Privacy and Online Data Collection: At a Crossroads?

In 2010, however, there were a number of key developments that suggest that momentum may be building toward enactment of comprehensive federal data-privacy legislation. In the span of a few short months, the FTC and Department of Commerce (“DOC”) each released preliminary reports on consumer data privacy, two House bills were released (although one simply for discussion purposes), and an Executive Branch Task Force on Privacy was created. The approach taken in each of these efforts signals two important paradigm shifts in the debate over data-privacy protection in the United States.

The first shift relates to whether data-privacy regulation will hinder the development of new technologies by creating regulatory roadblocks, or will enhance their adoption by providing consumers with a necessary level of comfort regarding the use of their personal information. Those arguing against regulation assert that behavioral advertising, in which users receive targeted ads based on their online behavior, is what enables sites to offer free content and that any restrictions in this regard could have far-reaching repercussions. Nonetheless, regulators appear to be accepting the concept that data-privacy regulation may be essential to enhance technology adoption.

The second paradigm shift concerns the question of whether industry self-regulation provides a viable alternative to federally imposed regulation. Some regulators argue that the online industry has failed to provide adequate notice as to how personal information is being used and has failed to provide consumers with readily accessible means of opting out of such use. Although the door to industry self-regulation has by no means been shut, there is a clear sense that patience with this approach may be waning in Washington.

These important paradigm shifts can be attributed to two technology developments that are redefining data privacy in the digital age: the use of seemingly nonidentifiable information to “identify” an individual, and the ability of multiple entities to track a user's behavior without the user being aware of it.

Historically, while privacy advocates and the business community have differed on many issues, there was one question that was rarely in doubt: the definition of personal data. Such data were typically defined as information that could identify a specific individual, such as name and address. Recently, however, sophisticated data algorithms have allowed companies to “identify” consumers by tracking their activity on specific devices without knowing the consumers' actual names. For example, because each mobile device has a unique identifier, a company might be able to construct detailed personal information about the user of a specific mobile device, without ever learning the name of the device owner. Also, the advent of location-based information allows companies to pinpoint a user's real-time physical location and possibly track where he or she lives, works and regularly shops. The issue has become more pronounced as increasing numbers of consumers have unique devices (smartphones, tablet computers, etc.) that they do not share with multiple users, thereby allowing a device to be associated with a single individual.

Regulators must also address the fact that a consumer's behavior and personal information is increasingly being tracked by many more companies than the primary site that the consumer is visiting. Secondary, and even tertiary, players often form complex ad networks that track such data without the consumer, or even primary site, knowing about it. Moreover, data is often collected by one entity and then sold through data or ad “exchanges” to another entity that will then use that data to display a targeted ad.

Legislative Solutions

These paradigm shifts are reflected in the current debate over the need for comprehensive data-privacy legislation. For example, a House bill that was released for discussion in May 2010, and a second that was introduced in July 2010, each include device identifiers, preference profiles and browsing histories as forms of “personal information” that would be protected, even absent the name of the user. In addition, location information would be deemed “sensitive data” ' a category usually relegated to information such as medical records and religious beliefs ' and subject to affirmative opt-in consent before it could be used. See, Best Practices Act of 2010, H.R. 5777, 111th Cong. '2 (2010); www.house.gov/apps/list/press/il01_rush/h_r_5777_the_best_practices_act_2010.pdf; [Staff Discussion Draft], H.R. __, 111th Cong. '2 (2010), www.ana.net/advocacy/getfile/15698.

Along similar lines, the FTC's recent preliminary staff report proposes a “Do Not Track” mechanism that would allow consumers to opt out of their data being used for online behavioral advertising. The FTC describes “Do Not Track” as a permanent setting, stored by the user's browser, that would indicate that a consumer did not want to be tracked. The FTC notes that regulation would be required to ensure that companies honor consumer selections but suggests that “robust, enforceable self-regulation” may be an alternative to legislation. See, FTC, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers at 66 (2010); www.ftc.gov/os/2010/12/101201privacyreport.pdf.

The House bills and agency proposals diverge with respect to selling or sharing consumer information. The bills take a hard line and would generally require companies to obtain affirmative opt-in consent before disclosing consumer information to unaffiliated third parties. Furthermore, consumers would be permitted to revoke their consent at any time. See, H.R. 5777 '104; H.R. __ '3(b). But the FTC report notes concerns that such restrictions could constrain not only data exchanges, but also content providers and other companies that directly or indirectly rely on data sale for revenue. Instead, both the FTC and DOC favor clearer notice to consumers regarding the sale of their information but do not propose explicit regulation in this area. See, DOC, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework at
31 (2010); www.commerce.gov/sites/default/files/documents/2010/december/iptf-privacy-green-paper.pdf.

