On December 1, 2010, the FTC issued its much-awaited preliminary staff report on Internet privacy entitled, “Protecting Consumer Privacy in an Era of Rapid Change,” which is available here. While a final report will follow in 2011 after a public comment period, this initial report makes plain the FTC’s dissatisfaction with current industry efforts to protect consumer privacy online, the big changes it thinks are necessary to achieve adequate protection, and its determination to implement them through governmental intervention if industry self-regulatory efforts fall short. Significantly, the Chairman of the FTC, Jon Leibowitz, enthusiastically embraced the report and left no doubt the FTC will continue to pursue aggressive law enforcement, will continue to “jawbone” industry to take steps to improve consumer privacy, and, in all likelihood, will ask Congress to give it additional regulatory powers over online privacy.
Chief proposals of the 79-page report include:
- A “Do Not Track” mechanism, similar in concept to the “Do Not Call” registry, to enable consumers to prevent advertisers from monitoring their online behavior and delivering targeting ads. As envisioned by the FTC, the mechanism would be a browser setting similar to a persistent cookie that, when activated, would signal sites that the consumer does not want to be tracked or receive targeted ads. Several unanswered questions exist about the actual necessity, technology and enforceability of a Do Not Track option for consumers, and robust debate surrounding it is certain to ensue, but the FTC stance is now crystal clear: it supports Do Not Track and will push the online advertising industry and Congress with all its might to make it a requirement.
- Privacy policies are too often “legalistic” and incomprehensible; important privacy choices, including third party data sharing for marketing purposes, should be clearly and conspicuously presented on the website itself, in “just in time” fashion (i.e., when the consumer is entering personal data or making a purchase decision), and express consumer consent should be obtained at that point before the data is shared.
- “Intangible” (non-physical or non-economic) harm, such as “reputational” harm, “fear of being monitored” or “injury to consumer dignity” (in the words of the Director of the FTC Bureau of Consumer Protection), perhaps should be considered as a basis for law enforcement actions against privacy violations. This would be a radical departure from long-standing FTC policy that only tangible physical or economic consumer injury is sufficient to justify exercise of the FTC’s law enforcement powers.
- Subsequent material changes to a privacy policy must be clearly disclosed and express consumer consent obtained before they are implemented.
- Adoption of “privacy by design,” i.e, integrating privacy protections into everyday business operations and improving transparency of all data practices, including those of companies, such as list brokers, that don’t face consumers.
In addition to the FTC report, the House of Representatives Subcommittee on Commerce, Trade and Consumer Protection held hearings on December 2 to consider online privacy legislative proposals, including Do Not Track, which again was endorsed at the hearing by the FTC.
The FTC report signals a sea change in the debate over Internet privacy. Tighter federal regulation of online privacy practices is no longer a matter of if, but when. The stakes are high for marketers, consumers, and even the continuing vibrancy of the behavioral advertising model which has been so integral to the growth of commerce on the Internet. I will be following the privacy debate at the FTC and in Congress closely and will continue to stay abreast of developments in this important area.
This is perhaps an opportune time for your company to take a fresh look at its own privacy policy and practices. If you have questions on this or any other topic of FTC advertising regulation, please do not hesitate to contact me.