FTC’s Do-Not-Track Proposal Would Give Consumers the Right to Opt-Out of Targeted Online Marketing

December 23, 2010

In response to increasing consumer outrage and exploitation, the Federal Trade Commission has recommended the creation of a Do-Not-Track service where consumers could opt out of online data tracking by advertisers.

This proposed Do-Not-Track service is intended to be a rough internet equivalent of the Do-Not-Call registry that makes registered phone numbers off limits to telemarketers.

To test the appeal of a Do-Not-Track service, Gallup and USA Today conducted a poll over the weekend that gives some interesting insights. Gallup found Internet users are for the most part aware that advertisers use their online browsing history to target ads to their interests, but they are largely opposed to such tactics — even if they help to keep websites free.

Highlighting consumer’s attitude is a statement last month by Jeff Chester, a privacy advocate and executive director of the Washington-based Center for Digital Democracy who said ad targeting “has helped turn on a light bulb for consumers. It illustrates that there is a commercial surveillance system in place online that is sweeping in scope and raises privacy and civil liberties issues, too.”

Though the poll found that 61% of respondents said they had noticed that ads had been targeted to them, 90% said they paid little to no attention to the ads, a finding that remained consistent across all age and economic groups.

Note: The poll surveyed consumers 18 and older. It would be very interesting to see the impact of targeted advertising on children and youth with lower media literacy skills.  Particularly in light of the Children’s Online Privacy Protection Act (COPPA)’s requirements that make it illegal to collect personal information from or about a child, except under very explicit terms including: gaining verifiable parental consent, providing clear notice as to what information is collected, and how it will be used,  and so on.

This doesn’t mean that all targeted advertising that may be directed to a minor is illegal, or that consumers are wholeheartedly against targeted advertising. In fact, most poll respondents said they would prefer to allow the advertisers of their choosing to target ads to them — rather than allow all or no advertisers to do so.

What this poll’s findings mean to advertisers, consumers, services, and the FTC

According to the Interactive Advertising Bureau, online advertising accounted for $12.1 billion in revenue in the first half of this year, of which a recent editorial in AdWeek said targeted advertising that tracks consumer’s browsing histories is a “fast-growing $1.1 billion industry”. The editorial claimed that the implementation of a Do-Not-Track a measure would equate to an “apocalypse” for online advertisers that rely on these tactics to deliver targeted ads to users.

Their concern is supported by the Gallup poll’s findings that internet users overwhelmingly disapprove of advertiser’s existing practices of data mining and using consumer’s online browsing history to target ads to them.

The picture isn’t entirely black and white however. The editorial view in AdWeek is not held by all online advertisers, many of which have gone to some lengths to allow consumers to choose whether or not they will be tracked for advertising.  See these two blogs for more information about ways in which key industry members are helping consumers determine their ad tracking/do-not-track settings  PrivacyChoice.org – Another Great Site for Managing Behavioral Advertising, and Ad Stalking – When Ads Follow You Online. Additionally, some companies, like Microsoft are already building consumer tracking choices into their products. See Microsoft puts ‘Do Not Track’ function in next IE browser, as an example of this trend.

The poll results suggest that the alternative approaches outlined in the blogs that provide consumers a more thoughtful, user-driven approach to targeted advertising can be successful. When consumers have the opportunity to specifically choose the advertisers that can target them and manage the ads to ones they want to see, they are more likely to pay attention to the ads, and are much less likely to object to the data collection methods advertisers use to customize the content.

The key for the FTC if they move forward with a “Do Not Track” measure will be in creating an appropriate framework of regulatory guidelines, ad industry innovation, and consumer education.

This framework will require an approach based on an understanding that there will be ongoing tension over how to strike the right balance between corporate (and government) data collection, web services profitability,  technical implementation restrictions, and consumer’s privacy choices because there isn’t one ‘right balance’ point. Rather there will be a sliding scale that varies between situational needs and consumer comfort levels.