Consumer-Based Solutions

On the self-regulation front, new initiatives to inform and empower consumers are emerging. For example, a variety of trade groups have collaborated to develop the aboutads.info initiative, which would display an icon on targeted ads to inform consumers about the collection and use of their information and allow them to opt out. In addition, new technologies, including browser features and stand-alone software, are being developed to enable consumers to better detect and control tracking of their online activities. Industry standards could also offer the flexibility of public-private collaboration and enhance consumer awareness and control without stifling innovation. The DOC report, for example, contemplates voluntary enforceable codes of conduct to be developed by collaboration between regulators and industry groups, and that would provide complying companies with a “safe harbor” against enforcement actions. One challenge that remains, however, is determining which party is responsible for providing notice to consumers when the entity collecting the data is unrelated to the entity that is ultimately using the data to display a targeted ad.

Conclusion

Several key questions about online privacy and the appropriate scope of regulation (if any) remain unanswered. Indeed, both the FTC and DOC report include extensive requests for further study regarding online privacy issues. Most important, it remains difficult to discern whether consumers even care, from a privacy perspective, about the collection and use of their information. A consumer researching new car information may not be concerned that his or her behavior is being tracked and shared with advertisers or other sites. However, that same consumer may feel far differently if the behavior being tracked relates to political issues or medical conditions he or she is researching. Similarly, a consumer using location-based services might be willing to disclose his or her location data to receive targeted ads from local establishments, but may be unwilling to allow that same data from being traded on data exchanges for use by unrelated services. The reality is that consumers are themselves still determining where they want this line to be drawn. Until some type of consensus emerges, the tension between online data collection and data privacy will likely remain.

During the past two years, the collection of personal information through a consumer's online activities has expanded to unprecedented levels. This is due, in part, to a proliferation of new devices through which consumers disclose personal information, and also to increasingly sophisticated behavioral analytics. In response, regulators and legislators are beginning to consider more closely whether comprehensive federal data-privacy legislation is appropriate. This article explores these unfolding developments and the challenges they present to regulators, consumers and the online business community.

Self-Regulation

Data privacy is protected in the United States today through an amalgamation of industry self-regulation and legislation. Specific laws cover certain “high risk” data ' primarily financial, credit and health information, as well as information concerning minors. However, other personal information is generally protected only if an entity engages in “deceptive trade practices,” thereby coming under the enforcement powers of the Federal Trade Commission (“FTC”) or, in certain cases, state attorneys general or private actions by individuals.

In 2010, however, there were a number of key developments that suggest that momentum may be building toward enactment of comprehensive federal data-privacy legislation. In the span of a few short months, the FTC and Department of Commerce (“DOC”) each released preliminary reports on consumer data privacy, two House bills were released (although one simply for discussion purposes), and an Executive Branch Task Force on Privacy was created. The approach taken in each of these efforts signals two important paradigm shifts in the debate over data-privacy protection in the United States.

The first shift relates to whether data-privacy regulation will hinder the development of new technologies by creating regulatory roadblocks, or will enhance their adoption by providing consumers with a necessary level of comfort regarding the use of their personal information. Those arguing against regulation assert that behavioral advertising, in which users receive targeted ads based on their online behavior, is what enables sites to offer free content and that any restrictions in this regard could have far-reaching repercussions. Nonetheless, regulators appear to be accepting the concept that data-privacy regulation may be essential to enhance technology adoption.

The second paradigm shift concerns the question of whether industry self-regulation provides a viable alternative to federally imposed regulation. Some regulators argue that the online industry has failed to provide adequate notice as to how personal information is being used and has failed to provide consumers with readily accessible means of opting out of such use. Although the door to industry self-regulation has by no means been shut, there is a clear sense that patience with this approach may be waning in Washington.

These important paradigm shifts can be attributed to two technology developments that are redefining data privacy in the digital age: the use of seemingly nonidentifiable information to “identify” an individual, and the ability of multiple entities to track a user's behavior without the user being aware of it.

