Check out the Icons Live!

Both Yahoo! and AT&T have already implemented a trial run for one of the icons at www.green.yahoo.com/living-green/ and www.yellowpages.com, respectively. In addition, the two icons are now being tested with an internet survey of 2600 users to quantitatively determine their utility as a means of providing effective notice and to select the most effective symbol and language.


Future of Privacy Forum Unveils New Privacy and Personalization Symbols Finalists

Today Future of Privacy Forum (FPF) released two proposed icons designed to communicate to web users about the efforts of advertisers to tailor ads based on the websites they visit.

In February 2009, the Federal Trade Commission expressed concern that privacy policies were not being read or understood, and urged the industry to develop new methods of providing notice to users about behavioral advertising practices. Leading trade groups have drafted self-regulatory principles requiring new notices to users to appear alongside ads or on web sites.

With this in mind, FPF partnered with a number of divisions of WPP, the global marketing communications company, to launch a consumer-focused effort that would rely on the skill of advertising and communications professionals to engage users about efforts to provide relevant banner advertising. A creative team from Ogilvy designed a collection of symbols, Greenfield Research conducted focus groups to test the symbols that showed the most promise, and teams from Kantar Group and Lightspeed launched an online quantitative study. Leading academics Mary Culnan and Manoj Hastak worked with FPF director Jules Polonetsky to structure and design the consumer testing.

“Legal statements and privacy policies play a key role in binding companies to their online commitments,” said FPF co-chair Christopher Wolf. “But if the goal is communicating a complicated concept to users, it makes sense to turn to the best communications experts and challenge them to help companies communicate in terms consumers can understand.”

“Instead of focusing on privacy statements and disclaimers, we sought to openly tell consumers how companies were seeking to use data to tailor the ads they were shown,” explained Jules Polonetsky, FPF co-chair and director. “Only by being more transparent and dispelling the notion that behavioral advertising is a secret process can businesses partner with consumers to deliver personalization that will be valued.”

George V. Pappachen, Chief Privacy Officer at WPP’s Kantar Group, said, “Our approach was to create a touch-point that could engage users to learn more about the ads they are seeing. Both of these designs that have risen to the top of the list do just that.”

The icons are now being tested with an internet survey of 2600 users to quantitatively determine their utility as a means of providing effective notice and to select the most effective symbol and language.

One icon features a lowercase “i” with a partial circle around it. Focus group participants associated this image with “Information” links, interest-based ads, a power on/off switch alluding to the opt-out option, and the Internet in general.

The other leading symbol features an asterisk with a human-like shape. Focus group participants understood that the symbol indicated “personalization” and served as an alert that there was more information about the advertising available.

Polonetsky explained, “We do not think that simply displaying an icon and a few words is a full solution to the challenge of online privacy and personalization. Transparency needs to be supported with users having access to their profiles and with strict limits on use of sensitive data and children’s data. Opt-out choices need to work and data retention should be minimized. The entire process needs meaningful oversight and effective enforcement.”

“But the first step is respecting users enough to let them know what is going on. That is what we hope to accomplish with these symbols.”

The icon winner will be announced soon, so please stay tuned for more information.

Please visit the links below to see our work on this topic.

Kick-Off Announcement:

http://fpf.org/2009/05/19/future-of-privacy-forum-announces-research-initiative-to-develop-effective-messages-to-communicate-with-users-about-online-data-use/

Comments by the FTC Chairman:

http://fpf.org/2009/05/20/kind-words-from-the-ftc-chairman/

Link to Relevant Research page on our Wiki:

http://fpf-noticeproject.wikispaces.com/Relevant+Research

Saul Hansell’s New York Times Bits Blog: “Seeking a Symbol for ‘This Ad Knows About You’”

 

ISPAB to Address Smart Grid Issues

The Commerce Department/NIST Information Security and Privacy Advisory Board (ISPAB) is holding its December meeting tomorrow in Washington, DC. On the agenda is a discussion about privacy, security and the smart grid, led by FPF Co-Chair Jules Polonetsky, Dave Dalva, Senior Security Strategist at Cisco, and Lynn McNulty, Director of Government Affairs at (ISC)².

ISPAB advises NIST, the Secretary of Commerce and the Director of the Office of Management and Budget on information security and privacy issues pertaining to Federal Government information systems.

 

Communicating Online Advertising Practices to Consumers

Nymity, a global privacy and data protection research services firm and FPF supporter, just published an interview with Jules which provides a nice overview of our activities. You can sign up for Nymity’s free newsletter at www.nymity.com.

PrivacyProf on the SmartGrid

Some of the leading privacy analysis related to the smart grid has been carried out by Rebecca Herold, a.k.a. @PrivacyProf to her Twitter followers. Her most recent post, an effort to begin to map privacy standards to potential grid privacy concerns, does not disappoint. We are looking forward to having her on our smart grid privacy panel at the next IAPP Summit. Keep an eye on her site, RealTime IT Compliance, for great privacy updates on the grid and beyond (and of course continue to keep an eye on smartgridprivacy.org, FPF’s central resource site for the grid and privacy).

