Senator Rockefeller (D-WV) recently introduced a bill entitled the “Do-Not-Track Online Act of 2013” (hereinafter, the DNT Act). The main purpose of the DNT Act is to require the Federal Trade Commission (FTC) to promulgate rules and regulations to govern data brokers and to provide users with more choice over the information that is gathered about their online browsing activities through website tracking technologies. Although the DNT Act was initially introduced two years ago, there was no movement in the Senate because industry groups had agreed to work together to address online behavioral advertising and Internet user tracking. Because industry groups failed to make substantial progress, Senator Rockefeller determined that it was time for the FTC to step in to regulate this area.
The DNT Act sets forth the specific steps the FTC must take to create standards for a do-not-track mechanism, along with accompanying rules and exceptions to those rules, and defines the penalties for violations of the rules promulgated under the Act. Specifically, the DNT Act sets forth the following:
FTC Requirements. Under the DNT Act, the FTC will be required to do the following:
- Promulgate regulations that set standards for the creation of a do-not-track mechanism by which a user could indicate his/her preferences regarding having personal information collected by providers of online services and mobile applications and services; and
- Establish rules that govern providers of online services and mobile applications and services to require them to respect user preferences that are relayed via the established mechanism.
In developing the standards for a do-not-track mechanism, the FTC is instructed to consider a number of factors including the covered conduct, technical feasibility, cost, mechanisms currently in place, and how to publicize a newly developed mechanism.
Exceptions. The DNT Act provides for two exceptions to the rule requiring providers to recognize the established do-not-track mechanism. Specifically, providers may collect information from those users that have opted out using the mechanism if:
- The collection is necessary to provide a requested service and the collected information is either anonymized or deleted upon provision of such service; or
- The user is provided with clear, conspicuous, and accurate notice and provides his/her affirmative consent.
The FTC is instructed to more fully define the above and determine what standards would apply to the exceptions. Additionally, the FTC is instructed to consider what would be considered “anonymized data” and how information can be collected on a truly anonymous basis so that it can be exempt from the requirements of the established rules.
Violations of the DNT Act will be treated as unfair and deceptive acts and practices under Section 18(a)(1)(B) of the FTC Act and the FTC would be granted the authority to pursue such violations under the FTC Act. States would also be permitted to prosecute violations of the Act as long as they provide the FTC with appropriate notice. The FTC is permitted to intervene in State actions under the Act. The maximum liability for violation of the Act is currently set at $15 million but will be adjusted for inflation.
All data brokers and businesses involved in online behavioral advertising should be aware of the DNT Act. If passed, the relevant FTC regulations could have a large impact on the way that such companies do business.