The FTC last week released a long-expected preliminary staff report entitled, “Protecting Consumer Privacy in an Era of Rapid Change.”
Developments since the privacy roundtables
Although staff likely had in mind how quickly changes in technology impact consumers’ privacy, an “era of rapid change” is an apt descriptor for more than just the pace of technology. Since the last of the FTC privacy roundtables held in March, staff working on this report were influenced by regular and rapid change:
- In May, then-Congressman Boucher released a draft of widely-anticipated legislation addressing consumer privacy both on and off the Internet.
- In July, Congressman Rush introduced H.R. 5777, an even more comprehensive consumer privacy bill.
- In August, the FTC Chairman testified as the Senate began its own hearings on Consumer Online Privacy.
- In September, Senator Pryor (co-sponsor of the Senate version of the bipartisan Data Accountability and Trust Act that preempts increasingly complex state data security and breach notification laws) announced his forthcoming privacy bill which would create a national “Do Not Track List”.
- In October, online marketing industry groups released an implementation program for their “Self-Regulatory Principles for Online Behavioral Advertising”.
- In November, four well-known privacy watchdog groups requested the FTC investigate Google, Microsoft, QualityHealth, WebMD, Yahoo, AOL, HealthCentral, Healthline, and Everyday Health for data collection and behavioral marketing practices the groups believe are unfair or deceptive.
Not that things slowed down following the release of the report, as “tweets”, media conference calls, and House hearings occurred with breakneck speed. Good thing the FTC gave the public until the end of January for comments, because if there’s one thing the FTC looks to get from this report, it is comments.
What the FTC might have in mind for a Do Not Track list
Driving the FTC’s exploration of a Do Not Track list appears to be concern that existing “opt-out” programs developed by companies or industry groups under self-regulatory frameworks have fallen short. Specifically, staff suggested that while some approaches showed promise, they haven’t been widely and uniformly adopted; consumers aren’t using them; and they don’t clearly spell out what exactly a consumer is opting out of. But fixing and expanding existing “opt-out” programs may not necessarily be the same thing as setting up a national Do Not Call (DNC) registry for online advertising. As Commissioner Kovacic pointed out in concurring remarks to the report, the issues are completely different: the DNC is run by the FTC under laws authorizing its implementation and enforcement, and supported by extensive rules. It is fairly clear the FTC envisions an industry-run Do Not Track list, and staff have already publicly admitted they likely can’t mandate one under existing authorities.
Commenters who question whether it is even technically feasible to establish a Do Not Track list may be missing a point others seem to have gotten past. A key area where the FTC and commenters appear to agree is that any technical framework should be browser-based, rather than built on “unique identifiers” such as computers’ IP addresses (the way the DNC uses telephone numbers). A Do Not Track system can’t use IP addresses, as Symantec pointed out in the December 2nd hearings in the House, because they often change when computers reboot, or are masked by organizations’ network managers. The report even highlights that creating such an identifier would itself raise privacy concerns. Realistically, a browser-based technical approach will likely influence the answers to several of the FTC’s other questions. Add to that the reasons why the FTC began looking at a Do Not Track list in the first place (previous approaches weren’t uniform or widely adopted; weren’t clear; and weren’t used), and an incremental rather than radical approach looks far more likely. Any industry-based solution addressing these concerns would likely differ dramatically in look, cost, and use rates from, say, a centralized one that allows consumers to register the MAC address of any computer, mobile phone, or other device, and to halt or severely limit any data collection from (or placement of targeted ads to) that device. Still, in the absence of a single existing system that offers all the requirements FTC staff have in mind, commenters should also focus on some specific questions that will drive how any possible future Do Not Track list might operate, questions that appear not yet quite settled, such as:
- Should it restrict companies’ ability to collect data from, or only to place targeted advertisements to, consumers?
- Should consumers’ choices be a simple “collect or not collect”, or a more complex choice of allowing some collection or ad placement from selected sites but not others?
- How much would implementation efforts and operations drive up costs?
- Would implementation costs, or loss of revenue from less data collection or fewer targeted ad placements, force companies to stop subsidizing services many consumers currently enjoy?
The answers to these questions will likely shape what the FTC recommends in its final report.