FPF Icon Project Cited By EU Article 29 Working Party

The EU Article 29 Working Party has issued an opinion on the need under EU law for consumer opt-ins for behavioral advertising that involves online tracking. Our friends at Hogan Lovells have provided this analysis on their blog.  In calling for “simple and effective mechanisms for users to affirmatively give their consent for online behavioral advertising,” the Working Party cited the work of the Future of Privacy Forum in creating a user-friendly mechanism for notice and consent, and encouraged industry to engage in a dialogue with data protection authorities on ways to effectively and efficiently implement the opt-in requirement.  Just as the Future of Privacy Forum has contributed to the discussion of empowering consumers in the behavioral advertising space in the United States, we look forward to sharing our perspectives during the EU dialogue.

Tying IP Addresses to Offline Data

This morning Media Post’s Wendy Davis reported on ClearSight Interactive’s new behavioral targeting platform, which allows marketers to target Web users based on the profiles associated with their specific neighborhoods. FPF’s Co-Chair and Director, Jules Polonetsky, was quoted as saying, “[The practice] strains the limits of sanity to think that someone with a straight face would claim that users have opted in to being labeled ‘impotent.’ … This appears to be exactly the kind of behavior that regulators want to see constrained.”

The Future of Privacy Legislation: A Conversation with Congressmen Rick Boucher and Cliff Stearns

On Wednesday, Representatives Rick Boucher (D-VA) and Cliff Stearns (R-FL), Chairman and Ranking Member of the House Subcommittee on Communications, Technology and the Internet, spoke exclusively with the Future of Privacy Forum and a select group of privacy advocates, academics, and members of the business community about the discussion draft of privacy legislation the Congressmen released on May 4.  The event was held in the Cannon House Office Building and more than a hundred participants joined either in person or via teleconference.

FPF is extremely grateful to all those who attended, and most importantly to Reps. Boucher and Stearns for their candor and willingness to participate in such a robust discussion about the future of consumer privacy legislation.

Below are several topics that were discussed during the event and some very pertinent quotes from the Congressmen.

Privacy Legislation:

The Congressmen stated that they published the bill in draft form because they wanted to receive and consider the input of public and private stakeholders before the bill’s formal introduction in Congress, and said that they have received more than seventy comments to date.  Congressman Boucher emphasized that he would like to move forward as soon as possible, but given that he wanted to take time to read and synthesize all the comments, a bill would not likely be introduced before the end of July: “When we have that satisfaction with our committee, bipartisan congressmen and stakeholders, we’ll move forward,” explained Boucher. “It is optimistic to think this will happen by end of July.  We’ll spend time digesting and thinking and seeing what level of support we can expect to receive.”

As Congressman Boucher explained, “There is a lot of concern about what information is collected and how information is shared. The lack of understanding about practices leads to a lack of trust for online consumers.”  According to the Chairman, “Our goal is to resolve the uncertainty, and to provide fundamental privacy assurances that will lead to more levels of Internet utilization.”  He added that this legislation is not designed to regulate the Internet but to provide privacy guarantees that will enhance users’ experience on the Internet.

The draft legislation aims to set baseline standards for all entities regarding how they collect, use, and share personal information in both the online and offline contexts, while recognizing that best practices are already being implemented by the largest, most reputable companies.

Targeted Advertising:

Congressman Boucher explicitly noted that his bill will not inhibit targeted advertising: “We’re internet advocates.  This is not a measure designed to regulate the internet in any way. It is designed to provide the privacy guarantees that will enhance the internet experience and lead to a greater willingness to trust online transactions.  We are not seeking to impose barriers or to inhibit targeted advertising.   We respect targeted advertising.  It is the model today that has been highly successful and it enables a lot of a very useful content to be provided for free to internet users. We don’t want to inhibit that.”

Opt-In and Opt-Out Requirements:

Congressman Boucher explained the thought process behind the opt-in and opt-out requirements included in the legislation: “The first clear requirement that we have is prominent disclosure by all entities that collect information of the information that is collected, how that information is used and the circumstances under which, and the ability, at least generically of the individuals of whom that information is collected. We then provide as a second major principle control over the collection and use practice on the part of the individual from whom the information is collected.

