As concern over Internet advertising and data collection grows, privacy advocates and the Internet advertising industry have been sharpening their legal knives for more than a year. Now two Congressmen have finally given them a piece of legislation they’re all too happy to slice apart.
Rick Boucher, D-Va., and Cliff Stearns, R-Fla., released a draft Tuesday of a privacy bill aimed at defining broad new regulations for the data collection practices of online advertising. The bill would require sites to offer easier methods of letting users prevent their behavior from being tracked online, warn users about data collection with a symbol on Web pages and require sites to render anonymous any data they collect after 18 months.
But while those new safeguards are enough to raise hackles in the advertising industry, irate privacy groups say they fall short of their demands, and even represent a deterioration of current privacy protections. “This is very flawed legislation,” Jeffrey Chester, president of the Center for Digital Democracy, told reporters on a conference call. “The bill is going to have to be radically revised, or it will face significant opposition from consumer and privacy groups and their supporters.”
One of the key battles in online privacy has been over the question of “opt-out” vs. “opt-in”: Should users have to agree to have their online behavior data collected, or should sites legally be allowed to track their behavior by default, with an option to stop that collection upon request?
Boucher’s and Stearns’ bill offers just enough of each approach to please neither advertisers nor privacy advocates. For sensitive data such as telephone numbers, postal and e-mail addresses, social security numbers or financial data, a site would have to explicitly request a user’s permission to track and store the information. For tracking of users’ paths around the Web for what the bill calls “transactional” or “operational” purposes, sites would be allowed to collect data on users’ behaviors without their permission, though they would be required to overtly state on their site with a “seal or symbol” that the page engages in behavioral tracking, and would have to allow the user to prevent that tracking upon request.
The bill also puts strict regulations on tracking users’ behavior on mobile devices, an increasing concern as Web-friendly devices like Android phones and iPhones make handsets a new destination for ads. Location-based tracking on cellphones or other portable gadgets would fall under the more sensitive category of data that requires users to opt in before it can be collected.
To Mike Zanneis, vice president of public policy at the Internet Advertising Bureau, the new safeguards sound ill-defined and potentially dangerous to the $23 billion online ad industry. “Opt-in is really the most burdensome privacy restriction that we implement in the U.S.,” Zanneis says.
He argues that the data requiring opt-in measures defined by the bill in its current form could include not just names and addresses but also IP addresses and “cookie” files that sites download to a user’s browser to note his or her path on the Web. “We know that greater than 70% of all online advertising depends on targeting techniques,” he says. “If we have an opt-in standard for cookies, that would impact the vast majority of online advertising, and that’s what we want to avoid.”
Meanwhile, privacy advocates argue that the bill’s exemption for “operational” collection of data–allowing those practices to take place under an “opt-out” rule–gives advertisers far too much leeway. “This bill really adopts an archaic and bankrupt ‘notice and consent’ regime that we all know doesn’t’ work,” says John Simpson, head of the Google Privacy and Accountability project at Consumer Watchdog.
Consumers, it’s been shown repeatedly, don’t take advantage of opt-out functions. In a Congressional hearing last June, Representative Stearns asked Google and Yahoo’s privacy executives how many users chose to not take part in their ad tracking systems. Yahoo’s rep said the number was “less than 1%,” and Google’s rep replied that she didn’t know. (See: “Congress Mulls Online Privacy Law”)
In a study last month, NYU law professor Florencia Marotta Wurgler found that less than one in 1,000 users even reads the fine print on websites’ terms of service. (See: “Who Reads The Fine Print?”) “We need better rules for the road on the Web, so that users don’t have to worry about reading the fine print or clicking ‘I agree’,” says Peter Eckersley, an attorney with the Electronic Frontier Foundation.
Worse yet, privacy groups also point out that the bill would preclude any state-level legislation and would restrict privacy class-action lawsuits. Instead, the Federal Trade Commission would enforce the law. That’s not a strategy that’s worked in the past, says Ginger McCall of the Electronic Privacy Information Center (EPIC). Despite three complaints that EPIC has issued against perceived privacy violations by Google Buzz and Facebook’s recent data-sharing moves–one released Tuesday–the FTC hasn’t taken any action against the companies. “The lack of enforcement on the FTC’s part has been very troubling,” McCall says.
In last June’s hearing, Rep. Boucher responded to advertisers’ concerns by promising that he had “no intention of doing anything that would disrupt a very important and essential business model for Internet-based companies.”
But the Center for Digital Democracy’s Chester calls advertisers’ arguments that regulation would cripple the Web economy “disingenuous” and “fallacious.” “I think this is an attempt to straitjacket the FTC,” says Chester. “The online ad industry has dodged a regulatory bullet.”