As the period for submitting comments to the U.S. Federal Trade Commission on behavioral targeting of online ads expires today, numerous groups weigh in from both sides of the contentious debate over data collection and consumer privacy.
At issue is the set of self-regulatory principles the FTC issued on Dec. 20, the same day it gave Google’s (NASDAQ: GOOG) acquisition of DoubleClick an unconditional approval, disappointing many privacy advocates who had lobbied against the merger.
But the comments that Web companies, industry associations and public-interest groups are submitting on the language of the principles also touch on the broader issue of whether online advertisers can be trusted to protect consumer privacy themselves, or if government regulation of the fast-growing industry is necessary.
The FTC’s call for comments coincides with several industry groups accelerating their lobbying against a controversial bill pending in the New York State Assembly and Senate.
The bill would write into law what data Web companies can collect and require them to offer opt-out mechanisms for consumers who don’t want their browsing histories tracked.
In a letter sent to Assemblyman Richard Brodsky, the Westchester County Democrat who is sponsoring the bill, an attorney representing a coalition that includes Google, Facebook, Yahoo, AOL and several other companies argued that the bill was unnecessary in light of the industry’s movement toward self-regulation and FTC principles.
Further, the letter argued that Brodsky’s bill is likely unconstitutional, citing the Dormant Commerce Clause of the Constitution that restricts state regulatory authority over Internet activity.
“It is simply not feasible to comply with Internet advertising regulations that vary from state to state,” attorney Jim Halpert wrote.
At the other end of the spectrum are watchdog groups such as the Center for Digital Democracy and U.S. PIRG, which say that Brodsky’s bill is a good start but advocate a national policy to protect online privacy.
In their comments to the FTC, the groups blasted the agency for failing to attach conditions to mergers of companies with large data sets, such as Google and DoubleClick, and for generally ducking the privacy issue by pursuing a policy of self-regulation.
“The Commission — frankly under both the Bush and the Clinton administrations — has been largely incapable to take a meaningful stand on data collection and interactive marketing,” the groups wrote in the comments they plan to file jointly today.
[cob:Pull_Quote]”Clearly, the time for regulation is here — but not merely self-regulation. The history of self-regulation clearly shows that in the absence of meaningful legal rules, the level of consumer protection will be minimal,” the groups said.
Industry groups, such as the Interactive Advertising Bureau and the Direct Marketing Association, have predictably expressed support for the self-regulatory approach, but suggested that the self-regulation should be left to the industry, challenging the FTC’s role in the process.
The groups claimed in their filing that no specific consumer harm had been demonstrated, so there was no need for regulatory involvement. In February the IAB released its own set of self-governing principles, which it has submitted to the FTC.
In addition to the general issue of consumer privacy and behavioral targeting, some groups are also pressing the FTC to enact meaningful safeguards for protecting children.
“Children and adolescents have more difficulty understanding privacy policies and are at a developmental disadvantage to give meaningful, informed consent to data collection,” the groups wrote in their filing.
Corie Wright, an attorney with the Institute for Public Representation at Georgetown University Law Center who helped prepare the filing, said that the FTC has been slow to adapt to the increasingly sophisticated methods of data collection and behavioral targeting.
[cob:Special_Report]
“The FTC still has a late 1990s understanding of online marketing,” Wright told InternetNews.com. “As a result, children and teens in the U.S. have been left vulnerable to manipulation because of the failure of the FTC to act in a meaningful way.”
Legislators are keeping an eye on the issue, as well. Rep. Ed Markey, a Massachusetts Democrat who co-chairs the Bi-Partisan Congressional Privacy Caucus, said that he was pleased the FTC was working to update the child-privacy safeguards of the Children’s Online Privacy Protection Act, the federal law effective April 2000 under which the agency limits the information that can be collected about kids online.
“Without stronger protections, including a prohibition on collecting data on children’s and teens’ online activities, young Internet users may become unwitting targets of the ‘hidden persuaders’ of the digital age,” Markey said in a statement, adding that he looked “forward to monitoring the FTC’s work in this important area.”
Continued from Page 1.
Industry responds
In its comments to the FTC, Google said it favored some kind of federal baseline privacy legislation that would punish “bad actors” who violate consumer privacy, but for the general practices of Internet advertisers, it favored the FTC’s self-regulatory approach.
Echoing the sentiments of many in the Internet industry, Google argued that technology and business models are developing so rapidly that the rush to regulation would stifle innovation.
For its part, Microsoft (NASDAQ: MSFT) applauded the FTC’s work on the issue, but suggested it go a little further. The company pitched a five-tiered plan that would impose more rigid safeguards on companies collecting sensitive information, and apply distinct requirements for sites engaging different ad-targeting practices.
Google qualified its support for the FTC behavioral targeting principles with the recommendation that their scope be refined to distinguish between what constitutes personally identifiable information (PII) and what does not. IP addresses, for instance, would only be considered PII when tagged to other information, such as an account number.
Google also urged the agency to scale back the activities it considered behavioral targeting, a definition Microsoft said should be expanded. The company claimed that its contextual advertising, where it serves search and display ads based on a user’s search queries or browsing history, should not be considered behavioral targeting because it is not based on PII.
“The staff should be aware, moreover, that failing to define behavioral advertising precisely, or an attempt to categorize specific activities as elements of behavioral advertising (e.g., search queries, clicks and other similar online activities) could have unintended and very negative consequences,” Google said.
Like all advocates of a scaled-down, self-regulatory policy for online advertisers, Google argues that targeted advertising has a positive effect for consumers. It makes Web content free, drives innovation and has been the engine of tremendous economic growth. Further, Google points out that consumers prefer to see relevant ads.
“Our hope is that the privacy principles … will be adopted widely by the online advertising industry and will serve as a model for industry self-regulation in jurisdictions beyond the United States,” Google wrote in its comments.
In Europe, where regulators are typically more active about enacting privacy requirements, an advisory body to the European Commission recommended last week that IP addresses be defined as personal information. It also suggested that search engines be required to irreversibly anonymize their server logs after six months. Last June Google announced that it would reduce the maximum data-retention period from 24 months to 18 months.
Responding to the latest recommendations from the European group, Peter Fleischer, Google’s global privacy counsel, wrote in a company blog post acknowledging that privacy concerns are important.
He also argued for consideration of how data helps companies create better products, such as more accurate search results. Fleischer called attention to some of Google’s online safety and privacy initiatives, such as the use of data from its server logs to scout for malware and phishing attacks.
In the broadest sense, the debate fissures over the role that regulatory authorities should play in a rapidly changing industry that is a powerful engine of the Internet economy. As the FTC moves closer to codifying its self-regulatory approach, privacy groups will continue to press for legislation on the state and national level to limit how much and what types of information companies can collect about people’s Web habits.
