After federal regulators proposed a "Do Not Track" mechanism to give control over what consumer data companies can collect and share, a lot of confusion remains about what the proposal really means.
In a 122-page preliminary report issued Dec. 1, the Federal Trade Commission suggested that users need a way to universally opt out of having companies track their Web activity. The report is "fairly consistent" with previous FTC statements and "just solidifies" its position, said Susan L. Lyon, a privacy and security lawyer at Seattle-based Perkins Coie, a firm specializing in privacy, online safety and Internet law.
Online behavioral advertising lets companies generate detailed profiles on consumers. Marketers are increasingly analyzing the Websites that consumers visit, the links they click, Internet search history, online and offline purchases, geographic location data, and other personal information disclosed on social networking sites.
The Do Not Track proposal endorsed by the FTC simplifies the process of opting out. The idea is that users would be able to choose to have their browser tell any Website not to track them for advertising purposes, and that setting wouldn't be wiped out if a user clears browser cookies, as currently happens with opt-out cookies.
FTC chairman Jon Leibowitz said the marketing industry has not done nearly enough to make sure people understand what personal information is being collected, or to provide them with adequate control over the associated data collection. The Electronic Frontier Foundation's (EFF) Rainey Reitman wrote on the group's blog that it is "extremely impractical" for consumers to defend against the "astonishing array" of tracking technologies that are both "sophisticated" and in "widespread use."
"In a sense, the biggest problem is not the targeted ads but the exhaustive records of people's reading and other online activities that are collected in order to facilitate that targeting," wrote Reitman.
The idea behind Do Not Track is not completely new to this report. Leibowitz floated the idea over the summer, and it was initially proposed back in 2007. EFF was one of the groups that supported the proposal three years ago, and it did so again this time.
While the 2007 proposal was criticized as "ineffective," the FTC's current proposal is a "revolutionary" approach to defending personal privacy and is a "promising development," said Reitman.
Last month, the European Union announced plans to update its privacy regulations to give consumers more control over online tracking.
The proposal is loosely based on the do-not-track concept used for the FTC's "National Do Not Call Registry," which was launched in 2003 and gave American consumers a way to opt out of calls from telemarketers. However, comparisons with the Do Not Call list are misleading, with critics deriding the idea of the government maintaining a list of users who do not want their information tracked. What the FTC is proposing is not a list that an organization or entity will maintain, but actual technology, be it software or hardware, that would be made available to users.
How that technology mechanism will be implemented remains open to discussion. The FTC appears to have shifted the burden to the companies that develop Web browsers, and not onto each individual Website publisher, said Lyon.
Leibowitz acknowledged that Mozilla, Google, and Microsoft have all been experimenting independently on various private browsing mechanisms, but he indicated that such a mechanism had to be more straightforward and persistent to be usable and effective.
E-commerce sites and retailers should employ a "don't surprise your users" rule when it comes to data collection, said Lyon. If a user would be shocked at the information that was being shared, then it shouldn't be shared, she said.
Claiming that the data being shared is anonymous and non-identifying is no longer accurate, according to Lyon. "Information that may seem unidentifiable can become identifiable," if someone tries to connect the dots between different sets of data, she said. This is even more of a concern with mobile devices, as location information can be used to "de-anonymize" previously anonymous data, concluded Lyon.
Companies should also evaluate their Websites to make sure users can easily tell who is running the site, and who will see the data being collected, said Lyon. The FTC report called it a "privacy by design" approach.
Google, Microsoft, and Mozilla have all said they will review the report and provide feedback; the agency is taking comments until Jan. 31. "It will be interesting to see the comments that will be coming out of the companies," said Lyon, predicting that some would be "surprising."
While the report currently leaves the door open for either a self-regulatory approach or for new legislation, FTC head Jon Leibowitz said, "A legislative solution will surely be needed if industry doesn't step up to the plate."
Self-regulation is generally favored by online advertisers, social-network operators and Web-search companies, whose business models rely heavily on these tracking profiles. It's a little unclear whether the FTC will create guidelines, as it did for CAN-SPAM, for the industry to implement, said Lyon.
Even though the FTC currently doesn't have the authority to create new rules, Congress is paying attention. Massachusetts Senator John F. Kerry has promised to introduce privacy legislation that would give the FTC more rulemaking authority to carry out its recommendations, according to the Washington Post.