Archive for September 2nd, 2009

The Behavioral Tracker Registry: What it is not and what it needs to be

September 2, 2009

Today’s announcement of recommendations from a coalition of privacy advocates got a lot of press, which bodes well for a hearty legislative discussion. Some accounts have compared the new proposed “Behavioral Tracker Registry” to the Do-Not-Call registry the FTC operates to limit junk calling. The two actually are quite different.

The Do-Not-Call registry allows consumers to register their telephone number as one that does not want unsolicited calls. Any prospective marketing caller must screen out numbers on that list, or face legal penalties. The Behavioral Tracker Registry, as proposed, would not involve any consumer registration. Rather, it is the targeters who would need to register.

Here’s how the privacy coalition describes the registry:

The FTC should maintain an online registry of organizations that engage in behavioral tracking. Behavioral tracking organizations should be required to provide current information to the FTC registry that will, at a minimum:

a) contain technical information required so that consumers can opt out of tracking through tracking cookies, browser settings or extensions, and other methods.

b) appear online in a format so that third parties can develop consumer tools such as browser settings or extensions or tracking cookie management software that will automatically update from the registry.

c) include the name, physical address, and contact information of the BT company doing the tracking, along with information about how to file a complaint about the company or about its opt-out procedures.

d) include a complete description of the categories of consumer information collected, all online and other sources of consumer information, and the countries where the information is stored.

The essence of the proposal is dead-on right — tracking firms must identify themselves and facilitate third-party tools for consumers to block them. Consumers don’t need to register because their computers and devices can control who has access to their information. Hard to disagree with this, and we will work to develop those tools.

But there’s an important point missing from this formulation of a behavioral tracking registry. In my mind, the most important feature of a registry is this:

  • The tracking company identifies every domain they use in the course of behavioral targeting, and
  • The tracking company binds their privacy policy with those domains, by registering their privacy policy URL

It is easy enough to identify domains that serve content on pages and write cookies. What is usually more difficult is tracking down the network to which the domain belongs. By requiring trackers to claim the domains they use and confirm their privacy promises as to those activities, you create the infrastructure necessary for third-party tools to implement consumer preferences.
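As an added illustration (not part of the coalition's proposal or of this post), here is how a consumer tool could use such a registry to map a request's hostname to the company that claimed it and apply a per-company preference. The registry schema, company names and `.example` domains are constructed assumptions.

```javascript
// Constructed registry; the schema (company, policyUrl, domains) is hypothetical.
const REGISTRY = [
  { company: "AdNet One", policyUrl: "https://adnet-one.example/privacy",
    domains: ["adnet-one.example", "pixel-cdn.example"] },
  { company: "TrackCo", policyUrl: "https://trackco.example/privacy",
    domains: ["trackco.example", "PIXEL-CDN.example"] }, // duplicate claim
];

// Map each claimed domain to its registrant. A domain claimed by two
// companies is reported as a conflict and kept out of the index, not guessed at.
function buildIndex(registry) {
  const index = new Map(), conflicts = new Set();
  for (const { company, policyUrl, domains } of registry) {
    for (const d of domains.map((x) => x.toLowerCase().replace(/\.$/, ""))) {
      if (index.has(d) && index.get(d).company !== company) conflicts.add(d);
      else index.set(d, { company, policyUrl, domain: d });
    }
  }
  for (const d of conflicts) index.delete(d);
  return { index, conflicts: [...conflicts] };
}

// Walk the hostname's label suffixes, longest first, so that
// t.sync.adnet-one.example resolves to the registrant of adnet-one.example.
function resolveOwner(index, hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const hit = index.get(labels.slice(i).join("."));
    if (hit) return hit;
  }
  return null;
}

// Apply the user's per-company preference to one request URL.
// Unregistered hosts are allowed but labelled, so a tool can flag them.
function decide(index, blockedCompanies, requestUrl) {
  const owner = resolveOwner(index, new URL(requestUrl).hostname);
  if (!owner) return { action: "allow", reason: "unregistered" };
  const action = blockedCompanies.has(owner.company) ? "block" : "allow";
  return { action, company: owner.company, policyUrl: owner.policyUrl };
}

const { index, conflicts } = buildIndex(REGISTRY);
const prefs = new Set(["AdNet One"]); // companies the user opted out of
console.log(decide(index, prefs, "https://t.sync.adnet-one.example/p.gif"));
console.log("conflicting claims:", conflicts);
```

The conflict list shows why the registry has to bind each domain to exactly one registrant: a domain claimed twice cannot be tied to a single privacy policy.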

20 recommendations, 15 comments

September 2, 2009

I thought it might be useful to republish the text of the 20 recommendations (PDF) made today by a coalition of privacy groups, along with unsolicited (italicized) commentary from Yours Truly.

To protect the interests of Americans, while maintaining robust online commerce, Congress must enact clear legislation to protect consumers’ privacy online which implements Fair Information Practices. While these recommendations are not exhaustive, they do represent areas in which the leading organizations concerned with consumer privacy are in consensus. Consumer privacy legislation should include these main points (for more detailed recommendations, please see the Legislative Recommendations Primer):

• Individuals should be protected even if the information collected about them in behavioral tracking cannot be linked to their names, addresses, or other traditional “personally identifiable information,” as long as they can be distinguished as a particular computer user based on their profile. PC: Now the question is, what does “protected” mean?

• Sensitive information should not be collected or used for behavioral tracking or targeting. PC: Yes, and the government needs to crisply define what that means. Take a look at the privacy summaries for the top 10 ad networks to see how that varies in practice now.

• No behavioral data should be collected or used from children and adolescents under 18 to the extent that age can be inferred. PC: “Can be inferred” or “is inferred” would be the key distinction. They say you can identify the gender of a person within a few clicks across sites, perhaps the same is true for kids. This will be hard technically.

• The ability of websites and ad networks to collect and use behavioral data should be limited to 24 hours, after which affirmative consent should be required. PC: This is a somewhat indirect way of saying, behavioral targeting should always be on an opt-in rather than opt-out basis (except for retargeters). If this was the law, few if any of the other recommendations would be necessary. This feels like an opening negotiating position.

• Behavioral data should not be retained for more than 3 months. PC: Even with user consent (as required by the prior recommendation)? If so, that seems paternalistic.

• Pretexting should not be used to obtain personal or behavioral data from individuals.

• Behavioral trackers and targeters should adopt policies, as relevant, for the types of data that will be collected and how that information will be maintained and used, and clearly explain those policies on their websites. PC: That’s what is supposed to be happening now, but if you read this blog, you know compliance is spotty.

• Personal and behavioral data should not be used or disclosed in a manner that is inconsistent with published policies, except where required by law. PC: Although this doesn’t sound hard hitting, it’s actually a key point: to make it clear that published privacy policies are binding obligations of the companies that post them.

• Behavioral data shouldn’t be used in any way other than for the advertising purposes for which it was collected. PC: This is good, so long as there are meaningful disclosures of those purposes.

• Ads based on behavioral data should contain links to consumer-friendly explanations and controls. PC: It seems like the stage may be set for conflict on this point. The IAB self-regulatory principles agree that in-ad disclosure is good, but also allow for in-site disclosure, perhaps because it is less disruptive to the consumer experience and easier to use. In-ad disclosure puts the burden on the consumer to watch out for ads that might be tracking them, whereas meaningful and prominent in-site exposure gives consumers all of the relevant information about sites tracking them and the opportunity to opt out. See what an in-site privacy disclosure can look like with this example.

• A targeter or tracker that has personal or behavioral data should not use the data or compiled profile in a manner that could affect an individual’s credit, education, employment, insurance, access to government benefits or resources. PC: Well put and sensible.

• Neither personal nor behavioral data should be used in any way that would unfairly discriminate against an individual.

• Reasonable security safeguards against loss, unauthorized access, modification, disclosure and other risks should protect both personal and behavioral data.

• Individuals should have the right to confirm whether a data controller has their personal or behavioral data, request such data, and delete it. PC: Wouldn’t this only apply if the behavioral information is associated with personal information that would allow retrieval? Personally, I’d rather see a ban on those associations (unless consensual).

• Each organization involved in any behavioral tracking and targeting should be accountable for complying with the law and its own policies.

• Consumers should have the right of private action with liquidated damages. PC: Gulp. I would think there will be violent industry opposition to this. No doubt you would see more resources spent on compliance, but violations will be transparent to users, by and large, so where’s the recommendation on external auditing?

• Data collected for behavioral tracking or targeting should be protected by the constitutional safeguards that rule evidence collection. PC: No disagreement with that, although I don’t understand it either.

• The FTC should establish a Behavioral Tracker Registry. PC: If this means the equivalent of a Do-Not-Call registry, I have some technical questions. Tracking inherently operates at the machine or device level, which means any do-not-track implementation centers around giving the user technical tools (in browser) that either signify an opt-out decision or actually prevent tracking by blocking certain domains, and do so permanently. AKA Ghostery. Perhaps the law needs to be that behavioral trackers need to cooperate and not subvert these browser tools, and that their opt-out processes must remain open for folks (like us) to build privacy preference applications?

• There should be no preemption of state laws. PC: I’m sure there’s a fascinating story behind this one. Unfortunately, preemption caselaw makes my head hurt.

* * *

For those interested in diving deeper, here’s the full legislative analysis that was released with the recommendations.
