On the heels of clearing the way for the Google-DoubleClick deal, and resulting from a recent meeting on behavioral advertising, the FTC today released a statement for comment on behavioral advertising: “Possible Self-Regulatory Principles for Online Behavioral Advertising” (PDF). In it, they propose some self-regulatory principles for behavioral advertising and now seek comment on the principles from interested parties. Following is a summary of the key issues, proposed principles, and my initial comments.
Transparency and consumer control
Issue: Interested parties cite the need for greater transparency and consumer control to address the privacy issues raised by behavioral advertising. Many criticize existing disclosures as difficult to understand, inaccessible, and overly technical and long. They also stated that, with clearer disclosures, consumers can make more informed decisions about whether or not they want personalized advertising or, alternatively, whether they would prefer not to do business at particular websites…
Proposed Principle: Every website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that (1) data about consumers’ activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers’ interests, and (2) consumers can choose whether or not to have their information collected for such purpose. The website should also provide consumers with a clear, easy-to-use, and accessible method for exercising this option.
Requiring this kind of opt-in regime is an important step towards giving users more control over the collection and use of their personal data. To extend this further, websites should be required to have users periodically renew their acceptance of the collection of data, since privacy preferences might change as user behavior on a particular website changes over time. For example, when a user first uses Facebook to simply connect with friends, she might be willing to share basic personal information, but once her activities on Facebook expand to include more extensive personal information, she might no longer be so willing to have her data used for behavioral targeting. Rather than relying on her to take the time to find and tweak the privacy preferences, Facebook should be required to actively present her privacy options to her periodically when she logs in.
Limited data retention
Issue: Stakeholders express concern about the length of time that companies are retaining consumer data collected for behavioral advertising. The longer that data is stored in company databases, the greater the risks to the data. On the other hand, there may be good reasons for retaining data, such as maintaining and improving customer service or tracking criminal activities on the website.
Proposed Principle: Companies should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need. FTC staff commends recent efforts by some industry members to reduce the time period for which they are retaining data. However, FTC staff seeks comment on whether companies can and should reduce their retention periods further.
While the FTC is on the right track, I struggle with framing a self-regulatory principle around a “legitimate business or law enforcement need.” Companies can claim any business need (current or future) as legitimate, and who knows when law enforcement might come knocking on your door to access user records. There is enough fuzziness here that a company can easily say it needs to retain records for 1, 10, or 100 months on “legitimate” grounds. Data retention periods need to be fixed and externally defined, not left up to the companies themselves.
Affirmative express consent for material changes to existing privacy promises
Issue: Acknowledging that privacy policies are not only important tools for providing information to consumers, but also serve to promote accountability among businesses, it is also widely recognized that businesses may have a legitimate need to change their privacy policies from time to time.
Proposed Principle: A company must keep any promises that it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date. Therefore, before a company can use data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers.
Again, opt-in regimes are always preferred over simply making changes and telling people they can opt-out if they so choose. Requiring “affirmative express consent” to use personal data is an important requirement.
Affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising
Issue: Stakeholders express concern about the use of sensitive data (for example, information about health conditions, sexual orientation, or children’s activities online) to target advertising, particularly when the data can be traced back to a particular individual. They state that consumers may not welcome such advertising even if the information is not personally identifiable; they may view it as invasive or, in a household where multiple users access one computer, it may reveal confidential information about an individual to other members.
Proposed Principle: Companies should only collect sensitive data for behavioral advertising if they obtain affirmative express consent from the consumer to receive such advertising. FTC staff seeks specific input on (1) what classes of information should be considered sensitive, and (2) whether using sensitive data for behavioral targeting should not be permitted, rather than subject to consumer choice.
Here, the FTC again supports user opt-in for the collection of personal data, which is important, and I again call for the need to have users periodically re-affirm their acceptance. In response to the FTC’s request for input: attempting to globally define “sensitive” information is the wrong approach. Some information is sensitive in one context and not in another. I’m willing to share my income level with a website trying to match me up with the proper investment options, but I might not want to share it with my social networking site. Similarly, pieces of information typically considered non-sensitive (my zip code or my gender) might become sensitive when combined or used to help link me to separate, sensitive data. Rather, users should be given the technical ability to specify which of their personal information can be used by a particular site (allowing them to decide what is sensitive in a particular context). Further, companies should be prevented from mining, aggregating, or using these data points in order to extrapolate or extract additional information about users.
The document also addresses issues related to security of data, and secondary use of data beyond behavioral advertising.
What is missing, however, are key principles shared by many other privacy frameworks, including the FTC’s own Fair Information Practice Principles. Notably, there is no mention of granting users the right to access the data collected by a particular website. The FTC should add language similar to their existing Fair Information principles:
Access/Participation
Access refers to an individual’s ability both to access data about him or herself — i.e., to view the data in an entity’s files — and to contest that data’s accuracy and completeness. Both are essential to ensuring that data are accurate and complete. To be meaningful, access must encompass timely and inexpensive access to data, a simple means for contesting inaccurate or incomplete data, a mechanism by which the data collector can verify the information, and the means by which corrections and/or consumer objections can be added to the data file and sent to all data recipients.
The right of individuals to access and challenge personal data is generally regarded as perhaps the most important privacy protection safeguard, and must be included in any regulatory regime or set of best practices addressing the collection of personal information.