Do Not Track is back. This morning the Obama Administration
introduced a “Consumer Privacy Bill of Rights” that will be voluntarily supported by Google, Yahoo, AOL and Microsoft. The companies have also reportedly agreed to work with so-called “do not track” buttons or technology in web browsers to disable tracking and behavioral ad targeting for those consumers who do not want it.
On surveys most consumers say they do not want to be tracked.
Seven Privacy Principles
Such capabilities already exist in Microsoft’s Explorer browser and for Firefox and Chrome with “private browsing” or browser add-ons or extensions. However the majority of people don’t use these tools currently. Is that because of actual indifference or simply a lack of understanding?
Below is an abridged version of the seven principles that form the core of the new Consumer Privacy Bill of Rights:
Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it . . .
Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.
Respect for Context: Consumers have a right to expect that companies will collect, use and disclose personal data in ways that are consistent with the context in which consumers provide the data . . .
Security: Consumers have a right to secure and responsible handling of personal data…
Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate . . .
Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain . . .
Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the consumer-privacy bill of rights . . .
Seeking “Enforceable” Codes of Conduct
According to the statement put out by the White House this morning stakeholders, including major internet companies and privacy advocates, will be convened to formulate “codes of conduct” that will be enforceable by the FTC:
In the coming weeks, the Commerce Department’s National Telecommunications and Information Administration will convene stakeholders – including companies, privacy and consumer advocates, technical experts, international partners, and academics – to establish specific practices or codes of conduct that implement the general principles in the Consumer Privacy Bill of Rights.
However the Wall Street Journal says any such new codes of conduct won’t preclude all tracking:
The new do-not-track button isn’t going to stop all Web tracking. The companies have agreed to stop using the data about people’s Web browsing habits to customize ads, and have agreed not to use the data for employment, credit, health-care or insurance purposes. But the data can still be used for some purposes such as “market research” and “product development” and can still be obtained by law enforcement officers.
Facebook’s tracking or targeting, based on Likes (etc.), would not be prevented by the new rules either. However, these new privacy codes could pose unique challenges for Facebook, especially as it seeks to expand into mobile advertising and potentially launch an ad-network competitor to AdSense.
What’s Next?
While the Obama Administration and the FTC probably have discretion to create an enforcement scheme under existing authority, there will be an effort at passing new privacy legislation to embody the privacy principles above:
The Administration also will work with Congress to develop legislation based on these rights to promote trust in the digital economy and extend baseline privacy protections to commercial sectors that existing federal privacy laws do not cover.
The problem there is two-fold, however. We’re in an election year when little new legislation can be expected to pass. And several independent efforts to enact new online privacy rules have been stalled in Congress for many months. Those bills may be given new life by this announcement.
As the groups come together to define and implement the codes of conduct, there will likely be a battle over “enforcement” and penalties, with groups such as EPIC and the ACLU seeking to ensure there are tough penalties and industry groups trying to build as large a “safe harbor” as possible and minimize penalties.
Privacy Now a Hot Button for Everyone
After years of being dismissed as a serious issue by digital ad executives a number of recent privacy scandals, including Cookiegate and Pathgate, have made privacy a very hot issue. In particular, mobile has been an area of intense focus for privacy advocates of late.
Accordingly, in a separate move yesterday, California Attorney General Kamala Harris announced an agreement with Apple, Google, HP, Microsoft and RIM to require mobile developers to create and publish privacy policies that make clear what data their apps are accessing and capturing. This comes on the heels of a critical FTC report on data collection by mobile apps directed at kids.
In addition 36 state attorneys general are seeking a meeting with Google about its intended privacy policy change next week. In their letter to Google requesting the meeting they expressed disapproval of the notion that the only way consumers could prevent the broader sharing of data across Google properties was to avoid signing in.
The recent introduction of the Chrome mobile browser by Google is also an effort to capture consumer information cross-platform. Signed in users would be tracked from PC to mobile web. There are many benefits to consumers from this but Google would also be able to see and share data across device categories for many purposes including ad targeting (Yahoo also can do and does this).
How Will Consumers Respond?
As mentioned above privacy tools that effectively provide “do not track” functionality already exist but they’re not in widespread use. When formal do not track buttons and related policies come into effect will consumers adopt and use them? That’s very much an open question.
The IAB, online ad networks and publishers using behavioral targeting and retargeting have sought to avoid the imposition of “do not track” with the “ad choices” option that appears now on most targeted online display advertising (see image above). It appeared for some time like “self regulation” might satisfy and mollify Congress and privacy advocates.
The run of privacy snafus and scandals in the past few months, however, have effectively ended self-regulation as a solution to online privacy concerns.
Related Entries
36 State Attorneys General Call For Privacy Meeting With Google
No Surprise: Congress, Consumer & Privacy Groups Want Google To Explain Safari Privacy Snafu
Europeans, EPIC Bring More Scrutiny To Google Privacy Changes
No, You Don’t Need To Fear The Google Privacy Changes: A Reality Check
Microsoft Slams Google Privacy Changes With “Putting People First” Ad Campaign
Google Tells Congress: Users Can Opt-Out Of New Privacy Policy By Not Logging In
Google’s New Terms Of Service & Privacy Policy: Anything You Do May Be Used To Target You?
Comments