FTC’s Proposed Privacy Framework

FTC’s proposed a framework to protect the privacy of consumers. Part of this framework is a “Do Not Track” option that has raised a lot of questions among the web analytics and advertising community. Well since this is just a proposal at this stage nobody knows how it will finally pan out. At this point FTC has published the report to seek public comments. The report that FTC has put together is 122 pages long. I have extracted some important point from that report in case you don’t have the time to read the full report.

The basic building blocks of this framework are:

• Scope: The framework applies to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device.
  
  Note: This is not limited only those who collect PII data, if you collect any information about a consumer then this applies to you. However commission is seeking input on how to determine
  “reasonably linked to a specific consumer…”
  
• Privacy by Design: Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services.
  
  • Companies should incorporate substantive privacy protections into their
    practices, such as data security, reasonable collection limits, sound
    retention practices, and data accuracy.
  • Companies should maintain comprehensive data management procedures
    throughout the life cycle of their products and services.
    
    Note: You might need to assign a person to oversee that privacy of data is built into your products/services/process etc. Think, “Chief Privacy officer”.
    
    • Ensure physical data protection
    • Do not collect what is not required
    • Do not retain data for longer than it is required
    • Ensure accuracy of the data so that you do not harm someone because of the inaccurate data
• Simplified Choice: Consumers face considerable burdens in understanding lengthy privacy policies and effectively exercising any available choices based on those policies. Under proposed framework, companies should simplify consumer choice.
  
  
  • Companies do not need to provide choice before collecting and using consumers’ data for commonly accepted practices, such as product fulfillment.
    This also includes tracking for improving the sites (Web Analytics), fraud protections, legal compliance and first party marketing.
  • For practices requiring choice, companies should offer the choice at a time and in a context in which the consumer is making a decision about his or her data.
• Greater Transparency: Companies should increase the transparency of their data practices.
  
  • Privacy notices should be clearer, shorter, and more standardized, to enable better comprehension and comparison of privacy practices.
  • Companies should provide consumers with reasonable access to data about themselves; the extent of access should depend on the sensitivity of the data and the nature of its use.
  • Companies must provide prominent disclosures and obtain affirmative express consent before using consumer data in a materially different manner than claimed when the data was collected.
  • All stakeholders should work to educate consumers about commercial data privacy practices.

Feel free to leave a comment if I missed anything. You can read the full report at http://ftc.gov/os/2010/12/101201privacyreport.pdf.

Read my other articles on Privacy

----------------------------------------------------------------------------------------------------
Open Web Analytics and Online Marketing Jobs

• Web Data Analyst
  at Genworth Financial (Richmond, VA)
• Web Games Analyst
  at Arkadium (New York, NY)
• Web Metrics Analyst
  at Omnitec Solutions (Alexandria, VA)
• Web Data Analyst
  at Alzheimer's Association (Chicago, IL)
• Web Analytics Manager
  at Tig Global (Chevy Chase, MD)
• Sr. Data Analyst
  at Capella University (Minneapolis, MN)
• Manager, Web Analytics, Search & Production Support
  at Asme (New York, NY)
• Web Analytics Manager
  at Conde Nast (New York, NY)
• Web Analytics Manager
  at Juggle (Swansea, IL)
• Sr. Analyst Web Analytics
  at Williams-Sonoma (San Francisco, CA)

Privacy of Online Data – Debate Continues

Today a U.S. Senate committee summoned representatives of several internet companies like Google, Microsoft, Facebook and also NebuAd, and expressed its concerns about the user privacy resulting from online data collection and targeting. (Source: LATimes)

This committee was led by Sen. Byron Dorgan (D- North Dakota), who said "I don’t have the foggiest idea who's tracking it, how they’re tracking it, how they might use it, whether that company has some scruples and might be very careful about how it handles it, or whether it's somebody else who grabs a hold of it…. There are so many unanswered questions about information on how people navigate this Web."

NebuAd and ISP based Behavioral Targeting

NebuAd, which has been on the hot seat lately, defended its position by maintaining that it does not violate the privacy of the consumer as it strips out any personally identifiable information from the data it uses.
"NebuAd’s systems are designed so that no one, not even the government, can determine the identity of our users", Dykes, CEO of NebuAd said. "We do not collect or use personally identifiable information. … We do not store raw data linked to identifiable individuals. And we provide state-of-the-art security for the limited amount of information we do store."

But Leslie Harris, president of the Center for Democracy and Technology, said the increasingly detailed profiles NebuAd and other companies keep could be linked to specific people.

