Web Marketers Wary of FTC's 'Do Not Track' Initiative

The Federal Trade Commission urged online businesses to respect consumer privacy and recommended a "Do Not Track" mechanism. Contrary to reports, it is not an opt-out list.


After federal regulators proposed a "Do Not Track" mechanism to give consumers control over what data companies can collect and share, a lot of confusion remains about what the proposal really means.

In a 122-page preliminary report issued Dec. 1, the Federal Trade Commission suggested that users need a way to universally opt out of having companies track their Web activity. The report is "fairly consistent" with previous FTC statements and "just solidifies" its position, said Susan L. Lyon, a privacy and security lawyer at Seattle-based Perkins Coie, a firm specializing in privacy, online safety and Internet law.

Online behavioral advertising lets companies generate detailed profiles on consumers. Marketers are increasingly analyzing the Websites that consumers visit, the links they click, Internet search history, online and offline purchases, geographic location data, and other personal information disclosed on social networking sites.

The Do Not Track proposal endorsed by the FTC simplifies the process of opting out. The idea is that users would be able to choose to have their browser tell any Website not to track them for advertising purposes, and that setting wouldn't be wiped out if a user clears browser cookies, as currently happens with opt-out cookies.

FTC chairman Jon Leibowitz said the marketing industry has not done nearly enough to make sure people understand what personal information is being collected, or to provide them with adequate control over the associated data collection. The Electronic Frontier Foundation's (EFF) Rainey Reitman wrote on the group's blog that it is "extremely impractical" for consumers to defend against the "astonishing array" of tracking technologies that are both "sophisticated" and in "widespread use."

"In a sense, the biggest problem is not the targeted ads but the exhaustive records of people's reading and other online activities that are collected in order to facilitate that targeting," wrote Reitman.

The idea behind Do Not Track is not completely new to this report. Leibowitz floated the idea over the summer, and it was initially proposed back in 2007. EFF was one of the groups that supported the proposal three years ago, and it did so again this time.

While the 2007 proposal was criticized as "ineffective," the FTC's current proposal is a "revolutionary" approach to defending personal privacy and is a "promising development," said Reitman.

Last month, the European Union announced plans to update its privacy regulations to give consumers more control over online tracking.

The proposal is loosely based on the do-not-track concept used for the FTC's "National Do Not Call Registry," which was launched in 2003 and gave American consumers a way to opt out of calls from telemarketers. However, comparisons with the Do Not Call list are misleading, with critics deriding the idea of the government maintaining a list of users who do not want their information tracked. What the FTC is proposing is not a list that an organization or entity will maintain, but actual technology, be it software or hardware, that would be made available to users.

How that technology mechanism will be implemented remains open to discussion. The FTC appears to have shifted the burden to the companies that develop Web browsers, and not onto each individual Website publisher, said Lyon.

Leibowitz acknowledged that Mozilla, Google, and Microsoft have all been experimenting independently on various private browsing mechanisms, but he indicated that such a mechanism had to be more straightforward and persistent to be usable and effective.

The FTC differentiated between tracking and personalization in its report by focusing entirely on tracking cookies. Critics claim a Do Not Track capability would mean users would lose personalized settings on sites such as sports news sites and shopping. Users expect an e-commerce site to track what items they looked at in the store's catalog, and what they bought previously, because it's a "commonly accepted practice," said Lyon. For e-commerce sites and retailers that use cookies to learn about what customers are doing on their sites, the news is good: The FTC is saying "thumbs up, you can do that," Lyon said. The FTC is against having that information shared with another site or company, or with third-party ads running on the page that are collecting data unbeknownst to the user, she said.

E-commerce sites and retailers should employ a "don't surprise your users" rule when it comes to data collection, said Lyon. If a user would be shocked at the information that was being shared, then it shouldn't be shared, she said.

Claiming that the data being shared is anonymous and non-identifying is no longer accurate, according to Lyon. "Information that may seem unidentifiable can become identifiable," if someone tries to connect the dots between different sets of data, she said. This is even more of a concern with mobile devices, as location information can be used to "de-anonymize" previously anonymous data, concluded Lyon.

While Do Not Track has gained the most attention, the report also made other privacy recommendations. One called for companies to clarify and simplify privacy policies; some companies have already started the process. In September, Google announced it has simplified its privacy policy to explicitly tell users what kinds of data it would collect and retain. In May, Facebook rolled out a new privacy page for users.

Companies should also evaluate their Websites to make sure users can easily tell who is running the site, and who will see the data being collected, said Lyon. The FTC report called it a "privacy by design" approach.

Google, Microsoft, and Mozilla have all said they will review the report and provide feedback; the agency is taking comments until Jan. 31. "It will be interesting to see the comments that will be coming out of the companies," said Lyon, predicting that some would be "surprising."

While the report currently left the door open for either a self-regulatory approach or for new legislation, FTC head Jon Leibowitz said, "A legislative solution will surely be needed if industry doesn't step up to the plate."

Self-regulation is generally favored by online advertisers, social-network operators and Web-search companies, whose business models rely heavily on these tracking profiles. It's a little unclear whether the FTC will create guidelines, as it did for CAN-SPAM, for the industry to implement, said Lyon.

Even though the FTC currently doesn't have the authority to create new rules, Congress is paying attention. Massachusetts Senator John F. Kerry has promised to introduce privacy legislation that would give the FTC more rulemaking authority to carry out its recommendations, according to the Washington Post.