FTC: Privacy Self-Regulation Not Enough, “Do Not Track” Needed

The Federal Trade Commission has released a draft report on privacy regulation, which says online advertisers and other companies have been too slow to adopt appropriate privacy rules. The report recommends a one-stop “do not track” mechanism built into websites or web browsers, which would allow consumers to turn off data collection about their online behavior. The agency admitted on Wednesday, however, that it doesn’t have the power to mandate such a move unless Congress changes the federal laws governing privacy.

FTC Chairman Jon Leibowitz said during a conference call about the report that while other legislators are talking about a budget deficit, the agency is “thinking about the privacy deficit American consumers suffer from.” In the 122-page report, entitled “Protecting Consumer Privacy in an Era of Rapid Change,” the commission says it wants to develop “a framework to balance the privacy interests of consumers with innovation that relies on consumer information to develop beneficial new products and services,” a comment clearly directed at companies that believe their ability to track and target users based on demographic information or web-surfing behavior is crucial to their digital livelihood. The report says:

Although many of these companies manage consumer information responsibly, some appear to treat it in an irresponsible or even reckless manner. And while recent announcements of privacy innovations by a range of companies are encouraging, many companies – both online and offline – do not adequately address consumer privacy interests.

Although the commission didn’t mention any companies by name, Facebook in particular has come under fire for the way it handles users’ information, including changes to its privacy settings and more recent developments such as the fact that user IDs were being sent to third-party companies. Facebook’s handling of user privacy triggered a letter to the FTC from four senators complaining about the company’s behavior. Some third parties associated with Facebook passed on user IDs to advertisers, and in the case of Rapleaf, the marketing database company connected those user IDs to other personally identifiable information from other sources (although Rapleaf said later that this was inadvertent and that it has stopped doing so).

The biggest news out of the report is that the FTC is pushing for a “do not track” function, similar to the “do not call” list that became law after years of aggressive telemarketing by companies. The agency said this would “likely be a persistent setting on consumers’ browsers, so consumers can choose whether to allow the collection of data regarding their online searching and browsing activities.” According to a recent report from the Wall Street Journal, the Mozilla Foundation, which is responsible for the Firefox browser, has been working on a standard for such a setting, and a House subcommittee is holding hearings this week on potential do-not-track proposals. The report says:

Such a universal mechanism could be accomplished by legislation or potentially through robust, enforceable self-regulation. The most practical method of providing uniform choice for online behavioral advertising would likely involve placing a setting similar to a persistent cookie on a consumer’s browser and conveying that setting to sites that the browser visits, to signal whether or not the consumer wants to be tracked or receive targeted advertisements. To be effective, there must be an enforceable requirement that sites honor those choices.

Many advertisers and websites already allow users to opt out of being tracked, by using a “cookie” file that’s read when the user visits a site. But this system “is clumsy and fails too often,” Jules Polonetsky of the Future of Privacy Forum told the Journal. A number of online advertisers have worked together to launch a site that allows users to opt out of more than 50 different ad networks and programs with a single click, but this also appears not to be broad enough to satisfy the FTC. As director David Vladeck noted at a conference organized by the non-profit group Consumer Watchdog before the report was released, many of these opt-out services prevent users from getting targeted ads, but they don’t stop advertisers or sites from collecting data.

A number of privacy groups submitted a report last month about the ways in which medical information sites, including Google and WebMD, track the search keywords, clicks and other data about users (including data from social networks) and then use that to serve targeted ads about specific medical conditions. Although the privacy groups made it clear they see this as bad, opinions differ on whether it’s always wrong for websites to offer information to users based on their interests and browsing behavior.

Some critics say they are concerned that implementing a “do not track” mechanism would require government regulation of browsers and website architecture, which is not only undesirable, but could provide a “backdoor” for governments to spy on the behavior of web users. The Technology Liberation Front also argues that some tracking of consumer behavior and activity is a necessary part of the way the web functions, since users get what amount to free services — such as email, photo hosting, discussion forums and other information — in return for accepting targeted advertising.

Leibowitz said the report was designed to give guidance to Congress around potential legislation, but was also intended to spark comments from the industry. The FTC will take those comments into account and release final recommendations next year. The commission director said the industry needs to “step up to the plate” in terms of regulating itself, and if changes were not forthcoming, he would support legislative changes to require a “do not track” mechanism. In a press conference following the release of the report, both the World Privacy Forum and EPIC called for the creation of a federal privacy agency, which would have authority to monitor and enforce legislation.
