Last week’s Federal Trade Commission (FTC) online privacy report draft got a lot of attention for a call to provide a “Do Not Track” option for consumers. While that might have made the headlines, it’s important to note that the report was released by the FTC for the purpose of receiving public comments by January 31, 2011.
After this period, the FTC will finalize and release the report. What happens with it after that is a good question. The Commission hopes that Congress will use the report as a reference upon which to base privacy legislation, an initiative that may get fresh attention in the U.S. House Energy and Commerce committee.
As someone who works in the field of web analytics, I wanted to understand potential impacts to what we do. Here’s what I found.
The 118 Word Summary
The report and the recommendations are aimed squarely at ad networks, ISPs, carriers, operating system vendors, software application companies and other organizations that collect Personally Identifiable Information (PII) and sell it to third parties for marketing and behavioral targeting without identification of the collection. The report calls this third party marketing.
If you collect customer data and use it to market products from your own web site, this is considered “acceptable practice” and called first party marketing. If this is the case, the Do Not Track option would not necessarily apply to your site, nor would visitors to your site need to be given an “opt out” option.
However, all sites would benefit from plain language privacy policies that clearly disclose how the collected data will be used.
A Picture is Worth 1000 Words
As a lot of the report speaks to companies that really deal in “trafficking” personal information, it’s important to see where your organization fits in the Personal Data Ecosystem. See if you can find it in the graphic that’s included as an appendix in the report. (These graphics don't reproduce well because they are so detailed. I'd recommend you download the report.)
Chances are, your organization falls somewhere in the Data Collectors circle.
In presenting this report, the FTC is trying to move companies who deal with PII into a place where they give people clear options for control of their data. This initiative has less to do with analytics and more to do with addressing companies that are in the business of capturing, securing and accessing PII.
It isn’t that none of this occurs today; the FTC would like to see this institutionalized and standardized. Google (Dashboard), Yahoo (Ad Manager) and Microsoft (IE9) have all been taking preventive measures. I've described the Google and Yahoo privacy initiatives in more detail in my last post on privacy.
So, how can your site take initiative to improve transparency?
- Let’s start with your site Privacy Policy. I agree with the FTC that most Privacy Policies are a mess of legalese. So, take another look and re-write them in plain language. Make it clear and transparent. Tell people what you’re doing. If you are using the data collected for marketing and product development purposes, then just say so and get it over with. Don’t bury it.
- Give people a choice to opt out…using browser settings or analytics tool options. Make it clear how to do so.
The Federal Government recently released its own guidelines for how Federal agency web sites should deal with privacy and PII. These might serve as a good template for your organization. For more information, you might find my posting on the new Federal Government web measurement policies a good starting place.
The Good Part Starts on Page 53
If you’re not in the data collection and reselling business, the report may not seem that interesting until you reach page 53. This is where the FTC discusses “First-party marketing.”
“Companies do not need to provide choice before collecting and using consumers’ data for commonly accepted practices, such as product fulfillment.”
Activities considered to be commonly accepted practices include:
“First-party marketing: Online retailers recommend products and services based upon consumers’ prior purchases on the website. Offline retailers do the same and may, for example, offer frequent purchasers of diapers a coupon for baby formula at the cash register. Some of these practices, such as where a retailer collects a consumer’s address solely to deliver a product the consumer ordered, are obvious from the context of the transaction, and therefore, the consumer’s consent to them can be inferred.”
“Staff proposes that first-party marketing include only the collection of data from a consumer with whom the company interacts directly for purposes of marketing to that consumer."
"134 If a company shares data with a third party other than a service provider acting on the company’s behalf … the company’s practices would not be considered first-party marketing and thus they would fall outside of “commonly accepted practices,” …. Similarly, if a website publisher allows a third party, other than a service provider, to collect data about consumers visiting the site, the practice would not be “commonly accepted.”135"
Described in additional detail in a footnote on the same page:
“134 Staff also believes that online contextual advertising should fall within the “commonly accepted practices” category. Contextual advertising involves the delivery of advertisements based upon a consumer’s current visit to a web page or a single search query, without the collection and retention of data about the consumer’s online activities over time. As staff concluded in its 2009 online behavioral advertising report, contextual advertising is more transparent to consumers and presents minimal privacy intrusion as compared to other forms of online advertising. See OBA Report, supra note 37, at 26-27 (where a consumer has a direct interface with a particular company, the consumer is likely to understand, and to be in a position to control, the company’s practice of collecting and using the consumer’s data).”
The FTC is asking for comment on these recommendations and trying to determine if they are too broad or narrow. I think what they have currently does make sense and provides the level of flexibility that we’d like to have as web analysts.
I’d suggest putting in your comments to ensure that this recommendation goes into the final report. It’s really critical that policy makers understand the difference between what most of us do, and what most of our organizations do with respect to using data vs. third party ad networks and the use of “deep packet inspection”…the real target of the privacy initiatives.
Questions? Comments? Love to hear them.
Phil - Thanks for posting! I am glad that the report makes this distinction and think that we as a community need to help reinforce the concept of 1st party (corporations) vs. 3rd party (advertisers). I feel like we need a well constructed 2-3 minute YouTube Video that any layperson could see and easily understand the difference between what corporate web analysts do vs. sharing data across websites...Maybe one like this already exists...I feel like "a video is worth a thousand blog posts!" in today's day and age...
Adam
Posted by: Adam Greco | December 10, 2010 at 11:54 AM
Adam - Thanks for the comment. Well, you know what happens at meetings when someone has a great idea...they get nominated to make it happen. But seriously, if you'd like to put something together like this and want some help, let me know.
Phil
Posted by: Phil | December 10, 2010 at 01:25 PM
Adam, I believe you should consider involving Matt Langie and his guitar in this video. Perhaps a photoshopped image. (Guaranteed YouTube sensation!)
Phil, thank you for the summary. I too am happy to see a distinction made between the buying and selling of data, and the use of it for the individual website upon which the data is being captured.
That said, I did find it interesting the distinction made regarding behaviourally targeted advertising. It seems to suggest that advertising targeted based on behaviour within a visit is acceptable, yet targeting based on behaviour based on a previous visit is not. I understand the additional layer causing concern is the storing of information over time, however it just seems an unusual place to draw the line. I will have to read further in the original report.
Posted by: Michelehinojosa | December 13, 2010 at 10:32 PM
Any thoughts on the similar, but less detailed, approach that Europe is taking? http://www.bbc.co.uk/news/technology-12668552
Would love to hear your opinion on this as well. Seems to me like they are simply saying "you can't do this" but they don't know what "this" is nor do they know how to regulate "this". Should be interesting, as May 25th is fast approaching!
Posted by: Ericmatisoff | March 30, 2011 at 07:23 AM