At the end of February, the heads of the Federal Trade Commission and the Federal Communications Commission announced their intention to “harmonize” the two agencies’ approach to privacy in an effort to develop a “comprehensive and consistent framework,” something that Digital Content Next and other industry groups have pushed for in the past.
Developing a consistent approach to consumer privacy would help to rebuild consumer trust in the digital ecosystem.
As the FCC and FTC begin this important work, we thought it would be useful to outline the framework developed by the Digital Advertising Alliance, the self-regulatory body for the U.S. digital marketplace. Comprising representatives from every category of company, the DAA developed a comprehensive set of principles which govern the collection and use of consumer data in the digital world. Importantly, the DAA’s thoughtful approach is technology-neutral — the principles apply whether a company collects data by using a cookie or by fingerprinting a device.
Rightly so, the DAA’s approach revolves around consumer expectations. Wherever consumers are likely to be surprised that their data will be collected and used, there are transparency and choice requirements for companies. Where transparency and consumer choice naturally exist, the DAA Principles do not prescribe duplicative measures.
First parties: When consumers visit www.washingtonpost.com, they would expect the Post to collect data about how they navigate the site. This data — collected by a first party or companies acting solely on behalf of the first party — is typically used to ensure the site is working properly or to recommend articles readers might be interested in. The Post might even track visitors on its site if it has reason to believe they are not human but rather bots that are part of a network attempting to take over the site.
If consumers don’t like being tracked by the Post on its site, they can complain to the Post’s consumer affairs department or, ultimately, leave the site. The Washington Post and other reputable website owners are acutely aware that consumers can go elsewhere for news and entertainment. The point is, consumers expect this kind of data collection and they have a choice about which sites they visit.
It’s important to note that a first party only gets this treatment for data collection and use on their own site. If a first party wants to retarget a consumer off their site, then they must abide by all the rules of third parties. Again, it all comes back to consumer expectations.
Third parties: On most sites with advertising, there are likely to be many companies collecting and using data to serve advertisements. Third parties can add a lot of value to a site. These third parties can help to deliver contextual or behaviorally-targeted advertising or to provide the means for consumers to share content via a social network. Google’s ad network, DoubleClick, serves a majority of advertisements (contextual and behavioral) across the web. DoubleClick is always a third party.
Wherever you see a Facebook “like” button, Facebook is considered a third party until the consumer intentionally interacts with the widget. For third parties, the DAA principles prohibit data collection and use for making decisions about insurance, employment, credit, or health care treatment eligibility. They also prohibit the collection and use of “financial account numbers, Social Security numbers, pharmaceutical prescriptions or medical records…without opt-in consent.”
For the collection and use of all other data, third parties are required to offer consumers the means to opt out. The DAA “power i” icon you see on ads is the most commonly used way of providing an opt-out. After a consumer opts out, third parties can still collect data for the benign purposes of IP protection, consumer safety, authentication and fraud prevention, billing, reporting, and market research or development.
So, the DAA strikes a healthy balance of prohibiting bad behavior that would lead to consumer harm (e.g., use of sensitive data without consent), allowing benign data collection that consumers would expect (e.g., fraud prevention) and providing consumers the opportunity to opt out of targeted advertising. In all fairness, consumer privacy advocates have concerns about the effectiveness of the DAA opt-out program — Ad Choices — but its principles of transparency and choice for third-party data collection are sound. Even the World Wide Web Consortium, a preeminent internet standards-setting body, has embraced a similar framework.
Service providers: Finally, the DAA Principles identify a third category of company, the “service provider.” This is any company that “collects and uses data from all or substantially all URLs traversed by a web browser across a website in the course of the entity’s activities as a provider of internet access service, a toolbar, an internet browser, or comparable desktop application or client software and not for its other applications and activities.” That’s a mouthful!
In layman’s terms, service providers are ISPs, mobile broadband providers, and browsers. It might also include Facebook because its “like” button and ad network are so pervasive. For these companies, the DAA sets a slightly higher bar. In addition to transparency, security and a prohibition on the use of sensitive data, the DAA stipulates that “Service Providers should not collect and use data for online behavioral advertising purposes without consent.” (DAA Self Regulatory Principles for Online Behavioral Advertising, p. 14, Section III. B. 1.)
Later in the document (p. 23), “consent” is defined as “an individual’s action in response to a clear, meaningful and prominent notice…” So, under the DAA, broadband providers and other companies that collect “all or substantially all” of a consumer’s activity on the web must offer more than just an opt-out; they must obtain consent from consumers.
As the DAA rightly recognized, consumers expect their broadband provider to collect data about how they use the internet to improve the service or to manage the network. But consumers don’t expect their ISP to be tracking them across the web in order to personalize advertising to them. What’s more, it’s not easy for a consumer to change an ISP or browser.
As the FTC and FCC look for ways to harmonize their approach to privacy, we hope they’ll adopt the collaborative framework built by industry leaders from every corner of the ecosystem. This consistent approach to consumer privacy will help set clear rules of the road for companies and help to build consumer trust.