Concoct an unclear or purposefully bewildering privacy policy with a wonky opt-out mechanism and you might have the Federal Trade Commission (FTC) breathing down your neck.
“Many companies are providing opt-outs and they need to be careful about what they’re saying and what it means to opt out,” said Maneesha Mithal, associate director for the FTC’s Division of Privacy and Identity Protection, speaking on Monday at the commission’s workshop on cross-device tracking.
“If they are unclear or deceptive in creating the opt-out or communicating the opt-out in a way that conflicts with a consumer’s understanding,” Mithal said, “there may be room for a Section 5 deception action in that case.”
Section 5 of the FTC Act, a federal law passed in 1914 to protect consumers, gives the FTC enforcement authority around “unfair or deceptive acts or practices” in or affecting commerce.
Considering most consumers don’t appear to know the purpose of a privacy policy in the first place, that would seem to leave the door pretty wide open.
According to polling by University of Pennsylvania professor Joseph Turow, between 55% and 65% of US consumers consistently believe that when a website has a privacy policy it means that the website in question won’t share information with other companies – and that’s plainly false.
“There is a common misconception that websites that have privacy policies are subject to rigorous federal protections when, generally, that is the opposite of what the privacy policy says,” said Jonathan Mayer, a privacy researcher and Stanford University computer science Ph.D. candidate. “But if by some small miracle they land on one of these control mechanisms, there is also a little cottage industry of academic research that suggests users have great difficulty actually exercising control using the mechanisms in a way that conforms the advertising environment to those preferences.”
In an ideal world, a privacy policy might exist to help consumers get a better grasp of how their data is being gathered, managed and shared. But in the real world, it’s simply the fulfillment of a legal requirement to disclose data collection practices to users.
“The level of ambiguity that’s purposeful, the lack of clarity in what is being said in what’s supposed to be a contract, I think is really terrible,” Turow said. “Partly it’s because things are changing and partly it’s because companies don’t want you to know what’s going on.”
And there is, of course, a lot going on.
Visiting a website you trust and have a known relationship with is one thing, said Digital Content Next CEO Jason Kint, but “having dozens, 50-plus, 100-plus third-party relationships fired off at that moment” is another.
“The challenge becomes that the first party really doesn’t have the ability to control all those – that’s how the web works,” Kint said. “There’s a daisy chain of third parties that get involved, and that creates issues. Even contractually it’s been very difficult to try to control that. You can slice and dice where the issues are, but you can’t deny that there is a trust issue.”
For its part, the Network Advertising Alliance calls upon member companies that have a “direct contractual relationship with a website where it collects data for interest-based advertising [to] … contractually require the website to post notice of interest-based advertising data collection and link to an opt-out mechanism.” The NAI advises that the notice be provided in a privacy policy or under a separate footer link like “About our Ads.”
“This is approximately the same place we were maybe 10 or 15 years ago with ad targeting,” said NAI President and CEO Leigh Freund. “Consumers over a period of time and with good messaging can understand and have reasonable expectations about the value exchange between their privacy and commercial enterprise and the content that we all consume. And if consumers want to dive into the sausage, they will have the tools to do so.”
But there’s another question beyond whether a privacy policy does or doesn’t run afoul of the FTC: Can users realistically be expected to read and fully digest the T&C side dish they’re served up with nearly every website and service they consume?
That said, more transparency can give those users who are so inclined a few clues on what’s in the sausage. If a user gets a real-time notice from an app that says something like “This app is using an audio beaconing technology in the audio stream,” at least “it gives people the opportunity to ask, ‘What the heck is that?’” said Joseph Lorenzo Hall, chief technologist and director of the Internet Architecture Project at the Center for Democracy & Technology.
Then again, one could also argue that concepts like enhanced notice and AdChoices, first devised in a cookie-based world, are becoming increasingly outmoded as the Internet of Things becomes a reality.
Talking toasters aside, cross-device is changing the game. The FTC recently ran an internal experiment, examining the top 20 Alexa sites in news, sports, shopping, games and reference – 100 in all – to see what cross-device tracking looks like from a consumer perspective.
Although the FTC was able to determine that a lot of sites were engaging in cross-device tracking, it was “hard to determine effectively from the end user point of view when cross-device tracking was going on,” said Justin Brookman, policy director of the FTC’s Office of Technology, Research and Investigation.
What’s noteworthy is that the privacy policies for those 100 sites didn’t have much to say on the topic of cross-device.
“[There was] often a discussion of behavioral tracking in general, oftentimes a link to one or more of the self-regulatory regime’s sites like NAI and DAA,” Brookman said. “But it’s difficult to get a sense of the scope of cross-device just from looking at these policies.”
Which is why publishers, advertisers and vendors alike have to pay heed to what the FTC’s Mithal said: “Companies need to be mindful of the representations they make.”
