In an earlier blog entry, we reviewed the FTC’s Online Principles for Behavioral Advertising, and came to two conclusions: the FTC was continuing to rely on industry self-regulation, and it appeared likely either a new FTC would reverse course, or Congress would enter the fray. Five months, three more Congressional hearings, a new FTC Chairman, and another industry effort at a self-regulation regime later, and the only question left appears to be what legislation is going to look like.
First, for background, Behavioral Advertising (BA) is the “tracking of a consumer’s activities online - including the searches the consumer has conducted, the web pages visited, and the content viewed - in order to deliver advertising targeted to the individual consumer’s interest” (as defined by the FTC). In 2007, the FTC issued a draft set of principles for industry self-regulation. The House and Senate held a series of hearings in 2008 decrying some of the bad apples in the online BA world - those using Deep Packet Inspection (DPI) to potentially review the content of what a user sends or receives in order to better target advertising. The Industry, or at least the Network Advertising Initiative (NAI), responded by tightening the principles underlying its self-regulatory code of conduct, in December, 2008, beating the FTC to the punch by barely two months.
Since then, a lot has happened that suggests Congress will be taking its turn by issuing general privacy legislation addressing the issue, which may provide some absolute protections, and give both the FTC and FCC greater authority to regulate in this area. So, what happened?
First, statements from then-Commissioner and now Chairman Leibowitz have become more pointed. The “last clear chance” for industry to show “meaningful, rigorous self-regulation,” or invite legislation and a more active FTC, has apparently come and gone and been replaced by “the current model is not working,” and without a “vigorous response,” self-regulation may find itself operating under a legislative or regulatory umbrella. The Chairman’s reaction to the industry’s latest version (IAB’s new regime incorporating privacy principles was only made public on July 2 - more below) of a vigorous response? “Thanks for the effort - we’ll get back to you,” may be a paraphrase, but it’s not that far off the mark.
Second, Congress (or at least the House) has followed up hearings held last year with three new ones this year - one each by the Communications, Technology, and the Internet (how technologies used to track consumers’ use of the Internet interacted with privacy concerns), and Commerce, Trade and Consumer Protection (data security and protection issues) subcommittees, and one held jointly before both (actual practices in BA, and consumers’ expectations for privacy). The messages from the hearings:
- There is a plan. Both Chairmen (Rush and Boucher) made clear from the beginning there was a plan to jointly explore related topics of privacy and advertising in the Internet context, and arrive at wider legislation.
- Three pieces of the puzzle are already in plain sight. Elements of a notional consumer privacy bill include pieces that empower users (notice, transparency and choice mechanisms), protect users’ data (collection limits, security, and notification procedures for breaches), and deal with practices that raise particular concerns (either technology-based like DPI, or reselling data without de-identifying it). Two bills have already been introduced in Chairman Rush’s committee that take a stab at one of the above sections (data security and protection), address one practice in a second (use of P2P applications to gather data), and Chairman Boucher’s previously introduced Consumer Privacy Protection Act is a starting point for the third.
- The plan has bipartisan support. Bipartisanship on this issue largely predates this latest series of hearings, but it has been on display here a bit beyond the norm. Rep. Joe Barton, R-TX(6), clearly not a fan of targeted ads suggesting which flight he should next book, thanked Chairman Rush for introducing H.R. 2221 (data security and protection) calling it a “Republican” bill. Technically, while this bill was introduced by the Chairman in this Congress along with Representatives Stearns, Barton, Schakowsky, and Radanovich, this marks the third Congress in which it has been introduced by a bipartisan group of members. This bill particularly attracts business support because it would lay out clear standards for data security and notification in the event of a breach, and expressly preempts the myriad of (often conflicting) state laws in the area. The bipartisan tone goes beyond this bill - Chairman Rush gave extensive time to the Ranking Members of both subcommittees in opening the latest hearing and extra time for questions from Republican members (Rep. Steve Scalise, R-LA, even asked the same exact questions Chairman Rush did, and was given extra time to wait for an answer).
The FTC has chimed in during these hearings, lending its support to the two bills already introduced, and also asking for the authority to seek civil penalties in data security cases it might pursue. Ouch! The FTC’s comments, by the way, provide a nice illustration of how data security and notification issues (the subject of H.R. 2221) frame many of the same concerns surrounding BA. Eileen Harrington (then-Acting Director of the Bureau of Consumer Protection) recounted principles underlying recent enforcement actions to protect consumer data as “businesses that make claims about data security should be sure that they are accurate”; “businesses should protect against common technology threats”; “businesses must know with whom they are sharing customers’ sensitive information”; “businesses should not retain sensitive consumer information that they do not need”; and “businesses should dispose of sensitive consumer information properly.” Listening to the hearings addressing concerns raised about BA practices, one could hear the same principles time and again.
So, if the House is ready to depart from a sector-by-sector approach (e.g., COPPA, HIPAA, etc.) and introduce legislation addressing wider consumer privacy protections, what would such legislation look like? Other than the above outline of the areas, if statements and questions made during the hearings provide any clue, it will do two things: provide additional authority to both the FTC and FCC to regulate various areas; and provide room for industry self-regulation underneath any enforcement umbrella that is created.
Why carve out space for the FCC? Other than the fact the FCC has already been active in related areas (remember the Comcast decision, and questions as to how far operators can go to perform reasonable network management under the Internet Policy Statement, or how far FCC Title I ancillary jurisdiction actually extends?), Chairman Boucher at least seems to recognize that existing and emerging technologies (DPI, cloud-computing, set-top boxes, et al.) will continue to require technical expertise to evaluate, which the staff at the FCC has in spades. The primary role on ensuring transparency, what companies do with consumer information, and what consumers can do about it, would stay with the FTC.
And why leave room for self-regulation within a regulatory environment? While the new IAB guidelines may not be written for laymen, and offer enforcement mechanisms still largely on the horizon, they do offer in many ways enhanced consumer protections over the existing NAI principles. New measures include more specific transparency efforts to let users know their personal information is being collected, new restrictions on service providers (affecting ISPs and application-developers), and increased consumer control (better opt-out procedures for ‘normal’ BA collection as well as use, opt-in for service providers’ collection and use). While these guidelines may fall short of what consumer privacy groups ask for (no restrictions on first-party collection or use of data, and broad concepts of “first-parties”; no restrictions on use of data for any purpose other than BA; no protections for sensitive data not already required by other laws; and follow-on notice to consumers if privacy policies change only required if the change is for a new BA purpose), they do represent a more concerted effort to demonstrate industry can perform a role in self-regulation. And that is exactly the point - not to attempt to convince Congress that legislation is not required, but rather that industry can, and should, perform an active role in any scheme Congress and the FTC develop. Why should Congress or the FTC disregard an existing self-regulatory framework? Even if falling short of their designs, a working system is sometimes better than none - especially a working system that might be able to reduce the workload at the FTC. Chairman Boucher keyed in on this theme, asking during the most recent hearing how statutory and regulatory regimes could exist on top of a self-regulatory one, and how would consumers know where to turn in such a maze?
Some observers believe that the enforcement mechanisms of the IAB partners, under the watchful eye, occasional audit, and very rarely-needed hammer of the FTC would be effective.
Watch this space though, because if one thing is certain, it is that, in the growing industry of using personal information to better target and sell online advertising, things stay the same only until the next idea to use technology comes along.