The U.S. Federal Trade Commission (FTC) recently recommended “best practices” for protecting consumer privacy, but the recommendations may cramp the style of how some data collectors, from Facebook and Google, to data brokers, banks and retailers, do their business online.
One of the cornerstones of the March 26 report, titled “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers ,” is support for a controversial technology called “Do Not Track.” Makers of major web browsers, including Chrome, Firefox, Internet Explorer and Safari, have incorporated the technology into their products. But questions have been raised about the effectiveness of this approach.
“I’m concerned about the extent on which we’re relying on Do Not Track technology, which is not mature,” said FTC Commissioner J. Thomas Rosch. Rosch was the lone dissenter from the final report released by the five-member commission.
In proposing its “framework” for privacy, the FTC is delegating too much of the responsibility for protecting consumer privacy to those who are gathering data, Rosch argued. Such self-regulating schemes can be dominated by large players in the market who can use tools like Do Not Track to restrict competition.
“Big enterprises could raise the regulatory bar so high that smaller companies couldn’t live with it,” he reasoned.
To some extent, however, the FTC has addressed that problem by excluding from compliance with its framework companies “who collect only non-sensitive data from fewer than 5,000 consumers per year and do not share the data with third parties.”
How high the bar should be for Do Not Track is a heated issue between data collectors and privacy advocates, explained Andrew Frank, a research vice president for Gartner. Data collectors would like to see Do Not Track narrowly defined so all data collection isn’t blocked by the technology, he noted, while privacy advocates want all data collection blocked.
For example, a strict interpretation of Do Not Track could prevent a data collector from obtaining any information from a website visitor—and prevent companies from earning money for the services they provide by delivering messages targeted at users based on their online behavior. The industry has been working to demonstrate it can regulate itself and the FTC noted in its report the Digital Advertising Alliance, a group of media and marketing associations, has developed an icon that would allow consumers to click on an ad and see how they were targeted, and to opt out of it.
“If the strictest interpretation were adopted, it would create major problems for the data brokers, depending on what the enforcement profile looked like, or it would create a new market for workarounds and gray market data,” Frank said.
In its report, the FTC also recommends that companies should offer “choice at a time and in a context in which the consumer is making a decision about his or her data” and “obtain affirmative express consent before (1) using consumer data in a materially different manner than claimed when the data was collected; or (2) collecting sensitive data for certain purposes.”
If companies follow this recommendation, that will end “take it or leave it” policies on the Web, according to Rosch. Currently, it’s common for online privacy policies to make data collection a condition of service for accessing a website or its online tools. Ending take-it-or-leave-it would curb what data could be collected from a website’s users.
Another basic policy of the framework calls for companies to “provide reasonable access to the consumer data they maintain; the extent of access should be proportionate to the sensitivity of the data and the nature of its use.”
That can pose some serious problems for data collectors, Gartner’s Frank contended. “Data brokers may have data that is the property of its clients, not its own, so they shouldn’t be compelled to expose it,” he explained.
While the ultimate goal of the FTC’s framework may be to create greater consumer awareness of what data collectors are doing with their data, it may be an elusive goal at best, Frank maintained.
“Consumers don’t have the patience to deal with privacy issues in the first place,” he said. What’s more, he continued: “They’re conflicted about privacy. If you ask them, are you concerned about protecting your privacy? They’ll say, of course. Then the next day they’ll put everything about them on Facebook for the world to see. Clearly, behavior and attitude are misaligned.”
“As a practical matter,” he added, “creating enforceable laws that can protect something that’s so vague and complicated as the world of big data will be an impossible task for any regulatory body.”
The FTC is not the only body looking at the issue of consumer tracking. In January, the European Union proposed reforming its 1995 data protection rules to strengthen consumers’ online privacy rights and increase the responsibilities of entities processing personal data. In addition, the World Wide Web Consortium has a Tracking Protection Working Group assigned “to improve user privacy and user control by defining mechanism for expressing user preferences” regarding blocking or allowing Web tracking elements. That group, whose participants include public interest groups as well as corporate representatives from Microsoft, The Nielsen Company, PayPal, Google, Comcast, and IBM, is scheduled to release a proposal in May and recommendations in June.
John Mello is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security. Follow him on Twitter @jpmello.