What should be unanimously agreed upon are these three core consumer protections:

  1. Transparency – consumers must be able to see what information is being collected about them by any party, and have a clear understanding of how it’s being used – particularly if that information is shared or sold to other parties
  2. Choice – consumers must be able to easily find and modify information in their profiles, choose what types of information they will allow to have tracked, and choose who can or cannot track them.
  3. Control – consumers must have the ability to effect a one-click opt-out (or similar ease of opt-out method) of data collection, or a clear notification that the use of a service precludes this choice.

On top of these core protections, the impact and scope of tracking the behavior of minors must be uniquely addressed.

We are at a crucial fork in the road. The decisions that will be made in the next few months regarding consumer’s rights to personal privacy and control of personal information are likely to echo through history. We all have a very high stake in the outcome.



FTC Says PrivacyLock’s Data Protection Claims Deceptive; Company to Refund Users

October 10, 2010

US Search, Inc., the company behind PrivacyLock, is an online data broker that compiles public records and sells data about consumers to the public. The records may contain not only names, addresses and phone numbers, but also information such as aliases, marriages and divorces, bankruptcies, neighbors, associates, criminal records, and home values. US Search offered customers a variety of search services, including “People Search,” “Background Check,” Real Estate Reports,” and “Criminal Records/Court Records Searches.” It also offered a “Reverse Lookup” service that can return the name of an individual associated with a particular phone number or property address.

The company’s PrivacyLock service promised consumers that it would block others from seeing their personal information, but according to the FTC complaint, these claims were false. The agency alleged that since June of 2009, the PrivacyLock Service:

  • did not block consumers’ names from showing up as an associate of someone else in a search for the other person’s name;
  • did not block consumers’ information from appearing in a “reverse search” of their phone number or address, or in a search of their address in real estate records;
  • did not work if the consumer changed addresses, thereby generating new records that would not be subject to the PrivacyLock; and did not work if the consumer had multiple records – for example “John Smith” and “John T. Smith.”

The settlement bars US Search, Inc. and US Search, LLC from misrepresenting the effectiveness of their PrivacyLock Service or any other service they offer that will allow consumers to remove information about themselves from search results, websites, and advertisements. The settlement order also requires that they disclose any limitations on such services, and that they fully refund 5,000 consumers who paid $10 each for the service.

This is the latest in a series of FTC cases challenging companies’ failure to honor their privacy pledges, and we need the watchdog functionality that the FTC and organizations like the World Privacy Forum, who assisted in bringing this case forward, represent.


Prepared Statement of the Federal Trade Commission on Consumer Privacy

September 20, 2010

I am continuing my practice of sharing recent internet safety research pieces:


Remarks by the FTC:

Privacy has been central to the Commission’s consumer protection mission for more than a decade. Over the years, the Commission has employed a variety of strategies to protect consumer privacy, including law enforcement, regulation, outreach to consumers and businesses, and policy initiatives.2 In 2006, recognizing the increasing importance of privacy to consumers and a healthy marketplace, the FTC established the Division of Privacy and Identity Protection, which is devoted exclusively to privacy-related issues.3

Although the FTC’s commitment to consumer privacy has remained constant, its policy approaches have evolved over time. This testimony describes the Commission’s efforts to protect consumer privacy over the past two decades, including its two main policy approaches: (1) promoting the fair information practices of notice, choice, access, and security (the “FTC Fair Information Practices approach”); and (2) protecting consumers from specific and tangible privacy harms (the “harm-based approach”). It then discusses recent developments, including the FTC staff’s Privacy Roundtables project – a major initiative to re-examine traditional approaches to privacy protection in light of new technologies and business models. It concludes by offering general comments on both Chairman Rush’s and Chairman Boucher’s proposed privacy legislation.

I. The FTC’s Efforts to Protect Consumer Privacy

The FTC has a long track record of protecting consumer privacy. The Commission’s early work on privacy issues dates back to its initial implementation in 1970 of the Fair Credit Reporting Act (“FCRA”),4 which includes provisions to promote the accuracy of credit reporting information and protect the privacy of that information. With the emergence of the Internet and the growth of electronic commerce beginning in the mid-1990s, the FTC expanded its focus to include online privacy issues. Since then, both online and offline privacy issues have been at the forefront of the Commission’s agenda, as discussed in greater detail below.

