The Federal Trade Commission urged online businesses to respect consumer privacy and recommended a "Do Not Track" mechanism. Contrary to reports, it is not an opt-out list.
After federal regulators proposed a "Do Not Track"
mechanism to give control over what consumer data companies can collect and
share, a lot of confusion remains about what the proposal really means.
In a 122-page preliminary report issued Dec. 1, the Federal
Trade Commission suggested that users need a way to universally
of having companies track their Web activity. The report is "fairly
consistent" with previous FTC statements and "just solidifies"
its position, said Susan L. Lyon, a privacy and security lawyer at
Seattle-based Perkins Coie, a firm specializing in privacy, online safety and
Online behavioral advertising lets companies generate
detailed profiles on consumers. Marketers are increasingly analyzing the Websites
that consumers visit, the links they click, Internet search history, online and
offline purchases, geographic location data, and other personal information
disclosed on social networking sites.
The Do Not Track proposal endorsed by the FTC simplifies
the process of opting out. The idea is that users would be able to choose to
have their browser tell any Website not to track them for advertising purposes,
and that setting wouldn't be wiped out if a user clears browser cookies, as
currently happens with opt-out cookies.
FTC chairman Jon Leibowitz said the marketing industry
has not done nearly enough to make sure people understand what personal information
is being collected, or to provide them with adequate control over the
associated data collection. The Electronic
's (EFF) Reiny Reitman wrote on the group's blog that it
is "extremely impractical" for consumers to defend against the "astonishing
array" of tracking technologies that are both "sophisticated"
and in "widespread use."
"In a sense, the biggest problem is not the targeted
ads but the exhaustive records of peoples' reading and other online activities
that are collected in order to facilitate that targeting," wrote
The idea behind Do Not Track is not completely new to
this report. Leibowitz floated the idea over the summer, and it was initially
proposed back in 2007. EFF was one of the groups that supported the proposal
three years ago, and it did so again this time.
While the 2007 proposal was criticized as "ineffective,"
the FTC's current proposal is a "revolutionary" approach to defending
personal privacy and is a "promising development," said
Last month, the European Union announced plans to update
its privacy regulations to give consumers more control over online
The proposal is loosely based on the do-not-track concept
used for the FTC's "National Do Not Call Registry," which was
launched in 2003 and gave American consumers a way to opt-out of calls from
telemarketers. However, comparisons with the Do Not Call list are misleading,
with critics deriding the idea of the government maintaining a list of users
who do not want their information tracked. What the FTC is proposing is not a
list that an organization or entity will maintain, but actual technology, be it
software or hardware, that would be made available to users.
How that technology mechanism will be implemented remains
open to discussion. The FTC appears to have shifted the burden to the companies
that develop Web browsers, and not onto each individual Website publisher, said
Leibowitz acknowledged that Mozilla, Google, and
Microsoft have all been experimenting independently on various private browsing
mechanisms, but he indicated that it had to be more straightforward and
persistent to be usable and effective.
The FTC differentiated between tracking and
personalization in its report by focusing entirely on tracking cookies. Critics
claim a Do Not Track capability would mean users would lose personalized
settings on sites such as sports news sites and shopping. Users expect an
e-commerce site to track what items they looked at in the store's catalog, and
what they bought previously, because it's a "commonly accepted practice,"
said Lyon. For e-commerce sites and retailers that use
cookies to learn about what customers are doing on their sites, the news is
good: The FTC is saying "thumbs up, you can do that," Lyon
said. The FTC is against having that information shared with another site or
company, or with third-party ads running on the page that are collecting data
unbeknownst to the user, she said.
E-commerce sites and retailers should employ a "don't
surprise your users" rule when it comes to data collection, said Lyon.
If a user would be shocked at the information that was being shared, then it
shouldn't be shared, she said.
Claiming that the data being shared is anonymous and
non-identifying is no longer accurate, according to Lyon. "Information
that may seem unidentifiable can become identifiable," if someone tries to
connect the dots between different sets of data, she said. This is even more of
a concern with mobile devices, as location information can be used to "de-anonymize"
previously anonymous data, concluded Lyon.
While Do Not Track has gained the most attention, the
report also made other privacy recommendations. One called for companies to
clarify and simplify privacy policies; some companies have already started the
explicitly tell users what kinds of data it would collect and retain. In May,
Facebook rolled out a new privacy page for users.
Companies should also evaluate their Websites to make
sure users can easily tell who is running the site, and who will see the data
being collected, said Lyon. The FTC report called it a "privacy by design"
Google, Microsoft, and Mozilla have all said they will
review the report and provide feedback-the agency is taking comments until Jan.
31. "It will be interesting to see the comments that will be coming out of
the companies," said Lyon, predicting that some
would be "surprising."
While the report currently left the door open for either
a self-regulatory approach or for new legislation, FTC head Jon Leibowitz said,
"A legislative solution will surely be needed if industry doesn't step up
to the plate."
Self-regulation is generally favored by online
advertisers, social-network operators and Web-search companies, whose business
models rely heavily on these tracking profiles. It's a little unclear whether
the FTC will create guidelines, as it did for CANN-SPAM, for the industry to
implement, said Lyon.
Even though the FTC currently doesn't have the authority
to create new rules, Congress is paying attention. Massachusetts Senator John F.
Kerry has promised to introduce privacy legislation that would give the FTC
more rulemaking authority to carry out its recommendations, according to the Washington