Proposes Browser Setting So Consumers Can Make Choices About Online Tracking
The Federal Trade Commission told Congress today that while the Commission recognizes that consumers may benefit in certain ways from the practice of tracking consumers online to serve targeted advertising, the agency supports giving consumers a "Do Not Track" option because the practice is largely invisible to consumers, and they should have a simple, easy way to control it. The FTC proposes that Do Not Track would be a persistent setting on consumers' Web browsers.
David Vladeck, Director of the FTC's Bureau of Consumer Protection, told the House Committee on Energy and Commerce Subcommittee on Commerce, Trade and Consumer Protection that the practice of tracking consumers' activities online to target advertising, known as behavioral advertising, holds value for consumers because it supports content and services on the Web and delivers more personalized ads. He noted, however, that more transparency and consumer control regarding the practice are needed.
The testimony describes the FTC's efforts to protect consumer privacy for 40 years through law enforcement, education, and policy initiatives. It also provides highlights from the FTC staffs new report on consumer privacy, released yesterday, and proposes a framework to promote privacy, transparency, business innovation, and consumer choice.
The testimony states that while some in the industry have taken steps to improve consumer control of behavioral advertising, industry efforts have largely fallen short. Given the limitations of existing mechanisms, "the Commission supports a more uniform and comprehensive consumer choice mechanism for online behavioral advertising," sometimes referred to as "Do Not Track."
The most practical way to do that "would likely involve placing a setting similar to a persistent cookie on a consumers browser, and conveying that setting to sites that the browser visits, to signal whether or not the consumer wants to be tracked or receive targeted advertisements," according to the testimony.
The testimony states that such a mechanism could be accomplished through legislation or potentially through robust, enforceable self-regulation. "If Congress chooses to enact legislation, the Commission urges Congress to consider several issues," including:
It should not undermine the benefits online behavioral advertising provides consumers, including funding content and services;
Unlike the FTC's Do Not Call Registry for telemarketers, it should not require a registry of unique identifiers; rather, the Commission recommends a browser-based mechanism;
It should consider an option that lets consumers choose to opt out completely or to choose certain types of advertising they wish to receive or data they are willing to have collected about them;
The mechanism should be simple, and easy to find and use;
The FTC should be given Administrative Procedures Act rulemaking and the ability to fine violators to "provide a strong incentive for companies to comply with any legal requirements, helping to deter future violations."
The Commission vote approving the testimony and its inclusion in the formal record was 4-1, with Commissioner William E. Kovacic dissenting. Copies of the testimony can be found on the FTC's website and as a link to this press release.
The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC's online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,800 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC's website provides free information on a variety of consumer topics.
In testimony before the Senate Committee on Commerce, Science and Transportation, the Federal Trade Commission discussed its efforts to protect consumer privacy through enforcement actions, consumer education, and policy initiatives like the FTC staffs recent preliminary privacy report. The report proposes a framework to balance consumer privacy with industry innovation by: 1) building privacy protections into everyday business practices ("privacy-by-design"); 2) simplifying privacy choices for consumers; and 3)improving transparency with clearer, shorter privacy notices.
The Commission told Congress that industry stakeholders have made important progress in implementing Do Not Track, a mechanism proposed in the staff's preliminary privacy report last December that would allow consumers to choose not to have their Internet browsing tracked by third parties. The testimony noted that two of the major Internet browsers - Microsoft and Mozilla - "have recently announced the development of new choice mechanisms for online behavioral advertising that seek to provide increased transparency, greater consumer control, and improved ease of use."
"Do Not Track is no longer just a concept, it is becoming a reality," said FTC Chairman Jon Leibowitz. "It's encouraging to see companies responding positively to our call for more consumer choice about their online privacy."
The testimony notes that consumers may want to opt out of more than targeted ads. They may want to avoid having their browsing habits used for other purposes, including by prospective employers or insurers. An effective Do Not Track system would go beyond simply opting consumers out of receiving targeted advertisements; it would opt them out of having their behavior tracked online, the testimony states.