Senators Understand the Benefits of Online Advertising

Dorgan and other senators said that they understand the benefits of online advertising. Their worries are with the security of the data used to deliver those ads.

Sen. Amy Klobuchar (D-Minn.) said "We're not against advertising on the Internet, but the issue is, as it becomes more sophisticated, do we have a role here to play in making sure that consumers' privacy is protected as companies develop more technology and are able to dig deeper into that information?"

And...debate continues….

Comments?

FTC Proposes Behavioral Advertising Privacy Principles

To address consumer privacy concerns associated with Behavioral Targeting FTC proposed privacy principals.

The purpose of this proposal is to encourage more meaningful and enforceable self-regulation to address the privacy concerns raised with respect to behavioral advertising. In developing the principles, FTC staff was mindful of the need to maintain vigorous competition in online advertising as well as the importance of accommodating the wide variety of business models that exist in this area,” according to its proposal “Behavioral Advertising: Moving the Discussion Forward to Possible Self-Regulatory Principles. The proposal states that behavioral advertising provides benefits to consumers in the form of free content and personalized advertising but notes that this practice is largely invisible and unknown to consumers.

Below are the principal they proposed:

• Every Web site where data is collected for behavioral advertising should provide a clear, consumer-friendly, and prominent statement that data is being collected to provide ads targeted to the consumer and give consumers the ability to choose whether or not to have their information collected for such purpose.
  
  Sooner or later that is going to be almost every site that you encounter. Since there is no common definition of Behavioral Targeting any targeting (since it will uses onsite behavior, geo or any data collected from users ) can be considered behavioral targeting.
  
  Give consumers the ability to choose whether or not to have their information collected for such purpose - it is not clear if they mean opt-in or opt-out.
  
  I am in favor of providing an opt-in instead of opt-out. In my post on Google and Doubleclick privacy concerns, I wrote:
  I believe that if consumers are provided proper education (I will write about consumer benefits in one of my future posts) than they can infect benefit from Behavioral Targeting. It will be a win-win situation for all the parties involved. Proper education and disclosures by advertisers, publishers and networks will ease the concerns regarding Behavioral Targeting. Consumers have the right to opt out of Behavioral Targeting but what is lacking is proper education on how to do so. The networks currently opt-in users by default; however, in my opinion the proper process should be opt-out by default and opt-in if user chooses to opt-in, just like we do for emails and newsletters. This process will move the burden from users to the advertisers, publishers and networks.
  



• Any company that collects or stores consumer data for behavioral advertising should provide reasonable security for that data and should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.
  
  “Reasonable” is very vague since every company can define it’s own explanation of reasonable.
  
  


• Companies should obtain affirmative express consent from affected consumers before using data in a manner materially different from promises the company made when it collected the data.
  
  This is to safeguard against changing privacy policies. Since almost all the privacy policies have a clause which says something like “We reserve the right to change this privacy policy. New privacy will be posted on this page”. It is hard for consumers to keep track of what has changed since they agreed to the privacy policy.
  


• To address the concern that sensitive data – medical information or children’s activities online, for example – may be used in behavioral advertising, FTC staff proposes:
  
  
  • Companies should only collect sensitive data for behavioral advertising if they obtain affirmative express consent from the consumer to receive such advertising.
  
  
  • FTC staff also seeks comment on what constitutes “sensitive data” and whether the use of sensitive data should be prohibited, rather than subject to consumer choice.
  
  
  
  My opinion: Sensitive data should be prohibited. However it won’t be easy to define what constitutes sensitive data especially when it has to apply to various countries and cultures. Sensitive information in one country might not be sensitive in another country or culture.
  

Comments? Questions?

FTC to Host Town Hall meeting to discuss Behavioral Targeting and Online Privacy

Federal Trade Commission is conducting a Town Hall meeting to discuss several topics on Behavioral Targeting and Online Privacy.
This is your chance to participate in the panel and have your voice heard.
This two-day Town Hall will bring together consumer advocates, industry representatives, technology experts, and academics to address the consumer protection issues raised by the practice of tracking consumers’ activities online to target advertising – or “behavioral advertising.” It will be held November 1-2, 2007 at the FTC Conference Center at 601 New Jersey Avenue, N.W., Washington, DC. It is free and open to the public.
The Commission invites interested parties to submit requests to be panelists and to recommend other topics for discussion. The requests should be submitted electronically to behavioraladvertising_requests@ftc.gov by September 14, 2007. The Commission will select panelists based on expertise and the need to represent a range of views about the issues. Panelists selected to participate will be notified by October 5, 2007.
Topics at the Town Hall will include:

• How does online behavioral advertising work? What types of companies play a role in this market?


