On June 18, 2009, Congressman Rick Boucher (D-Va.) participated in a House subcommittee hearing on behavioral advertising, and gave an opening speech in which he outlined his desire to introduce behavioral advertising legislation for consideration by this Congress. In this speech, Congressman Boucher admitted to being both a supporter and beneficiary of targeted advertising, and he recognized that “online advertising supports much of the commercial content, applications and services that are available to Internet users without charge.” By his own admission, his proposed legislation will not disrupt this business model. The full text of Congressman Boucher’s speech can be read here.

In the approximately seven weeks since giving this speech, Congressman Boucher has revealed little about how he intends to craft legislation that is sensitive both to the commercial needs of online businesses and the privacy needs of consumers. Last week, in a speech given to The Congressional Internet Caucus Advisory Committee during the State of the Net West conference, Congressman Boucher gave a preview of the privacy bill he is planning to introduce in the near future.

Based upon the excellent recap from Professor Eric Goldman (who helped organize the event), and first-hand accounts of a number of twittering attendees, we can expect that Congressman Boucher’s bill will include:

  • A requirement to prominently post a privacy policy (which is something that any reputable web-based business should already be doing)
  • A split in treatment between “data sharing necessary to enable first party ads” and targeting based upon information shared with third parties. Users can opt-out of first-party targeted ads, but must opt-in to having their information shared on behavioral ad networks.
  • A grant of enforcement authority to both the FTC and state attorneys general

Clearly a lot remains to be seen with this proposed legislation, but a few initial questions come to mind. First, how will the "opt-in/opt-out" switch work? What kinds of user authentication will be required for this? Will it be more than just a simple screen name and password? Perhaps a social security number or other unique identifier so one cannot sign another up for behavioral tracking? But such a high level of user authentication may come with its own issues (e.g., security of SSNs).

Second, there may be issues with trying to define the difference between “data sharing necessary to enable first party ads” and "data sharing among behavioral networks." Will a distinction be made for corporate siblings or other affiliated entities? Consider Amazon.com’s “Recommended for You” program. At first blush, this may seem to be “first party” ad targeting. However, a consumer can easily purchase items from sellers that are not Amazon.com, but who use Amazon.com for their web infrastructure. If Amazon.com were to store this purchase history in your profile, would this be “first party” or “third party” information under the proposed bill? Will Amazon.com be required to treat this information differently from information gleaned from its own sales? Does it at all matter if the consumer doesn’t know or doesn’t care about the difference?

Finally, with industry groups like ANA and IAB promulgating self-regulatory codes of conduct, will there be room for self regulation in Congressman Boucher’s legislative regime?