Just in time for the holidays, the FTC has released its preliminary report, "Protecting Consumer Privacy in an Era of Rapid Change." Although privacy advocates may welcome the report as a gift, many portions, if adopted by policymakers, will prove to be a lump of coal to the advertising industry, website owners, and ultimately, to consumers who benefit from the free content, personalized services, and useful ads made possible by targeted advertising technologies.
The report proposes to move past the FTC’s traditional approaches to consumer privacy of providing "notice-and-choice" and specific remedies for specific harms, such as physical and economic injury. Instead, the FTC has proposed a far more expansive policy framework concerning data privacy. The framework would apply broadly to any company, online or offline, that collects, maintains, shares, or otherwise uses consumer data that can be "reasonably linked to a specific consumer, computer or device." In other words, the framework is not limited to companies that collect personally identifiable information ("PII"), such as a name, social security number, or e-mail address. It is much broader, and expressly covers offline commercial entities, entities that do not deal directly with consumers, and entities that do not collect PII. It is also intended to remedy harms far less specific than those contemplated by the FTC’s historical approach to privacy. Under the new proposed framework, the FTC also looks to protect consumers against vaguely defined harms such as "reputational and other intangible privacy interests." In today’s information age, it is difficult to conceive of many commercial enterprises – other than pure cash businesses, if any still exist – that would not be governed by this new framework.
The FTC is seeking comments on its report, which it acknowledges would merely be a framework for policymakers even when issued in its final form. While privacy advocates will no doubt look to the FTC’s preliminary report as an indicator of the standard of care for privacy issues, it is important to bear in mind that by characterizing the report as a guide for policymakers, the FTC has implied that it does not have independent authority to implement the proposed framework. Now is the time for interested parties to make their voices heard.
The Proposed Framework
Dismissing industry self-regulatory efforts as "too slow" and providing inadequate privacy protections, the FTC proposes a three-part framework to protect consumers.
1. Simplified Consumer Choice
The FTC does acknowledge that at least some practices that have become routinely used by businesses are "commonly accepted" by consumers and do not require consumer consent. Collecting and using consumer data in connection with processing orders; improving the vendor’s internal processes, such as through surveys; complying with the law; and preventing fraud would not require consent from the consumer under the proposed FTC framework. Retailers can also engage in "first-party marketing" without the consumer’s permission. For example, an online retailer may recommend products and services or offer coupons and discounts based on a user’s prior purchases on the site, and brick and mortar companies may do the same for purchases made in their stores.
However, for practices that are not "commonly accepted," the FTC believes that consumers should have the ability to make "informed and meaningful choices" regarding their data. Examples of such practices include the sharing of consumer data with third parties (other than service providers), allowing third parties to collect data about the consumer, and collecting data across websites. According to the FTC, for such choices to be effective, businesses should adopt a "just-in-time-approach" by providing consumers with a clear and conspicuous choice at the point when consumers enter their personal data or at the point of sale. Such an approach should be "uniform and comprehensive," and a consumer’s choice not to allow use of their personal data should be "durable," that is, not subject to repeated requests from the same company. It is unclear whether a consumer who chooses to allow use of their data would also have that choice be "durable."
The report does not define what constitutes "meaningful consent," but acknowledges that a "clear, simple, and prominent opt-out mechanism may be more privacy protective than a confusing, opaque opt-in." The report concedes that it is difficult to define what practices are "commonly accepted," which provides an opportunity for parties to provide their views on this critical issue. In addition, the report repeatedly refers to the fact that while PII and non-PII were once two clearly separate categories of data, there has been a "blurring" of the distinction as the technology has evolved. Similarly, in a rapidly changing world, what is not yet "commonly accepted" today may be tomorrow.
For certain types of sensitive data, such as medical, financial, and precise geolocation information, and information about children, the FTC recommends that companies should be required to obtain "affirmative express consent" before collecting, using, or sharing any such data. Similarly, the commission advocates "enhanced consent or even more heightened restrictions" regarding "deep packet inspection" and the data mining it entails.
The FTC singles out the behavioral advertising industry, which has been the subject of numerous FTC inquiries and reports and the target of many consumer rights groups. The FTC recommends that consumers should be empowered to choose whether companies can collect, use, and share data regarding their online searching and browsing. Dubbing this approach "Do Not Track," the commission argues that the most effective method of enabling consumers to make informed choices is to place a persistent setting on the consumer’s browser that signals the person’s willingness to be "tracked" and served targeted advertisements.
Out of all the many recommendations contained in the report, the Do Not Track mechanism has garnered the most attention and criticism from industry. However, it should come as little surprise to those who have followed the regulatory landscape regarding behavioral advertising. In its February 2009 report titled, "Self-Regulatory Principles for Online Behavioral Advertising," the FTC set forth several guiding principles for industry self regulation, and the first principle was transparency of data collection practices and consumer control of their own data. Industry responded to that report with it its own report in July 2009, which adopted the very same principles of transparency and consumer control. According to the FTC, industry’s efforts since this July 2009 report have been ineffective, thus leading the FTC to question whether it is time for legislative action.
If implemented, the "Do Not Track" concept could radically change the nature of how consumers use the Internet. The FTC’s own report acknowledges that the increased data flow about consumers that is made possible by tracking consumer behavior across web sites has had significant benefits in industries such as search, behavioral advertising, social networking, cloud computing, mobile technologies, and health services. However, the framework would jeopardize the future of these industries.