• What types of data are collected? Is the data personally identifiable or anonymous? Even when the data is anonymous, is it, or could it be, combined with personally identifiable data from other sources??


• How is the data used, and by whom? Is it shared or sold? Is the data used for any purposes other than to target advertising??


• How has the online advertising market, and specifically behavioral advertising, changed since 2000??


• What security protections are companies providing for the consumer data that they collect, use, transfer, or store??


• What do consumers understand about the collection of their information online for use in advertising??


• Are companies disclosing their online data-collection practices to consumers? Are these disclosures an appropriate and effective way to inform the public about these practices? Are companies offering consumers choices about how data is collected and used??


• What standards do, or should, govern practices related to online behavioral advertising? Are companies following the Network Advertising Initiative Principles, originally issued in 2000 for online network advertising companies? Are these principles still relevant, in light of changes in the marketplace? What other legal or self-regulatory standards are applicable to these practices? Are certain practices generally regarded as appropriate or inappropriate in this area?


• What changes are anticipated in the online behavioral advertising market over the next five years? Will information be collected through technological means other than cookies? Is behavioral advertising moving beyond the Internet into other technologies?

Do you have an opinion on any of the above topics? Tell me what you think, maybe I will compile all responses and provide on this blog for future. And if I get selected on the panel I will take your voice to this town hall meeting.
Here is my previous post on FTC

Google Doubleclick deal concerns Privacy Advocates

The Electronics Privacy Information Center (EPIC), The Center for Digital Dempcarcy (CDD), The U.S. Public Interest Research Group (U.S. PIRG) has filed a complaint with Federal Trade Commission (FTC) that Google’s acquisition of Double will compromise privacy of internet users. Read the complete detail of this complaint at http://www.democraticmedia.org/PDFs/google_complaint.pdf

I have been talking about Google and Behavioral Targeting even before the acquisition of Double click was announced. As I wrote in my first post on Google and Behavioral Targeting Google has been putting it’s footprint all of the internet even before Doubleclick acquisition. Acquisition of Doubleclick bought them way closer to building the biggest behavioral targeting network.

This is what these Privacy advocates are worried about.


According to CNET:

Privacy advocates are particularly worried that Google will merge the data from users' search queries with DoubleClick's records of people's general Web-surfing habits in order to build a centralized database of consumer profiles.

Google executives have said that for now, the company does not plan to merge personally identifiable information such as names and e-mail addresses, with search histories and Web-surfing habits. Rather, it hopes to combine both companies' (Google and Doublelclick) non-personally identifiable data, such as search histories and Web-surfing habits linked to a computer's IP address, so that it could better target advertisements.
But EPIC's argument is that an IP address can, with a little work, be linked to an individual, even if a name or address isn't associated with the IP number.
"Identity can be inferred," Marc Rotenberg, executive director for EPIC and author of the complaint, said in an interview with CNET News.com. "We believe that this complaint provides an opportunity for (the) FTC to look closely at whether the online-advertising industry provides adequate privacy protection for Internet users and (to) consider the privacy impact of non-personally identifiable information collected through search histories."
Source: CNET

We will have to wait and see how Google responds to this complain and the next steps by FTC. I will keep you posted as I get more information.

So what is the solution to all these privacy concerns?

I believe that if consumers are provided proper education (I will write about consumer benefits in one of my future posts) than they can infect benefit from Behavioral Targeting. It will be a win-win situation for all the parties involved. Proper education and disclosures by advertisers, publishers and networks will ease the concerns regarding Behavioral Targeting. Consumers have the right to opt out of Behavioral Targeting but what is lacking is proper education on how to do so. The networks currently opt-in users by default; however, in my opinion the proper process should be opt-out by default and opt-in if user chooses to opt-in, just like we do for emails and newsletters. This process will move the burden from users to the advertisers, publishers and networks.

In short run this could result in a lower reach for BT providers. But if the benefits to consumers are properly stated then most of the consumers will be willing to participate. If you (network or advertiser) tell a consumer that he/she does not need to go looking for deals or offers of products/services that he/she is in the market for, these deals/offers will be provided to him/her based on her online behavior no matter where in the network she is in, I think consumer will love it. If a consumer knows the process and she knows that she is willingly participating in the BT, the click-through rate on the ads will be higher too. Why force users into Behavioral Targeting and raise privacy concerns when you can offer them what they want (when they want) and make them your raving fans.