IAB Meets FTC In Broad Daylight

The U.S. Federal Trade Commission director stood with the backdrop of the IAB's Networks and Exchanges event behind him as industry members gathered to figuratively say, "Welcome. We don't bite," or "Please don't shoot us," or, quietly, "$@)&%#!"

Of course, David Vladeck, Director of the FTC's Bureau of Consumer Protection, likely already knew many in the room, as the latest round of lobbying efforts and discussions about online behavioral ads and consumer privacy have been under way for a couple of years now with the U.S. government arm that deals with "the trade."

In a speech just under 30 minutes, Vladeck provided a history of the current privacy debate as it relates to online behavioral advertising (OBA) and the FTC's involvement. Also included was a real-time update on where the FTC stands with the industry including Vladeck's own appearance in front of Senator Jay Rockefeller's committee today to discuss Rockefeller's new bill.

There didn't appear to be anything newsmaking but it was a great way to learn the end-to-end viewpoint of the FTC. The government appears earnest in its support of the industry regulating itself aggressively so that the government doesn't have to. We'll see how it plays out.

Do-Not-Track remains the hot-button issue, and Vladeck explained the Do-Not-Track functionality, noting that some aspects still need resolution. He spoke approvingly of the industry's efforts at self-regulation as well as the "constructive comments" (450 total) the Commission received with its roundtable discussions. He added that the Commission expects to produce a final report this year that will address three questions, among others:

  1. What data can companies retain for "legitimate business purposes"?
  2. Some data collection is necessary for fraud detection and fulfillment. "What other data fits here?" Vladeck asked. From here, this seems similar to the first bullet, but OK.
  3. The report urges just-in-time disclosures - what are those? where do the icons fit in to not directly?

Vladeck made clear that the Commission's other function, beyond helping form policy, has been enforcement, and that recent cases involving Playdom, Chitika, Google (Buzz) and others show the Commission's ability to act can be swift and far-reaching - especially in the case of Google, which will now be audited for the next 20 years regarding privacy compliance - "a comprehensive, start-to-finish privacy program and (involving) trained third-party auditors every 2 years for 20 years." As he finished his examples of enforcement, the message was likely clear to industry listeners: "This could happen to you if you're not careful."

Vladeck gave a particular shout-out to the IAB's efforts around self-regulation and recognizing the need to commingle it with the FTC's own enforcement capabilities. The IAB requires all members to adhere to the self-regulation guidelines, and according to Vladeck, if you run afoul of the IAB's guidelines, you're running afoul of the government which may result in a Playdom-like settlement or a special privacy friend like Google has for the next 20 years.

The Q&A section reminded listeners that this isn't all about the use of third-party data tracking by ad network-like companies. It's also about first-party data due to details in Senator Rockefeller's bill which requires compliance from first-party data owners (could be e-Commerce publishers or marketers who collect directly from the consumer, for example). Originally, this wasn't something the FTC had said was under consideration.

The complete transcript of the Q&A between the IAB's Mike Zaneis, FTC's Vladeck and members of the audience for Monday's meeting is below:

MIKE ZANEIS: When I look at the cases that you've mentioned, things like Sears and Google Buzz, and Twitter, I'm not sure that I see that there's a common theme or not. Is there a lesson to be taken away today from these recent cases?

DAVID VLADECK: I think the one thread that ties these cases together is in each case we believe the company made a promise, explicit or half‑truth promise, about the way it was going to treat someone's data and broke that promise. There's an easy example, Google's privacy policy made clear that it would not share email contacts data with third parties until it informed consumers and gotten their consent. Unfortunately for Google, the way Buzz was implemented ‑ maybe the company just had technical problems. But the choices that were offered to consumers to safeguard their information were ineffective. As a consequence, many consumers ‑ and Google saw this immediately ‑ were outraged that their personal contact information was being shared much more widely than they wanted it to be shared. Some of the data was embarrassing.

So Google, in my view, is a current dramatic example, as is a case like Sears. Sears told people it was sort of collecting information to provide better service to consumers. What they didn't say quite conspicuously was that they were pulling down everything from passwords to bank accounts to prescription information.

That, again, is another case that we think is emblematic of what we're worried about in this marketplace.

MIKE ZANEIS: That's great. So it sounds like the lesson is live up to your public promises, obviously.

DAVID VLADECK: Live up to your promises.

MIKE ZANEIS: Do the right thing.

DAVID VLADECK: Right. Do the right thing is always good.

MIKE ZANEIS: Right. We have some questions back here.

