Along with its approval of Google's DoubleClick acquisition Thursday, the Federal Trade Commission outlined some core privacy principles that may have a bigger impact than the merger over time.
These principles sound great in theory, but in reality there will be some hand-wringing among Web publishers, including giants like Google, Microsoft and Yahoo. Let's dissect the FTC's principles.
1. The FTC wants transparency and consumer control of data used for behavioral advertising. Fair enough. Who wouldn't be for that? The FTC argues that existing privacy disclosures are "difficult to understand, inaccessible, and overly technical and long." Hard to argue with that point either.
Here's the FTC's proposal to remedy the issue:
Every website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that (1) data about consumers’ activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers’ interests, and (2) consumers can choose whether or not to have their information collected for such purpose. The website should also provide consumers with a clear, easy-to-use, and accessible method for exercising this option.
Why this won't go over well: More consumer-friendly disclosures should be a no-brainer. After all, the mutual fund industry did it a few years ago. The real haggling will be over how friendly these privacy statements become and how much a company has to disclose. Let's ponder Company A, which takes your registration data, sells it to everyone, abuses the database and spams the hell out of you.
What exactly is Company A's privacy statement going to look like? How about four bullet points (fancy graphic optional):
- We will take your data.
- We will share it with the world.
- We will spam you to death.
- The End.
No one would go along with that, even though those same points may be buried in today's privacy policies under four tons of legalese.
All of that brings me to the second part of this principle: An easy way for consumers to choose whether their information can be collected. The problem for advertisers is this: No one will choose to hand their data over if opting in and out becomes easier. Expect a lot of tap dancing over this principle.
2. Reasonable security, and limited data retention, for consumer data. The FTC argues that data collected for behavioral targeting may not be secured well. The FTC acknowledges that some of this data may be useless to a hacker, but you never know. There are two principles on the table here:
Any company that collects and/or stores consumer data for behavioral advertising should provide reasonable security for that data. Consistent with the data security laws and the FTC’s data security enforcement actions, such protections should be based on the sensitivity of the data, the nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company.
The problem with that proposal is that the term "reasonable security" is sketchy. Will Google be under the same standard as a medical information company?
And the other proposal, which covers how long companies should store data:
Companies should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need. FTC staff commends recent efforts by some industry members to reduce the time period for which they are retaining data. However, FTC staff seeks comment on whether companies can and should reduce their retention periods further.
I could argue that the retention time shouldn't exist at all. But that's unrealistic. How much time is necessary? The good news is that this proposal is doable, though it may take legislators to force the issue. It is clear that 18 months doesn't make the cut for the FTC.
3. Affirmative express consent for material changes to existing privacy promises. The FTC recognizes that businesses "may have a legitimate need to change their privacy policies from time to time," but companies shouldn't change practices willy-nilly. Think shareholder approval meets privacy policies.
As the FTC has made clear in its enforcement and outreach efforts, a company must keep any promises that it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date. Therefore, before a company can use data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers. This principle would apply in a corporate merger situation to the extent that the merger creates material changes in the way the companies collect, use, and share data.
This proposal sounds doable, but the FTC may be barking up the wrong tree. Financial companies regularly change their privacy policies and tell me via some statement I rarely read.
4. Affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising. The FTC says sensitive data shouldn't be used for advertising when an individual can be tracked unless specifically authorized.
Companies should only collect sensitive data for behavioral advertising if they obtain affirmative express consent from the consumer to receive such advertising. FTC staff seeks specific input on (1) what classes of information should be considered sensitive, and (2) whether using sensitive data for behavioral targeting should not be permitted, rather than subject to consumer choice.
The big argument on this proposal will be what information is deemed sensitive. A bigger haggling point will be whether this targeting should be allowed at all. There's a whole industry using behavioral targeting to get CPMs up. Expect a heated debate.
5. Using tracking data for purposes other than