FTC’s ‘Do Not Track’ Could Doom Web Marketing
December 3, 2010On December 1, the Federal Trade Commission issued a preliminary report on new standards for Internet privacy. A central element of the proposed new standards is a "Do Not Track" list that will allow individuals to opt out of having their online behavior and personal information used by individuals and companies other than the ones that own the Websites they are surfing.
The new standards, when formalized, could have wide repercussions on how the Web works — at least within the jurisdiction of the FTC. Especially hard-hit would be companies like Google (Nasdaq: GOOG) and Facebook that provide targeted advertising to users based on their sites’ personal profiles.
Up until now, how companies share user data with third parties around "behavioral advertising" has been mostly self-regulated by the industry. But that’s about to change, in response to ongoing concerns about consumer privacy raised in response to accidental disclosures like those made by Facebook, and cases where companies failed to properly disclose release of data to third parties, such as the case involving EchoMetrix. In that recently settled dispute, the company sold data it collected from its online child behavior monitoring service for parents to third parties and buried disclosure of the practice deep in the software license agreement.
The latest FTC report offers a broad framework for the standards that the agency hopes to rapidly put in place in 2011, and the commission is looking for feedback from industry and the public on the proposal.
Some of the proposed standards aren’t as much focused on technology as they are on business practices. The FTC wants companies to simplify consumers’ privacy choices and be more transparent about how they use collected information.
At the heart of the technical requirements is a proposed mandate to build privacy into sites from the ground up, securing user information from third parties and protecting it from inadvertent disclosure. On the back-end, the FTC wants companies to incorporate privacy protection into their sites through better data security, "reasonable collection limits" on personal data, better data retention policies, and data accuracy.
But the big wildcard in the proposed standard is the "Do Not Track" list. Pointing to the capabilities promised by systems like TRUSTe’s "TRUSTed Ads" platform and the Consumer Opt-Out page set up under the Self-Regulatory Program for Online Behavioral Advertising, the FTC is seeking an industry-wide opt-out capability for consumers — a centralized site like the "Do Not Call" registry where consumers can register to not be tracked by behavioral advertising.
The FTC’s proposed standard doesn’t apply to tracking behavior within a site for "first-party" purposes — so, for example, Amazon.com Inc. (Nasdaq: AMZN)’s recommendation system, as well as similar features of Facebook, wouldn’t be directly affected. But it could have an impact on affiliate programs, advertising networks, and other cross-site services that employ user tracking. And the privacy guidelines could also require companies like Facebook and Amazon to make major changes to how they handle personally identifiable information to protect users from "sidejacking" (as demonstrated by the FireSheep browser plug-in) and other potential accidental exposure of that data in transit. Browser developers might also have to take a look at how they cache and secure users’ personal information to prevent disclosure.
The impact on the economics of Internet advertising could be huge. Mike Zeneis, general counsel for the Internet Advertising Bureau, told The New York Times that the online advertising industry would suffer "significant economic harm" if the government controlled the "Do Not Track" list. He said there was the same sort of public response to the list as the "Do Not Call" list has gotten. That impact could change the value proposition of Internet advertising for marketers, and hit companies like Google and Facebook where it hurts.