Professional Documents
Culture Documents
Washington's Privacy Tango: Bennet Kelley
Washington's Privacy Tango: Bennet Kelley
Founder of Internet Law Center in Santa Monica Former Co-Chair of Cal. Bar Cyberspace Committee Host of Cyber Law & Business Report on WebmasterRadio.fm (Weds at 10-11AM PT) Publisher of Cyber Report newsletter which won top prize at 2011 LA Press Club Awards and named a top source for internet law
OK, Not Quite That Old Since Advent of Internet What Has Changed
1999: FTC Conference 1999: Network Advertising Initiative launched to stop regulation 2000: Report to Congress
Commends NAI but . . . [Recommends] legislation that would set forth a basic level of privacy protection for all visitors to consumer-oriented commercial Web sites with respect to profiling. Basic standards of practice governing the collection and use of information online for profiling, and provide an implementing agency with the authority to promulgate more detailed standards [Including] authority to grant safe harbors to self-regulatory principles which effectively implement the standards of fair information practices articulated in the legislation and subsequent rulemaking.
2007: FTC Releases Self-Regulatory Principles for Behavioral Targeting 2008: Industry Pushes Back 2009: Leibowitz Warns Industry Action is Coming Industry Responds with IAB, DMA, AAAA Guidelines
Every website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that
(1) data about consumers activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers interests, and (2) consumers can choose whether or not to have their information collected for such purpose
Any company that collects and/or stores consumer data for behavioral advertising should provide reasonable security for that data,
Companies should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need. Before a company can use data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consume. Companies should only collect sensitive data for behavioral advertising if they obtain affirmative express consent from the consumer to receive such advertising
Education Principle calls for organizations to participate in efforts to educate individuals and businesses about online behavioral advertising. The Transparency Principle calls for clearer and easily accessible disclosures to consumers about data collection and use practices associated with online behavioral advertising. The Consumer Control Principle provides consumers with an expanded ability to choose whether data is collected and used for online behavioral advertising purposes. This choice will be available through a link from the notice provided on the Web page where data is collected.
The Material Changes Principle calls on organizations to obtain consent for any material change to their online behavioral advertising data collection and use policies and practices to data collected prior to such change. The Sensitive Data Principle recognizes that data collected from children and used for online behavioral advertising merits heightened protection, and requires parental consent for behavioral advertising to consumers known to be under 13 on child-directed Web sites. This Principle also provides heightened protections to certain health and financial data when attributable to a specific individual. The Accountability Principle calls for development of programs to further advance these Principles, including programs to monitor and report instances of uncorrected non-compliance with these Principles to appropriate government agencies.
The Data Security Principle calls for organizations to provide reasonable security for, and limited retention of data, collected and used for online behavioral advertising purposes.
Tenth Anniversary of Online Profiling Conference Industry Still Fighting Regulation Complexity Increases . . . Oh and theres that Social Networking thing too.
Endorses baseline commercial data privacy principles that would fill any gaps in existing U.S. law; Safe harbors against FTC enforcement for practices defined by baseline data privacy or selfregulatory codes; Limited rulemaking authority over certain baseline fair information privacy practices principles if it is established that market failures require prescriptive regulatory action; and National Data Breach Standards
Market Reaction
Browser Wars
Privacy Competition
Industry Begins Policing Itself
Its Back . . .
Meanwhile . . .
No Consensus
Individual Control: Transparency Respect for Context: Security: Access and Accuracy: Focused Collection: and
Enforcement by FTC Safe Harbors for Approved Codes of Conduct Federal Data Breach Law
Accountability
Half Empty
Relies on agreed upon self-regulatory principles and passage of comprehensive privacy legislation neither of which is on the horizon. Little different that where we were in 1999
Half Full
Jump starts moribund legislative process Got industry backing of do-not track on browser level Industry is engaging in self-regulation and enforcement already Substantial movement in industrys approach since 1999
Links
1999 Workshop on Online Profiling 2000 Report to Congress on Online Profiling 2007 Self Regulatory Principles (staff report) 2008 Industry Self Regulatory Principles 2010 FTC Staff Report
2010 Department of Commerce Green Paper 2011 CyLaw Report Why Johnny Cant Opt Out 2012 Consumer Privacy Bill of Rights Proposal 2012 White House Summary of Privacy Proposal