• by Wendy Davis  @wendyndavis, March 4, 2024

The Federal Trade Commission said Monday it considers web browsing data sensitive, even when stripped of names, social security numbers and other comparable information traditionally considered “personally identifiable.”

“Browsing and location data are sensitive. Full stop,” the FTC said in a post discussing recent privacy complaints it brought against Avast (which sold users' web browsing data) as well as two location data brokers (Outlogic and InMarket Media).

“Years of research shows that datasets often contain sensitive and personally identifiable information even when they do not contain any traditional standalone elements of PII,” the agency wrote.

“What makes the underlying data sensitive springs from the insights they reveal and the ease with which those insights can be attributed to particular people,” the FTC added, noting that Avast used an algorithm to remove names and types of traditional personally identifiable information from people's browsing data before selling it.

The post comes as the FTC is considering whether to issue privacy rules that would restrict online behavioral advertising and other forms of what so-called “commercial surveillance.”

The agency hasn't yet proposed specific rules, but FTC Chair Lina Khan and consumer protection head Samuel Levine have repeatedly criticized current online data practices. Even without issuing new rules, the agency could take the position that collecting web browsing data without opt-in consent is an unfair business practice.

If taken at its word, the broad language in Monday's blog post suggests that the FTC wants companies to obtain consumers' affirmative consent before amassing and selling the kind of cross-site data the fuels online ad targeting, according to attorney Daniel Goldberg, a privacy expert with Frankfurt Kurnit Klein & Selz.

“In theory, they're saying if you're compiling these datasets, and selling them to third parties, you need opt-in consent,” Goldberg says.

An opt-in mandate would go beyond what the FTC has previously suggested in its enforcement actions or policy statements.

For instance, though the FTC said in a 2016 staff report that companies should obtain explicit consent before collecting sensitive information, the agency didn't suggest at the time that all browsing data is sensitive.

Instead, that report said certain types of online data were sensitive, such as search queries, email messages, social media posts, and titles of books read or movies viewed. But the FTC wrote Monday that browsing (and location) data “paint an intimate picture of a person’s life, including their religious affiliations, health and medical conditions, financial status, and sexual orientation.”

Any potential FTC rules requiring companies to obtain affirmative consent before collecting or selling browsing data would also go further most new state privacy laws, says David LeDuc, vice president for public policy at the industry self-regulatory group Network Advertising Initiative.

“On its face, it does represent a departure from the way our laws are constructed,” LeDuc said of the FTC's post.

Recent privacy laws in most states generally require businesses to allow people to opt out of the processing of their data for ad targeting.