Last week’s Federal Trade Commission (FTC) online privacy report draft got a lot of attention for a call to provide a “Do Not Track” option for consumers. While that might have made the headlines, it’s important to note that the report was released by the FTC for the purpose of receiving public comments by January 31, 2011.
After this period, the FTC will finalize and release the report. What happens with it after that is a good question. The Commission hopes that Congress will use the report as a reference upon which to base privacy legislation, an initiative that may get fresh attention in the U.S. House Energy and Commerce committee.
As someone who works in the field of web analytics, I wanted to understand potential impacts to what we do. Here’s what I found.
The 118 Word Summary
The report and the recommendations are aimed squarely at ad networks, ISPs, carriers, operating system vendors, software application companies and other organizations that collect Personally Identifiable Information (PII) and sell it to third parties for marketing and behavioral targeting without identification of the collection. The report calls this third party marketing.
If you collect customer data and use it to market products from your own web site, this is considered “acceptable practice” and called first party marketing. If this is the case, the Do Not Track option would not necessarily apply to your site, nor would visitors to your site need to be given an “opt out” option.
However, all sites would benefit from plain language privacy policies that clearly disclose how the collected data will be used.
A Picture is Worth 1000 Words
As a lot of the report speaks to companies that really deal in “trafficking” personal information, it’s important to see where your organization fits in the Personal Data Ecosystem. See if you can find it in the graphic that’s included as an appendix in the report. (These graphics don't reproduce well because they are so detailed. I'd recommend you download the report.)
Chances are, your organization falls somewhere in the Data Collectors circle.
In presenting this report, the FTC is trying to move companies who deal with PII into a place where they give people clear options for control of their data. This initiative has less to do with analytics and more to do with addressing companies whose business involves the capture and security of, and access to, PII.
It isn’t that none of this occurs today; the FTC would like to see this institutionalized and standardized. Google (Dashboard), Yahoo (Ad Manager) and Microsoft (IE9) have all been taking preventive measures. I've described the Google and Yahoo privacy initiatives in more detail in my last post on privacy.
So, how can your site take initiative to improve transparency?
- Give people a choice to opt out…using browser settings or analytics tool options. Make it clear how to do so.
The Federal Government recently released its own guidelines for how Federal agency web sites should deal with privacy and PII. These might serve as a good template for your organization. For more information, you might find my posting on the new Federal Government web measurement policies a good starting place.
The Good Part Starts on Page 53
If you’re not in the data collection and reselling business, the report may not seem that interesting until you reach page 53. This is where the FTC discusses “First-party marketing.”
“Companies do not need to provide choice before collecting and using consumers’ data for commonly accepted practices, such as product fulfillment.”
Activities considered to be commonly accepted practices include:
“First-party marketing: Online retailers recommend products and services based upon consumers’ prior purchases on the website. Offline retailers do the same and may, for example, offer frequent purchasers of diapers a coupon for baby formula at the cash register. Some of these practices, such as where a retailer collects a consumer’s address solely to deliver a product the consumer ordered, are obvious from the context of the transaction, and therefore, the consumer’s consent to them can be inferred.”
“Staff proposes that first-party marketing include only the collection of data from a consumer with whom the company interacts directly for purposes of marketing to that consumer.”
“134 If a company shares data with a third party other than a service provider acting on the company’s behalf … the company’s practices would not be considered first-party marketing and thus they would fall outside of “commonly accepted practices,” …. Similarly, if a website publisher allows a third party, other than a service provider, to collect data about consumers visiting the site, the practice would not be “commonly accepted.”135”
Described in additional detail in a footnote on the same page:
“134 Staff also believes that online contextual advertising should fall within the “commonly accepted practices” category. Contextual advertising involves the delivery of advertisements based upon a consumer’s current visit to a web page or a single search query, without the collection and retention of data about the consumer’s online activities over time. As staff concluded in its 2009 online behavioral advertising report, contextual advertising is more transparent to consumers and presents minimal privacy intrusion as compared to other forms of online advertising. See OBA Report, supra note 37, at 26-27 (where a consumer has a direct interface with a particular company, the consumer is likely to understand, and to be in a position to control, the company’s practice of collecting and using the consumer’s data).”
The FTC is asking for comment on these recommendations and trying to determine if they are too broad or narrow. I think what they have currently does make sense and provides the level of flexibility that we’d like to have as web analysts.
I’d suggest putting in your comments to ensure that this recommendation goes into the final report. It’s really critical that policy makers understand the difference between what most of us do, and what most of our organizations do with respect to using data vs. third party ad networks and the use of “deep packet inspection”…the real target of the privacy initiatives.
Questions? Comments? Love to hear them.