We generally apply an opt-out principle and the mechanism for control. We apply opt-out, for example, to all first-party transactions. We apply opt-out to interactions between a first party and a service provider, whose services are necessary to complete the first party transaction. That information is subject to opt-out. We apply opt-out to affiliates of the first party, [and] we apply opt-out and exemptions generally for operational and transactional collection of sharing. We apply opt-in in limited instances and those instances fall into two categories: First of all, sensitive information. We define that as information that is very personal to the individual, such as financial information, medical information, information about children and adolescents, geographic location-specific information. For the most sensitive information, opt-in would be required before that could be collected or used. The second major way in which we apply opt-in is that it would generally apply to the sharing of information with unaffiliated parties. But we have a major exception to that requirement: the sharing of information with unaffiliated parties. Advertising networks, for example would be permitted under the ‘opt-out’ principles where those advertising networks or similarly situated parties follow the best business practices.

Let’s be specific about what these are. These are opt-out if each advertisement that is received from any of the entities on an advertising network has a link associated with that ad that identifies the derivation of the ad, and says that it stems from the creation and use of a preference profile. And this provides access to the preference profile. And the opportunity for that user to modify that profile. So access to the profile, and the opportunity to modify would be the first requirement. Second requirement is that those advertisements have a link associated with it that enables upon activation the elimination of information sharing about that individual within the advertising network. So the individual could choose not to have the individual about them distributed within the advertising network. If those two requirements are met—and I’ll stress again, these are requirements that are in practice today by some advertising networks, then opt-out would apply with regard to information sharing, even among the unaffiliated parties.”

Privacy Notices and Privacy Policies:

Prompted by a question about the length of privacy policies from FPF Co-Chair Christopher Wolf, Congressman Stearns discussed the issue at length: “As policymakers, Rick and I have to decide to what degree to do and what degree not to do.  When I had these hearings and recognized how difficult it was to come up with a privacy bill, I almost thought that a “Good Housekeeping” seal of approval—let the private sector develop this seal of approval by talking to the Federal Trade Commission, and the FTC would give them a seal and they would use that on the webpage so that the consumer, rather than reading through the long contract about privacy, he could just use that seal of approval and that would be sufficient.

This is sort of the easy way out on this, because then the private sector is doing it and we don’t have the FTC issuing fines or perhaps we don’t have complicated bills.  But at the same time, some of this, as Rick pointed out, sometimes the consumer has a right to know what they are collecting and he or she should be able to opt-out of that collection.”

Stearns went on to explain that, “When we had a hearing they [the FTC] could not answer when and where the dialogue boxes should come up.   It didn’t come up at that point the legal language, but many of us don’t read the privacy forums that are popping up now because there is so much legalese.  So I think what you need is a general understanding of what the dialogue boxes contain, and sort of a checklist if that’s in there.  There’s got to be something so that the consumer doesn’t have to read the legal contract in detail, because one: he or she won’t know what it means; and two: it’ll scare them.  We don’t want in the long run to have consumers deterred from using the internet through these dialogue boxes that pop up that are hugely legalese.  So in the end it’s got to be up to the FTC but at the same time consumer friendly, so in the end we don’t feel as though we’re putting ourselves in a legal situation.”

Congressman Boucher added, “We are in an almost daily conversation with the FTC about privacy principles.” Boucher also noted that the FTC would have final say over the regulations of the bill, including the language of the privacy notices.

Innovation with Notices:

FPF Co-Chair Jules Polonetsky highlighted the inclusion of better transparency and control tools that appear to be a piece of the draft legislation, which would mirror the recent development of the “Power-I icon,” which was created by FPF and WPP in the past year.  This discussion prompted Congressman Boucher’s comments about how similar innovations are already appearing in the mobile technology sphere: “Many of the mobile providers have already begun a very productive consideration of how to ensure and enhance levels of privacy.  I’m reminded, for example, of the universal “opt-in” that occurs when you start a Smartphone for the first time.  It basically says, ‘Do we have the permission to track your geographic location for various applications that you may decide to employ on this device?’ … With one click affirmatively at that point [users] can decide to allow the tracking of geographic-specific information.”

