Earlier this year, in a remarkable reversal, the Interactive Advertising Bureau officially urged federal lawmakers to consider “sensible” privacy legislation.
The group, which long argued against new privacy laws, said in September it supported a “uniform privacy standard” that would override state laws -- including a broad California law, slated to take effect in 2020, that will allow consumers to learn what personal information about them is held by businesses, and to opt out of the sale of that information.
The IAB didn't offer many specifics back in September, but endorsed the general proposition that new privacy laws “should provide meaningful consumer controls that are technologically neutral, proportionate to consumer risk, and encourage industry best practices."
Now, the IAB has fleshed out its position. In comments filed with the Federal Trade Commission last week, the IAB suggests that new laws should be modeled on the industry's self-regulatory principles. Those principles call for companies to notify consumers about online tracking -- or the collection of data across multiple sites and apps -- and to allow consumers to opt out of receiving ads targeted based on "non-sensitive" data.
The principles also call for companies to obtain explicit consent before serving consumers with targeted ads based on financial information, data about medical conditions or other information that the industry considers "sensitive." Since 2012, the industry's self-regulatory code has prohibited members from collecting any information about people in order to determine their eligibility for employment, credit, health care or insurance.
“As the FTC assesses how it should approach digital privacy in the coming year, it should consider the reasonableness of certain practices, balanced against consumer expectations and the sensitivity of data in question,” IAB executive vice president for public policy David Grimaldi writes in the group's comments. “Applying such an approach to consumer privacy, as opposed to a blanket, one-size fits all regime across the digital ecosystem, will help strike the appropriate balance between strong consumer privacy choices and continued economic development and innovation.”
Some consumer advocacy groups are urging the FTC to support broader laws. Public Knowledge, for instance, argues that privacy protections shouldn't depend on whether data is deemed “sensitive.”
“The so-called sensitive/non-sensitive distinction, which provides heightened protections to so-called sensitive information, like first and last name, social security numbers, bank account numbers, etc., and lesser protections to other information is increasingly illogical in today’s world and should be eschewed,” the group writes in its comments. “So-called non-sensitive information can be aggregated to reveal sensitive information, and, in fact, some non-sensitive information, in isolation, may reveal sensitive information.”
The organization points to the use of supposedly “non-sensitive” data by political consultancies including the now defunct Cambridge Analytica (which famously harvested data from up to 87 million Facebook users) and the Obama campaign (which also reportedly harvested Facebook data).
“If Cambridge Analytica (and, for that matter, the Obama campaign) is to be believed, so-called non-sensitive information such as social media likes can be used for highly sensitive activities such as influencing individuals in the voting booth,” Public Knowledge writes. “In addition, sensitivity is highly subjective. Different individuals are likely to perceive different data points’ sensitivity levels differently.”