A flurry of recent events has focused attention anew on online advertising and privacy. Most significantly, the Administration has now come out in support of a "baseline" privacy law, and the Federal Trade Commission (FTC) is taking a bolder enforcement posture, highlighted by its recent settlement with Google over Google Buzz. Private industry is weighing in as well, with Microsoft announcing "anti-tracking" tools in its new version of Internet Explorer and other browser makers following suit. In this environment, businesses should examine whether their practices could bear regulatory scrutiny, with privacy policies up to date and any self-regulatory mechanism operating to provide meaningful privacy choices.
Now also is the time for businesses to consider participating in the policymaking process. This is particularly important for Internet publishers that rely on advertising to fund valuable (often free) online services, and which understand that self-regulation can work to address reasonable consumer interests.
Administration Support Gives Proposed Legislation a Boost
A recent hearing before the Senate Commerce, Science and Transportation Committee made clear that interest is growing in privacy legislation, particularly affecting online privacy but having implications for offline privacy as well.
- The Administration, speaking through a senior Commerce Department official, recommended national "baseline" privacy legislation, laying out a new policy position.
- Consumers should be able to stop tracking of their Internet activities, if they so desire, according to the FTC chairman, saying that consumers' "Do Not Track" choices should apply universally.
- Sen. John Kerry (D-MA), chairman of the Commerce Committee, said he will shortly introduce legislation establishing a consumer "privacy bill of rights," which could be a bipartisan effort with Sen. John McCain (R-AZ ).
In the background, two separate Senate Committees-the Commerce Committee and the Judiciary Subcommittee on Privacy, Technology and the Law-jockeyed over which panel has jurisdiction over online behavioral advertising. In addition, legislation has been introduced in the House of Representatives to implement "Do Not Track."
Legislation regulating business privacy practices could have profound effects on businesses large and small, both online and offline. For businesses-especially content publishers-that operate mostly online, regulation of online advertising could have adverse consequences on the bottom line.
The FTC Makes Good on Enforcement Warnings
In addition to taking an assertive policy position in the Senate, the FTC has announced two important enforcement actions regarding privacy.
Google launched Buzz in 2010 as its highly publicized foray into the rapidly growing social networking market. As part of the launch, Gmail users were greeted with a message announcing the service and providing the options "Sweet! Check out Buzz" and "Nah, go to my inbox." The FTC alleged that users who chose the "Nah" or the "Turn Off Buzz" options were still enrolled in certain Google Buzz features. Google also did not inform users who chose "Sweet!" that the service would reveal the identity of their most-emailed contacts by default.
Although Google had represented that it would use information from consumers signing up for Gmail only to provide a web-based email service, the FTC charged that it had used Gmail account information to populate its social networking service. The FTC also charged that the options available to users not interested in Buzz failed to disclose that some of their information would remain visible to others. Finally, the FTC charged Google with violating its obligations under the U.S.-EU Safe Harbor agreement to provide notice and choice before using consumer data for a purpose other than that for which it was collected.
Under the settlement, Google would be prohibited from making future misrepresentations about its privacy policies and about its compliance with the U.S.-E.U. Safe Harbor agreement. Each violation can result in a civil penalty of up to $16,000.
Google also agreed to establish a "comprehensive privacy program" to address privacy risks going forward. Furthermore, Google agreed to obtain "opt-in" consent prior to any new or additional sharing of user information with a third party that (1) is a change from stated sharing practices and (2) results from a changed, additional or enhanced product. Finally, Google agreed to independent audits of its privacy and data collection practices every two years for the next 20 years. Although the proposed FTC settlement does not involve a fine, last September Google agreed to pay $8.5 million into a privacy education fund to settle a class action lawsuit over Google's tactics used in introducing Google Buzz.
Second, in its first major settlement with an online ad company, announced March 14, the FTC accused Chitika Inc., an online advertising network, of engaging in deceptive privacy practices. Chitika is one of hundreds of companies that collects, sells and uses online tracking information about individuals online. It uses such information to target ads based on a consumer's likely interests.
In the settlement, Chitika agreed to allow consumers to opt-out from tracking and targeted ads for at least five years. The company must also delete identifiable user data collected about consumers whose opt-outs expired sooner than represented. Finally, the company must include a hyperlink in each targeted ad that would allow consumers to register "do not track" requests. To date, offering a consumer opt-out mechanism generally has not required providing an opt-out link in an online ad itself.
Microsoft Adds Enhanced Do-Not-Track to Internet Explorer 9
Against the backdrop of threatened legislation and enforcement action, industry continues to voluntarily offer consumers opportunities to opt-out from tracking. In the latest example, Microsoft Corp. announced in March that the upcoming release of Internet Explorer 9 (IE 9) will include certain "do-not-track" tools. First, IE 9 will block tracking by particular websites identified by a consumer (i.e., URLs identified on "Tracking Protection Lists"). In addition, IE 9 will allow consumers to send a generic request not to be tracked as they surf the web (e.g., a "do-not-track" header). Competing browsers, such as Mozilla's Firefox and Google's Chrome, will offer their own versions of "do-not-track" functionality. At present, it is unclear what impact these opt-out mechanisms will have on online advertising, as there is no clear legal duty to honor those mechanisms. However, website operators need to be mindful of the possibility that the FTC will take action to enforce consumer preferences registered via these mechanisms.