STEVE SULLIVAN: Hi, Steve Sullivan with the IAB. I have a question for you. You talked a little bit about what a Do‑Not‑Track mechanism should look like and you used terms like "mocking" or "preventing" that imply a technical mechanism that prevents certain activities or certain types of tracking. The reality is the industry, as we move in that direction, as we come together and agree on activities around the prevention of tracking, those are going to be self‑imposed policy things as opposed to actual technology solutions that will prevent those kind of things from happening.

Is that going to be acceptable? Is that the kind of thing that once you understand what those approaches are, the policies and leasing, that that will be the kind of thing that will meet the bar?

DAVID VLADECK: We have never argued that it must be a browser‑based technological system. We do talk extensively and report about enforceability and compliance monitoring. We have been deliberately agnostic about how to achieve this result. But it is true that there are technological means that are partially browser‑based to effectuate this result. As you know, the browser manufacturers jumped in very quickly. Each of the major browser manufacturers has announced changes to the way their browsers work to help effectuate through that track.

But we're not wedded necessarily to a browser‑based option. I think it's also important to be clear that in this space the FTC is not the only audience. As you know, Senator Rockefeller, who's chair of the commerce committee, dropped a bill calling for requiring the FTC to impose a robust, comprehensive, and universal Do‑Not‑Track system.

There's a broader audience out there that's engaged in this debate. We're not the only players, as much as I would sometimes like to think so.

MIKE ZANEIS: I know one thing for us is we now; we talk about implementation of our self‑regulatory program, the Digital Advertising Alliance program of the icon. Now that we are seeing major networks specifically implementing the icon and being served literally billions of times a day now in the US within or around advertisements. We see that as certainly something that is easily discoverable by consumers. I think the DA used browser options and tools as, perhaps, another consumer touch point to continue to push out easy discoverability for consumers.

Do we have another question? We've got one over here on the aisle.

GEORGE IVEY: Hi. I'm George Ivey with the Media Rating Council. I found it interesting that your Google settlement required 20 years' worth of auditing every other year by a third‑party auditor. What types of auditing or verification are you envisioning in this Do‑Not‑Track, the five scenarios you outlined?

DAVID VLADECK: To the extent there are technological solutions to Do‑Not‑Track, browser‑based. We brought on a technologist about two years ago to help us unravel the question about how technologically a Do‑Not‑Track system could be posed. The guy who heads this up is Ed Felten, who is a Princeton professor, computer science, who I think is well‑known as one of the leading technologists. It's Ed's view that no matter how sophisticated tracking is, there will always be digital, he hates the word fingerprint so I won't use that, but some tell‑tale digital sign that enforcement agencies would be able to find.

We now have devoted a lot of time and money to developing a very robust Internet [inaudible] that includes not only Internet equipment, but also local equipment. So we now are forensically capable not just on the Internet, but basically with any other Smartphone or other digital platform.

So one of the questions we have is enforceability and that's an important play to us we don't know if we will be able to achieve.

MIKE ZANEIS: I think you and I might be in the wrong business. We might be doing audits, I think, we have 20 year biannual audits.

DAVID VLADECK: Not only audits, but audits by people who are really trained in this field. Part of this is, and I think maybe your question went to that, just technological, you really need people with very high levels of technological skill.

MIKE ZANEIS: But this is because there was a negotiated settlement with Google. This is not an industry standard and I think we should be clear about that.

DAVID VLADECK: Well, it's even a true standard. We think that the requirements imposed in the Google order are good industry practices. The first provision, don't lie about your privacy policy. The second embodies what we've been saying for years, which is if you're going to make a material change to your privacy policy, you've got to give notice to consumers and get opt‑in consent. There's nothing new about that. Yes, we can't require privacy policy in audits. But we've been talking about privacy by design, having privacy policies, engaging in good security and privacy practices from the start. All we've required Google to do is to prove it to us every two years by filing an audited report by experts outside the company.

MIKE ZANEIS: That's great. I know we've run out of time. I might just make one last note here. We agree with things like strong data security, keeping your promises to the public, trying to implement privacy up front in the development of the product and services, otherwise known as privacy by design. There's just one point that I have to make since you'll be in front of Chairman Rockefeller later this week. That is I think we are all in agreement that first party activity is not tracking and, as you pointed out in that privacy report, is not something that raises the same concern as some of the third party activities.

So we were a little disturbed when Senator Rockefeller's Do‑Not‑Track bill came and it actually reports to cover purely first party practices. I don't know if you want to comment on that or not.

DAVID VLADECK: I certainly do not. [laughter]

MIKE ZANEIS: Maybe on Thursday you'll comment on it.

DAVID VLADECK: I will say that you are correct in that the FTC statement, we've never suggested that the first party relationship involve tracking in that sense. Our privacy report explicitly says that the commission has said it other places. But I'm not about to argue with Chairman Rockefeller here or on Thursday.

MIKE ZANEIS: Thank you very much.