Ironically for an agency that is also charged with promoting competition, the "Do Not Track" concept, combined with the categorization of "first-party marketing" as a "commonly accepted" practice would provide a substantial advantage to larger companies over smaller start-ups. For example, Amazon.com, with its dominant industry position, would be free to continue to make recommendations to cross-sell other products to its customers based on tracking those customers’ activities across the enormous Amazon.com web site. Amazon would apparently not even need to disclose that is doing this type of tracking because it is engaged in "commonly accepted" "first-party marketing." However, smaller, more specialized retailers often rely on targeting their advertising to potential customers by utilizing the power of advertising networks to track consumer behavior across web sites. If the FTC’s framework were adopted and many consumers opted not to be tracked, small retailers would find it far more difficult to locate potential customers, while large retailers would find it easier.
Tracking technologies and behavioral advertising are more effective, and thus provide greater revenue to content providers on the web. Without these highly effective ads, we can expect that more content providers will not be able to support themselves through advertising, leading to either an inability for them to stay in business, or forcing them to charge web users for the content. Neither option is likely to be perceived by consumers as a benefit. In addition, this type of regulatory reversal of the technological progress that has been made in the online advertising industry will mean a return to less targeted ads. Consumers will not be well-served by a return to the days of irrelevant ads for products promising to reduce or enlarge body parts they may not even have.
2. Privacy by Design
Companies are encouraged to adopt and systematically implement a "privacy by design" approach by incorporating privacy protections into their everyday business practices. Such measures include the following protections that the FTC has been espousing for years and which have been incorporated into various state statutes:
- implementing and enforcing reasonable processes to ensure the security and accuracy of consumer data, including physical, technical, and administrative safeguards;
- collecting only data needed for specific business purposes, and retaining it only as long as necessary to fulfill that purpose; and
- safely disposing of data that is no longer being used.
3. Increased Transparency
As the final prong of its new framework, the FTC recommends that companies increase the transparency of their data practices. To do this, the FTC urges businesses to enhance consumer control by providing a choice mechanism in a "prominent, relevant, and easily accessible place." According to the Commission, the Do Not Track process is a significant part of this solution. In addition, the FTC recommends that companies provider clearer, shorter, and more standardized privacy policies to simplify consumer choice and offer better comparisons among companies’ privacy practices.
The FTC also proposes that consumers be granted access to their data to a degree proportionate to the sensitivity of the data, citing mechanisms offered by Google, eBay, and Yahoo as useful models. The report also reaffirms the FTC’s position that before a company can use a consumer’s data in a manner materially different than claimed when the data was collected requires a consumer’s affirmative opt-in consent. Finally, as it does in every report it issues, the FTC encourages industry to help educate consumers about commercial data practices.
Leading the Horses to Water
Industry reaction to the report has been swift and, not surprisingly, decidedly negative. Perhaps the most insightful comments came from the two FTC commissioners issuing concurring statements.
Commissioner Kovacic, who criticizes the Do Not Track proposal as "premature," questions whether consumer expectations of privacy are actually going unmet, and requests additional support. More importantly, he correctly analyzes the proposed mechanism from an economic perspective, pointing out that those who opt-out of behavioral advertising – yet continue to receive free web content and services – are essentially free riding on others who have not opted out. To combat this, content providers may need to start charging users for content or serve even more non-targeted advertisements to make up for their revenue shortfall, as random, non-targeted ads command a lower price than tailored ones.
Commissioner Rosch correctly notes that the FTC has never challenged a company’s failure to provide a particular kind of choice as a deceptive business practice. After all, if a business clearly and accurately discloses its business practices and complies with its policies, how can the practices possibly be deceptive? Rosch also questions the report’s assertion that a "majority of consumers are uncomfortable with being tracked online." He notes that although many consumers do not opt in to behavioral advertising when asked, an even higher percentage do not opt out when given the chance.
For Rosch – and all like-minded people who believe in individual autonomy and responsibility – the most appropriate solution is greater transparency: "If a consumer is provided with clear and conspicuous notice prior to the collection of information, there is no basis for concluding that a consumer cannot generally make an informed choice."
The FTC’s claim that industry has been slow to respond to alleged privacy abuses involving behavioral advertising is specious. The Commission released its proposed self-regulatory guidelines only in February 2009, and industry adopted those guidelines just several months later. Since then, as the report acknowledges, TrustE has launched an icon on advertisements that links the consumer to additional information about and choices regarding behavioral advertising. Members of the Network Advertising Initiative have created an opt out mechanism for behavioral advertising. In short, much progress has been made, and continues to be made. Facebook has implemented privacy practices so that users see quite clearly every time a third party application wants access to their data, and the user can decide on a "just in time" basis whether to permit such access or not (and if they do not, they do not get access to the application). Even as this article went to press, Stanford researchers announced they had designed a "do not track" mechanism for the Firefox browser.
However, online advertising, particularly behavioral advertising, is an incredibly complex and nuanced practice involving numerous stakeholders, including consumers. Releasing a report and demanding immediate change is not realistic. These disparate groups need time to evaluate their various business practices, time to reassess their disclosures to consumers, time to develop technical solutions that can function across numerous platforms, and time to craft sensible solutions that balance innovation, creativity, free content, and data privacy. It is not an easy task, but one the market is well equipped to handle if given sufficient time.
To be clear, the report is simply a set of draft recommendations to policymakers; it is not law. Although it is unclear what the final report will say or whether the framework will be adopted by lawmakers, both are certain to shape the discourse amongst industry, Congress, and privacy advocates over the next year and will likely affect the legislative and regulatory landscape for years to come.
Kesslen runs IP for the Tech Group at Lowenstein Sandler PC and co-chairs the firm’s IP Litigation Group. Prior to that he was Chief IP, Technology & Sourcing Lawyer worldwide for JPMorganChase. Leit is a member of Lowenstein in the Tech Group, where he practices intellectual property, technology, and privacy law. Savare specializes in privacy, IP, and media in the Tech Group at Lowenstein and is a frequent author and lecturer on the subjects