US vs. EU

Congressmen Boucher and Stearns noted that even if privacy legislation is enacted, the FTC would still have the discretion to bring enforcement actions regarding the language and manner of privacy disclosures (including for Apps and mobile devices, which they also confirmed are covered by the draft bill).  They also discussed privacy regulation in general and the compatibility of European and global standards – commenting that despite supposedly stricter privacy regimes overseas, enforcement is more robust in the United States – and stated that their legislation would aim to honor practical applications over cumbersome regulatory policy.

As Boucher stated, “We are not looking to imitate the EU. We want a lighter regulatory touch. The EU has always honored the law over practical applications.”

Stearns added, “EU privacy policy is very onerous. We don’t want the same burden. So I don’t think you can ever make them happy. We don’t want that in the U.S. [and] that’s why [the] lite draft bill is good.”

June 25, 2010 – House Panel Wants Apple To Explain Privacy Changes, Sci-tech-today

June 18, 2010 – Supremes: Stop (texting) in the name of love, eCampusNews

FPF's Comments in Response to Department of Commerce Privacy NOI

The Department of Commerce is examining the nexus between privacy and innovation in the Internet economy, as reflected in its recent Notice of Inquiry (NOI) to which the Future of Privacy Forum submitted this document.  After detailing the importance of privacy to the success of the Internet economy, our submission provides examples of innovations in online privacy such as:

We also identify areas of needed online privacy improvement such as:

Finally, we make suggestions on ways the Department of Commerce can exercise leadership to advance online privacy.

To read the full comments from FPF click here!

A New “Must-Read” for Smart Grid Enthusiasts

This morning, I moderated a panel at the Computers Freedom and Privacy Conference entitled, “The Smart Grid: Can we be smart and private?” and focused on the privacy challenges and opportunities posed by the development of the smart grid.

We at FPF have been working on smart grid issues for the last year and were pleased to co-author a white paper, Privacy by Design: Smart Privacy for the Smart Grid, with Ann Cavoukian, Ontario Privacy Commissioner and FPF advisory board member.  The Commissioner is now out with a follow-up to our initial publication; this one developed in partnership with Hydro One and Toronto Hydro, two of the major electrical utilities in Ontario.

The whitepaper, “Privacy by Design: Achieving the Gold Standard in Data Protection for the Smart Grid,” is a must-read for policy makers, businesses, media and anyone else who gives a hoot about the future of the grid.   As usual, Commissioner Cavoukian shows how business goals can be achieved in a manner that respects privacy.

Getting this right is essential, since data flows are critical to the success of the grid’s goals of effective power management, improving the environment, green jobs, economic savings and unleashing innovation in the home.

Jules Polonetsky

June 17, 2010 – High court: Go ahead, search cop’s sexy texting, BusinessWeek

Guest Blog on Privacy Safe Harbors

The following is a guest post to the FPF Blog from Ira Rubinstein, a Senior Fellow at the Information Law Institute and Adjunct Professor at New York University School of Law.

In early May, Reps. Rick Boucher (D-VA) and Cliff Stearns (R-FL) released a discussion draft of comprehensive privacy legislation. The draft bill would require companies that collect and use personal data to disclose their privacy practices and obtain consent for various uses of such data, including express consent for the collection or use of sensitive information. The bill also regulates online ads and specifically addresses targeted ads based on a user’s Web browsing history. Section 3(e) requires opt-in consent for third-party information sharing (e.g., with advertising networks) but offers a very narrow “safe harbor” exception for firms that follow certain defined practices (such as allowing a person to manage their preference profiles and to opt-out of receiving targeted ads).

Safe harbors are a very powerful regulatory instrument. In what follows, I offer some fairly radical ideas for greatly expanding the use of safe harbors in privacy law by adopting a regulatory approach sometimes referred to as “co-regulation.” I have written about these ideas at greater length in a law review article, Privacy and Regulatory Innovation: Moving Beyond Voluntary Codes, I/S: A Journal of Law and Policy for the Information Society (forthcoming Winter 2011) available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1510275. All page references below are to the draft version currently posted on SSRN…

To read Rubinstein’s full blog about this issue click here