The US FTC urged online respect for consumer privacy but the “Do Not Track” mechanism is not an opt-out list
After the US Federal Trade Commission (FTC) proposed a “Do Not Track” mechanism to give control over what consumer-data companies can collect and share, a lot of confusion remains as to what the proposal means.
In a 122-page preliminary report, the FTC suggested that users need a way to universally opt-out from having companies track their Web activity. The report is “fairly consistent” with previous FTC statements and “just solidifies” its position, said Susan Lyon, a privacy and security lawyer at Seattle-based Perkins Coie, a firm specialising in privacy, online safety and Internet law.
Simplify Opt-out Processes
Online behavioural advertising lets companies generate detailed profiles on consumers. Marketers are increasingly analysing the Web sites consumers visit – the links they click, Internet search history, online and offline purchases, geographic location data, and other personal information disclosed on social networking sites.
The Do Not Track proposal simplifies the process of opting out. The idea is that users would be able to choose to have their browser tell any Website not to track them for advertising purposes and that setting would not be wiped out if a user clears their browser cookies, as currently happens with opt-out cookies.
FTC chairman Jon Leibowitz said the marketing industry has not done nearly enough to make sure people understand what personal information is being collected, or to provide them adequate control over the data collection. The Electronic Frontier Foundation’s Reiny Reitman wrote on the group’s blog that it is “extremely impractical” for consumers to defend against the “astonishing array” of tracking technologies that are both “sophisticated” and in “widespread use”.
“In a sense, the biggest problem is not the targeted ads but the exhaustive records of peoples’ reading and other online activities that are collected in order to facilitate that targeting,” wrote Reitman.
The idea behind Do Not Track is not brand new to this report. Leibowitz floated the idea over the summer and it was initially proposed back in 2007. The Electronic Frontier Foundation was one of the groups that supported the proposal three years ago, and again today.
While the 2007 proposal may have been criticised as “ineffective”, the FTC’s current proposal is a “revolutionary” approach to defending personal privacy and a “promising development”, said Reitman.
Last month, the European Union also announced plans to update its privacy regulations to give consumers more control over online tracking.
Not An Opt-out List Of Users
The proposal is loosely based on the Do Not Track concept on the FTC’s National Do Not Call Registry, which was launched in 2003 and gave American consumers a way to opt-out of calls from telemarketers. This is mirrored by CPR Global’s Telephone Preference Service (TPS) in the UK. However, comparisons to the Do Not Call list are misleading, with critics deriding the idea of the government maintaining a list of users who do not want their information tracked. What the FTC is proposing is not a list that an organisation or entity will maintain but actual technology, whether in software or hardware, available for users.
How that technology mechanism will be implemented remains open to discussion. The FTC appears to have shifted the burden to the companies that develop Web browsers, and not onto each individual Website publisher, said Lyon.
Leibowitz acknowledged that Mozilla, Google, and Microsoft have all been experimenting independently on various private browsing mechanisms but indicated it had to be more straightforward and persistent for users to use. The FTC differentiated between tracking and personalisation in its report by focusing entirely on tracking cookies.
Critics claim a Do Not Track capability would mean users would lose personalised settings on sites such as sports news sites and shopping. Users expect an e-commerce site to track what items they looked at in the store’s catalogue, and what they bought previously, because it is a “commonly accepted practice”, said Lyon.
For e-commerce sites and retailers using cookies to learn about what their customers are doing on their sites, the FTC is saying “thumbs up, you can do that”, she said. The FTC is against having that information shared with another site or company, or third-party ads running on the page that is collecting data unknown to the user, she said.
E-commerce sites and retailers should employ a “don’t surprise your users” rule when it comes to data collection, said Lyon. If a user would be shocked at the information that was being shared, then it should not be shared, she said.
Claiming that the data being shared is anonymous and non-identifying is no longer accurate, according to Lyon. “Information that may seem unidentifiable can become identifiable”, if someone tries to connect the dots between different sets of data, she said. This is even more of a concern with mobile devices, as location information can be used to “de-anonymise” previously anonymous data, she said.
More To It Than A Tracking Ban
Companies should also evaluate their Websites to make sure users can easily tell who is running the site and who will see the data being collected, said Lyon. The FTC report called it a “privacy by design” approach.
Google, Microsoft and Mozilla have said they will review the report and give feedback. The agency is taking comments until January 31. “It will be interesting to see the comments that will be coming out of the companies,” said Lyon, predicting that some would be “surprising”.
Currently, the report has left the door open for either a self-regulatory approach or for new legislation but FTC head Jon Leibowitz said, “A legislative solution will surely be needed if industry doesn’t step up to the plate.”
Self-regulation is generally favoured by online advertisers, social-network operators, and Web search companies, whose business models rely heavily on these tracking profiles. It is a little unclear whether the FTC will create guidelines, as it did for CANN-SPAM, for the industry to implement, said Lyon.
Even though the FTC does not have any kind of authority to create new rules currently, Congress is paying attention. Massachusetts Senator John Kerry has promised to introduce privacy legislation that would give the FTC more rulemaking authority to carry out its recommendations, according to the Washington Post.