Historically, while privacy advocates and the business community have differed on many issues, there was one question that was rarely in doubt: the definition of personal data. Such data were typically defined as information that could identify a specific individual, such as name and address. Recently, however, sophisticated data algorithms have allowed companies to “identify” consumers by tracking their activity on specific devices without knowing the consumers' actual names. For example, because each mobile device has a unique identifier, a company might be able to construct detailed personal information about the user of a specific mobile device, without ever learning the name of the device owner. Also, the advent of location-based information allows companies to pinpoint a user's real-time physical location and possibly track where he or she lives, works and regularly shops. The issue has become more pronounced as increasing numbers of consumers have unique devices (smartphones, tablet computers, etc.) that they do not share with multiple users, thereby allowing a device to be associated with a single individual.

Regulators must also address the fact that a consumer's behavior and personal information is increasingly being tracked by many more companies than the primary site that the consumer is visiting. Secondary, and even tertiary, players often form complex ad networks that track such data without the consumer, or even primary site, knowing about it. Moreover, data is often collected by one entity and then sold through data or ad “exchanges” to another entity that will then use that data to display a targeted ad.

Legislative Solutions

These paradigm shifts are reflected in the current debate over the need for comprehensive data-privacy legislation. For example, a House bill that was released for discussion in May 2010, and a second that was introduced in July 2010, each include device identifiers, preference profiles and browsing histories as forms of “personal information” that would be protected, even absent the name of the user. In addition, location information would be deemed “sensitive data” ' a category usually relegated to information such as medical records and religious beliefs ' and subject to affirmative opt-in consent before it could be used. See, Best Practices Act of 2010, H.R. 5777, 111th Cong. '2 (2010); www.house.gov/apps/list/press/il01_rush/h_r_5777_the_best_practices_act_2010.pdf; [Staff Discussion Draft], H.R. __, 111th Cong. '2 (2010), www.ana.net/advocacy/getfile/15698.

Along similar lines, the FTC's recent preliminary staff report proposes a “Do Not Track” mechanism that would allow consumers to opt out of their data being used for online behavioral advertising. The FTC describes “Do Not Track” as a permanent setting, stored by the user's browser, that would indicate that a consumer did not want to be tracked. The FTC notes that regulation would be required to ensure that companies honor consumer selections but suggests that “robust, enforceable self-regulation” may be an alternative to legislation. See, FTC, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers at 66 (2010); www.ftc.gov/os/2010/12/101201privacyreport.pdf.

The House bills and agency proposals diverge with respect to selling or sharing consumer information. The bills take a hard line and would generally require companies to obtain affirmative opt-in consent before disclosing consumer information to unaffiliated third parties. Furthermore, consumers would be permitted to revoke their consent at any time. See, H.R. 5777 '104; H.R. __ '3(b). But the FTC report notes concerns that such restrictions could constrain not only data exchanges, but also content providers and other companies that directly or indirectly rely on data sale for revenue. Instead, both the FTC and DOC favor clearer notice to consumers regarding the sale of their information but do not propose explicit regulation in this area. See, DOC, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework at
31 (2010); www.commerce.gov/sites/default/files/documents/2010/december/iptf-privacy-green-paper.pdf.

Consumer-Based Solutions

On the self-regulation front, new initiatives to inform and empower consumers are emerging. For example, a variety of trade groups have collaborated to develop the aboutads.info initiative, which would display an icon on targeted ads to inform consumers about the collection and use of their information and allow them to opt out. In addition, new technologies, including browser features and stand-alone software, are being developed to enable consumers to better detect and control tracking of their online activities. Industry standards could also offer the flexibility of public-private collaboration and enhance consumer awareness and control without stifling innovation. The DOC report, for example, contemplates voluntary enforceable codes of conduct to be developed by collaboration between regulators and industry groups, and that would provide complying companies with a “safe harbor” against enforcement actions. One challenge that remains, however, is determining which party is responsible for providing notice to consumers when the entity collecting the data is unrelated to the entity that is ultimately using the data to display a targeted ad.

Conclusion

Several key questions about online privacy and the appropriate scope of regulation (if any) remain unanswered. Indeed, both the FTC and DOC report include extensive requests for further study regarding online privacy issues. Most important, it remains difficult to discern whether consumers even care, from a privacy perspective, about the collection and use of their information. A consumer researching new car information may not be concerned that his or her behavior is being tracked and shared with advertisers or other sites. However, that same consumer may feel far differently if the behavior being tracked relates to political issues or medical conditions he or she is researching. Similarly, a consumer using location-based services might be willing to disclose his or her location data to receive targeted ads from local establishments, but may be unwilling to allow that same data from being traded on data exchanges for use by unrelated services. The reality is that consumers are themselves still determining where they want this line to be drawn. Until some type of consensus emerges, the tension between online data collection and data privacy will likely remain.