The FTC announced today the agenda for its second privacy roundtable discussion, scheduled for January 28, in Berkeley, California “to explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data.” This second recent foray into online privacy follows the first roundtable, held December 7, 2009, in Washington DC. Although the focus of these roundtables is wider than using consumers' information to support Behavioral Advertising (BA), a bit of background on that practice and the history behind these discussions, provide perspective on some of the issues involved.
A Brief History
As long-time readers know, the FTC has been engaged in a dance with industry for years over using consumers' personal information to support different business activities, including BA (the “tracking of a consumer’s activities online - including the searches the consumer has conducted, the web pages visited, and the content viewed - in order to deliver advertising targeted to the individual consumer’s interest”). When the music first started the FTC and industry seemed to be doing a waltz, moving together in both apposition and concordance, and the FTC in 2007 seemed happy to let industry take a self-regulatory spin. With the changing of administrations, the waltz gave way to alternating turns of break-dancing. First industry, then the FTC, sought to anticipate the other and vied for the crowd's attention. The Network Advertising Initiative (NAI), jumped on stage early, modifying its existing online self-regulatory code of conduct in December, 2008, anticipating the FTC’s release of “final” self-regulatory principles by two months. The FTC issued those principles in February, 2009, with staff in the accompanying report. Congress, watching from the sidelines, grumbled it wasn't overly fond of the music, and began to mutter about changing the tune completely. The Interactive Advertising Bureau (IAB), until then mostly silent, broke onto the floor in July, suggesting Congress stay on the sidelines because the dance floor was full and the dancers already doing quite fine on their own. The FTC then sidled closer to where Congress was standing, and said that it too was thinking it might be time to change the music once and for all. Since then, the dance has slowed to a crawl as everyone has waited to see what music Congress decides to put on and occasionally suggesting the current tune was still snappy and shouldn't be changed just yet.
What to Expect
Back to the privacy roundtables the FTC is hosting. The FTC is checking to see whether, if it agrees on a play-list with Congress, will the crowd at least hum a tune to the new beat? And what can we tell about the new music, or who's going to be dancing with whom?
First, Congress' suggestions that what's coming next isn't so much an extended alternative play-list as an entire change of musical genre, are being echoed by the FTC. The genre coming out isn't going to be focused only on BA, but may look a lot more like Congressman Boucher's earlier attempts to pass general consumer online privacy protections. Comments made during the first roundtable focused on other technologies (cloud computing, search engine data retention, etc.) other data, and other practices (mobile marketing). So many “others”, and you begin to see why the discussions run to “comprehensive” online privacy protection legislation.
Second, while the “self-regulatory-only” era may be coming to a close, it’s not going to be replaced with a top-down regulatory regime. The future will include space for industry to continue to dance alone with consumers, but under a more watchful eye from the FTC. Congressman Boucher focused heavily in questions during hearings on the subject about how to make a hybrid scheme work, and has proposed adding a “safe harbor” provision to legislation, whereby companies that adhere to industry self-regulatory schemes which pass a TBD FTC approval process, escape the dangers of enforcement actions.
Third, whatever scheme Congress and the FTC devise, both will look to adjust the play-list as they go, as consumer expectations about online privacy evolve. Participants heard during the first roundtable that consumers don't really know what companies are doing with their data, and if they did, they would be both pleasantly surprised and disappointed. More studies, and a subjective “consistent with consumers' expectations” standard in legislation, may both be on the horizon.
Finally, any legislation would probably adopt the FTC's approach of defining protected data broadly. Several participants at the first roundtable spoke disapprovingly of industry's reliance on traditional distinctions between PII (personally identifiable information) and non-PII (everything else) in the codes and principles developed to date. The FTC seems to favor a simpler approach – any data that can be linked to a person or individual computer is covered data, receiving basic protections and triggering notice and consent requirements. Protections only go up from there in the FTC’s view, with additional measures for data that’s “sensitive” or about children, or when a use of data is materially different from what was earlier advertised in privacy policies. The acronym PII may not even appear in any final bill. Keep your dance cards at the ready for January 28, 2010 in Berkeley, for the next online privacy roundtable dance-a-thon!