Cookie Opt-in, Opt-out? How about stepping up?

EU companies are heaving sighs of relief after obtaining some text changes in the EU telecoms package passed this week in Brussels. Concerns that the proposed amendments to the ePrivacy Directive would have required cookies used for secondary purposes to be “opt-in” had trade groups scrambling, but elimination of the words “prior” and “after having been provided” seems to provide some basis for broader interpretation.

Here is the new final language as approved:

“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”

The previous proposed language did address the use of browser settings as a possible way to imply consent. That language was moved to the less binding and more advisory introduction to the legal language of the law. Here is how it reads:

“Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.” Read the full text of the bill here.

It is important to understand that this law is operative at the EU level, meaning that it has no direct effect on companies. Rather, EU countries are now obligated to incorporate the new law into their own national legislation. How this will play out is unclear. Many data regulators already maintain that their current national laws require “opt-in” for cookies used to develop behavioral profiles or for other robust uses that they consider to be “personal”.

Rather than declare victory and head off to fight the next stage of this battle in every national jurisdiction, now might be a very good time for EU ad networks, publishers and advertisers to step up efforts to demonstrate innovative ways to provide users with more transparency and control. If top EU officials consider cookies used for ad-related purposes to be “spy cookies”, there is real work to be done to demonstrate that online data can be used in a manner that demonstrates respect for users. We have learnt a great deal from colleagues at data protection authorities abroad about privacy as a human right and believe the “rights” model is increasingly gaining traction over the historic US “harms” model. But perhaps some recent progress in the US may be useful as a model for global cookie use. Companies that develop cookie-based profiles are increasingly providing users in the US with access to those profiles, demystifying the process of targeted advertising. In addition, much of industry has agreed to provide notices on ads or on web pages to indicate behavioral data use. A number of leading companies, advocates and academics are working with the Future of Privacy Forum to conduct consumer research to understand the best words and symbols that can be used to meaningfully engage users about how their data is being used. We will be displaying our results at the December 7th FTC “Exploring Privacy” round table event.

Perhaps we can all agree to “opt-in” to stepping up efforts to demonstrate that personalization and privacy can co-exist?

*For those interested in the process, here are the next steps:

FTC "Exploring Privacy" Roundtable Series

Jules Polonetsky will be participating in the FTC’s “Exploring Privacy” Roundtable on Monday, December 7 in Washington, D.C.

Jules will be participating on Panel 2: Consumer Expectations and Disclosures from 11:00-12:15.

Click on this link for more details: http://www.ftc.gov/bcp/workshops/privacyroundtables/index.shtml

NARUC Defers Smart Grid Resolution

The National Association of Regulatory Utility Commissioners was scheduled to vote on a smart grid privacy resolution at their November meeting in Chicago last week. However, it appears that the regulators did not adopt the proposed resolution. Our sources tell us that it was deferred, hopefully to be taken up at the February NARUC meeting. Since the last NARUC privacy resolution was adopted in July of 2000, and data privacy issues that were barely contemplated are already the subject of intense discussion, we hope they will come back to this before companies are too far down the path to implementation.

Experts: Smart Grid Poses Privacy Risks


Washington Post – Security Fix Blog

By Brian Krebs

Wednesday, November 18, 2009

Technologists already are worried about the security implications of linking nearly all elements of the U.S. power grid to the public Internet. Now, privacy experts are warning that the so-called “smart grid” efforts could usher in a new class of concerns, as utilities begin collecting more granular data about consumers’ daily power consumption.

“The modernization of the grid will increase the level of personal information detail available as well as the instances of collection, use and disclosure of personal information,” warns a report (PDF) jointly released Tuesday by the Ontario Information and Privacy Commissioner and the Future of Privacy Forum (FPF), a think tank made up of chief privacy officers, advocates and academics.

Jules Polonetsky quoted:

“Relatively speaking, [utilities] aren’t big marketing companies with big back end databases ready to handle the tidal wave of data that’s coming,” he said. “But we’re a little worried that without some serious planning now, there’s going to be quite a challenge in a couple of years when people start realizing that maybe should think about developing some solid data retention policies that address what’s going to be done with all of this data.”

Click here to view the full blog post.

You Say It's Your Birthday

One year ago today, FPF opened its doors and promised to work to advance responsible data practices. Our goal was to work with progressive companies, advocates, academics and government leaders to find common ground on solutions that ensured that uses of consumer information provided users with transparency and control.

While FPF has grown in terms of our underwriting support and the depth of our advisory board, we are especially proud of the programs we have established to further our mission. This includes establishment of:

• A research and creative development effort to develop optimal ways to communicate about online advertising and privacy practices.

• A Smart Grid Working Group to help integrate privacy principles into the development of the internet smart power systems.

• A partnership with the George Washington University Law School to promote research and debate on privacy related law and public policy.

In the coming year, FPF will build on these to develop better ways to respect users’ online choices and to launch a new effort focused on social media and mobile applications. We welcome feedback, comments and criticism. To join or support our efforts, please email [email protected].