According to the testimony, five issues should be considered for any Do Not Track regime:
it should be implemented universally, so consumers do not have to opt out as they go from site to site;
the opt-out mechanism should be easy to find and easy to use;
any choices offered should be persistent and should not be deleted if, for example, consumers clear their cookies or update their browsers;
it should be effective and enforceable; and
it should let consumers opt out of being tracked for reasons other than commonly accepted uses, such as fraud prevention.
The call for Do Not Track in the staff's preliminary privacy report is only one component of the FTC's agenda to protect consumer privacy. The testimony states that protecting consumers' privacy has been a Commission priority for 40 years. "During this time, the Commission has employed a variety of strategies to protect consumer privacy, including law enforcement, regulation, outreach to consumers and businesses, and policy initiatives."
According to the testimony, in the last 15 years, the FTC has brought more than 300 privacy-related actions, including: 32 data security cases, 64 cases against companies for improperly calling consumers on the Do Not Call registry, 86 cases against companies for violating the Fair Credit Reporting Act (FCRA), 97 spam cases, 15 spyware (or nuisance adware) cases, and 15 cases against companies for violating the Children's Online Privacy Protection Act (COPPA). Where the FTC has authority to seek civil penalties, it has aggressively done so. It has obtained $60 million in civil penalties in Do Not Call cases; $21 million in civil penalties under the FCRA; $5.7 million under the CAN-SPAM Act; and $3.2 million under COPPA.
In addition, the FTC has been aggressive in its efforts to educate consumers and business about their rights and responsibilities in protecting consumer privacy. Most recently, the FTC released a consumer education publication on the safe use of wi-fi hot spots. The publication, available on the FTC and OnGuard Online websites, explains that when using wireless networks, consumers should convey personal information only if it is encrypted - either through an encrypted website or a secure network. The piece notes that an encrypted website is one whose URL begins with "https." rather than "http," it further notes that in order to be secure, a wi-fi network must be password-protected.
In December 2010, FTC staff proposed a framework for protecting consumer privacy to inform policymakers and industry as they develop steps to improve consumers privacy protection. The proposed framework included three main concepts.
First, the staff proposed that companies adopt a "privacy by design" approach by building privacy protections into their everyday business practices. Such protections include providing reasonable security for consumer data, collecting only the data needed for a specific business purpose, retaining data only as long as necessary to fulfill that purpose, safely disposing of data no longer in use, and implementing reasonable procedures to promote data accuracy.
Second, the staff proposed that companies provide simpler and more-streamlined choices to consumers about their data practices. To be most effective, choices should be clearly and concisely described and offered at a time and in a context in which the consumer is making a decision about his or her data.
Third, the staff report proposed a number of measures that companies should take to make their data practices more transparent to consumers. For instance, in addition to providing the contextual disclosures described above, companies should improve their privacy notices so that consumers, advocacy groups, regulators, and others can compare data practices and choices across companies, thus promoting competition among companies.
The Commission vote to approve the testimony was 4-1, with Commissioner William E. Kovacic dissenting. Copies of the testimony can be found on the FTCs website and as a link to this press release.
The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC's online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,800 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC's website provides free information on a variety of consumer topics. "Like" the FTC on Facebook and "follow" us on Twitter.
The FTC put the online advertising and user tracking industry on notice Monday that it's time to clean up its act and start treating users' data with respect, laying out broad guidelines for companies to follow. But the agency stopped short of calling for federal regulation of online data collectors, amid protests from online companies that regulation would kill a vibrant industry.
The report adds more weight to the Commerce Department's own recent report and the White House's call for an online bill of rights. The FTC's report (.pdf) outlines broad principles that the FTC wants browser makers, ISPs, online ad companies, search engines and social networks - as well as offline data collecting entities - to pledge to obey.
Companies that do pledge to obey the code, but then fail to uphold them, could then be investigated by the FTC for "unfair business practices," much as the FTC has fined and penalized companies for violating their own privacy policies (even though there's no national requirement to publish a privacy policy). That's how the FTC imposed 20-year privacy audits on both Facebook and Google - using their own privacy policies against them.