A. The FTC’s Fair Information Practices Approach

Beginning in the mid-1990s, the FTC began addressing consumer concerns about the privacy of personal information provided in connection with online transactions. The Commission developed an approach by building on earlier initiatives outlining the “Fair Information Practice Principles,” which embodied the important underlying concepts of transparency, consumer autonomy, and accountability. In developing its approach, the FTC reviewed a series of reports, guidelines, and model codes regarding privacy practices issued since the mid-1970s by government agencies in the United States, Canada, and Europe.

From this work, the FTC identified four widely accepted principles as the basis of its own Fair Information Practices approach: (1) businesses should provide notice of what information they collect from consumers and how they use it; (2) consumers should be given choices about how information collected from them may be used; (3) consumers should be able to access data collected about them; and (4) businesses should take reasonable steps to ensure the security of the information they collect from consumers. The Commission also identified enforcement – the use of a reliable mechanism to impose sanctions for noncompliance with the fair information principles – as a critical component of any self-regulatory program to ensure privacy online.

To evaluate industry’s compliance with these principles, the Commission examined website information practices and disclosures; conducted surveys of online privacy policies, commented on self-regulatory efforts, and issued reports to Congress. In 2000, the Commission reported to Congress that, although there had been improvement in industry self-regulatory efforts to develop and post privacy policies online, approximately one-quarter of the privacy policies surveyed addressed the four fair information practice principles of notice, choice, access, and security.7 A majority of the Commission concluded that legislation requiring online businesses to comply with these principles, in conjunction with self-regulation, would allow the electronic marketplace to reach its full potential and give consumers the confidence they need to participate fully in that marketplace.

Click here to learn more: Prepared Statement of the Federal Trade Commission on Consumer Privacy


FTC Asked to Review Stealth Collection of Consumer Data

April 11, 2010

Calling for an investigation into companies conducting stealth collection of consumer data, the Center for Digital Democracy, US PIRG and World Privacy Forum have filed a complaint with the FTC today.

At issue are the recent developments in online profiling and behavioral targeting that now enable massive commercial aggregation of consumer’s information without your knowledge or consent, and the threat these actions represent to your privacy.

This data aggregation merges each individual’s online browsing and purchasing behavior plus any comments or actions you’ve taken on social networking or other sites (for Gmail users, this includes analysis of your email content), and combines this with your credit information, your age, location, income, whether you own a home, any criminal records, voting records, etc.

In short, advanced data collection companies aggregate all available online (including mobile devices) and offline information about you as an individual, and then sell it to whomever is bidding.

The sale of your specific information is often done in real time, where advertisers bid for the ability to direct a message at an individual Web surfer at the very moment they are doing something online that the advertiser is interested in. These trades take a breathtakingly short 50 milliseconds to complete.

These business practices affect virtually every individual – whether you’re an internet user or not

Some of the companies listed in the filing you’ll have heard of – and it shouldn’t come as a surprise that Google is listed first in the filing. But most of the companies you don’t even know exist: PubMatic, TARGUSinfo, MediaMath, eXelate, Rubicon Project, AppNexus, Rocket Fuel, Rapleaf, and more.

Consider the numbers

The filing includes the following statistics. Yahoo’s Right Media Exchange processes 9 Billion transactions daily. MediaMath serves more than 13 billion transactions daily. TARGUSinfo delivers more than 62 Billion transactions a year. PubMatic processes more than 100,000 data transactions per second. The Rubicon Project has information on ‘more than 500 million unique internet users”. BlueKai provides “actionable data” on over 200 million retail, travel, education and financial product shoppers – and they give buyers access to over 10,000+ combinations of intent, demographic, lifestyle, B2B data, and additional segments.”

