On March 17 the Federal Trade Commission (FTC) concluded the last of its three roundtables on the state of online privacy. A key area of scrutiny during the roundtables was the adequacy of privacy self-regulation by the online advertising industry with regard to the collection, use and sharing of information from consumers for behavioral advertising purposes (i.e., targeting customized ads to Internet users based on their activities online). In February 2009, the FTC issued detailed self-regulatory guidelines for behavioral advertising which emphasized prominent disclosure of practices (e.g., not burying the relevant information in a website privacy policy) and providing Internet users with meaningful choice mechanisms, such as opt-outs from information sharing. For a complete description of those guidelines, please check out my May 2009 article in ReveNews.com.
Two items emerged almost immediately from the roundtables and the FTC’s related comments: (1) the FTC does not believe industry self-regulation in behavioral advertising is working, and (2) the category of “personally identifiable information” (PII) that has been used in privacy law up to this point to denote sensitive information warranting legal and regulatory protection is effectively obsolete.
RIP, PII
To the latter point, studies have shown that non-personalized information like IP addresses or even browser and operating system specifications can be combined with other information gathered from online browsing to build detailed personal profiles and even identify individuals with a reasonable degree of certainty. The FTC’s 2009 behavioral guidelines anticipated a breakdown of the existing personal/non-personal information dichotomy by expanding the category of information covered by the guidelines to include information that can be used to identify a specific computer or device (not just a particular human being). According to the FTC, such data include clickstream data that can be combined with a consumer’s website registration information; individual pieces of anonymous data combined into a detailed profile that is identifiable with a particular person; and behavioral profiles that are not associated with a particular consumer, but are stored and used to deliver personalized advertising and content to a particular device.
In addition, the guidelines identified a special category of personal information, such as health information, financial information, precise geographic location information or information about children, that is so sensitive it warrants heightened privacy protection (for example, requiring consumers to opt in before such data can be collected for behavioral advertising, rather than providing the standard opt-out).
More Powers for the FTC?
Greater privacy regulation in online behavioral advertising seems to be a given, therefore. Some sites like Yahoo! have felt it prudent to get ahead of the curve by expanding their privacy disclosure preemptively (for example, Yahoo!’s Ad Interest Manager allows you to see information about your browsing activities that Yahoo! collects for targeted advertising purposes and set your preferences accordingly). The big question, though, is how sweeping the new rules will be. One problem with a non-incremental approach is that the FTC is currently limited in its rule-making authority when it is using its power to combat unfair or deceptive practices under Section 5 of the FTC Act. This is the main authority the FTC has used for a decade to make its views known with respect to online privacy (Congress has granted it broader powers to regulate in specific areas, such as under the Children’s Online Privacy Protection Act and the CAN-SPAM Act).
However, a clause in Congressman Barney Frank’s (D-Mass.) financial reform bill H.R. 4173, otherwise known as the Wall Street Reform and Consumer Protection Act of 2009, would greatly expand the FTC’s power to regulate and litigate, and not just against financial services companies. Specifically, the bill would allow the FTC to implement consumer protection regulations generally through the Administrative Procedures Act (APA) rule-making process, rather than through the more rigorous current process, which takes much longer and requires greater public participation and comment. The FTC would also be able to file suit directly instead of having to act through the Department of Justice. (NOTE: this is the second time in a week I have blogged about a little-known clause in Congressional financial reform legislation that drastically expands regulatory involvement in areas that have nothing to do with the 2008 financial collapse.) FTC Chairman Jon Leibowitz argued for such powers in Senate testimony on the pending legislation, promising to use them sparingly. It remains to be seen whether Congressman Frank’s creation of an “FTC on steroids” (as some libertarian/anarchist tech bloggers have called it) will appear in the final act after reconciliation with Senator Chris Dodd’s (D-Conn.) bill.
So, what’s next for online privacy? More disclosure and more consumer choice, probably, as well as the possible creation of a sliding scale of privacy protection based on categories of totally de-identified data, data that can (either alone or in combination with other data available through the Internet) be associated with a unique individual, and sensitive personal data warranting strong safeguards. Online advertisers and ad networks: be aware that the FTC is watching you. Of course, I am watching them, and you can find new developments on this blog as soon as they occur.