That’s your information whizzing by

Extolling the virtues to businesses of Real-Time Bidding (RTB) for individual consumer’s access, the filing cites Pubmatic’s “Understanding Real-Time Bidding from the Publisher’s Perspective (Feb 2010). This material states that RTB “is the fastest growing segment of U.S. online advertising…With RTB, advertisers have the great level of transparency available on the individual user in real-time… Having greater transparency…provides great insights to advertisers, but it is the difference in how media [your information] is bought and sold with real-time bidding is the game changer…” RTB “can buy impressions [advertising space] to reach specific users or reject them as the [ad] campaign is in progress.” In another report PubMatic states that “RTB allows advertisers to reach the right user, in the right place, at the right time – and assign an individual value to a particular ad impression.” If you’re the ideal candidate, PubMatic earns more.

The filing also quotes the chief revenue officer at eXelate’s comments to ClickZ News, “Who a user is is becoming more important than where they are.” Then he highlighted the types of data that are particularly valuable to advertisers, such as information on household income, interests and purchase intent.

Excerpts from Instant Ads Set the Pace on the Web,” New York Times, 11 Mar. 2010, and included in the filing further highlight this point: “Now, companies like Google, Yahoo and Microsoft let advertisers buy ads in the milliseconds between the time someone enters a site’s web address and the moment the page appears. The technology, called real-time bidding, allows advertisers to examine site visitors one by one and bid to serve them ads almost instantly….’It’s a lot about being able to get to the right users, but it’s also about passing on certain instances where we don’t think you’re in the market, based on what you’ve been doing in the past hour..”

While advertisers are having a heyday with your information, your privacy is evaporating

It’s easy to see how all these advances in consumer information collection help businesses, and there is an argument to be made that these advances benefit consumers by providing more relevant advertising – but at what cost to privacy? And who gave permission?

You have no idea what information has been collected about you, where that information has been aggregated – or to whom it has been sold. (there’s a whole separate issue about whether the information aggregated about you is actually your information at all, or whether, for example, your good name has been associated with someone else’s criminal record). You don’t even know if you somehow gave ‘permission’ along the way as the so-called ‘privacy protections’ in place for consumers are frequently ineffective or misleading.

This filing is critically important to your privacy

As individuals, trying to fight large enterprises you’ve never heard of, to wrest control of information about you that don’t even know they have, is virtually impossible. And, should you be successful at one point in time, there is no assurance that it will last.

This point was driven home to me when I demanded my phone number be removed from a large aggregator’s search result. After the hassle of figuring out what it would take to have it removed and then getting it deleted, I was informed that there was no assurance that the same information wouldn’t be supplied to them from another ‘data source’ and therefore be displayed in the future, so the onus was on me to check and repeat the process as needed.

So while the company agreed to remove the info, they would not honor my request to filter out the information should it be supplied to them the future. It took less than a week to again find my number in their search results.

It is only through concerted efforts, like this one that consumers have a chance of dictating their own privacy and safety boundaries. My hat is off to the Center for Digital Democracy, US PIRG and World Privacy Forum for their dedication to our collective rights.

I urge each of you to support this filing, and to urge the FTC to take clear, consumer friendly action.

Read the full filing here


Lifelock fined $12m for False claims regarding their Identity Theft Prevention and Data Security

March 26, 2010

“While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it,” said FTC Chairman Jon Leibowitz, when announcing the $12 million settlement between LifeLock, Inc. and the FTC.

According to the FTC’s press release, Lifelock “will pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle charges that the company used false claims to promote its identity theft protection services, which it widely advertised by displaying the CEO’s Social Security number on the side of a truck.”

The case represents one of the biggest FTC-state coordinated settlements on record and a tremendous win for consumers.

Errant industry players have been put on notice that product claims of internet safety and privacy had better measure up. And protects consumers mislead by the false claims.

“This agreement effectively prevents LifeLock from misrepresenting that its services offer absolute prevention against identity theft because there is unfortunately no foolproof way to avoid ID theft,” Illinois Attorney General Lisa Madigan said. “Consumers can take definitive steps to minimize the chances of having their personal information stolen, and this settlement will help them make more informed decisions about whether to enroll in ID theft protection services.”

Hats off to the FTC and the participating attorneys general.