+

Washingtons Privacy Tango

Searching For the Elusive Consensus

Bennet Kelley Internet Law Center

Founder of Internet Law Center in Santa Monica Former Co-Chair of Cal. Bar Cyberspace Committee Host of Cyber Law & Business Report on WebmasterRadio.fm (Weds at 10-11AM PT) Publisher of Cyber Report newsletter which won top prize at 2011 LA Press Club Awards and named a top source for internet law

This Debate Is Not New

OK, Not Quite That Old Since Advent of Internet What Has Changed

Reach/Breach Acceptance of Some Regulation Number of Players and Technologies Involved

The Framers and the Myth of Sisyphus

Futility by Design
Congress 2011
1.2% 11.4%

Public Law Passed The Rest 67.6%

1999: SPOTLIGHT ON ONLINE PROFILING

1999: FTC Conference 1999: Network Advertising Initiative launched to stop regulation 2000: Report to Congress

 Commends NAI but . . . [Recommends] legislation that would set forth a basic level of privacy protection for all visitors to consumer-oriented commercial Web sites with respect to profiling. Basic standards of practice governing the collection and use of information online for profiling, and provide an implementing agency with the authority to promulgate more detailed standards [Including] authority to grant safe harbors to self-regulatory principles which effectively implement the standards of fair information practices articulated in the legislation and subsequent rulemaking.

2001-2006: Other Priorities

Spam (2003) Spyware (2004)

+ 2007-2009 Dancing Over Self-Regulation

2007: FTC Releases Self-Regulatory Principles for Behavioral Targeting 2008: Industry Pushes Back 2009: Leibowitz Warns Industry Action is Coming Industry Responds with IAB, DMA, AAAA Guidelines

2007 Proposed Principles

Every website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that

(1) data about consumers activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers interests, and (2) consumers can choose whether or not to have their information collected for such purpose

Any company that collects and/or stores consumer data for behavioral advertising should provide reasonable security for that data,
Companies should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need. Before a company can use data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consume. Companies should only collect sensitive data for behavioral advertising if they obtain affirmative express consent from the consumer to receive such advertising

2008 Industry Self-Regulatory Principles

Education Principle calls for organizations to participate in efforts to educate individuals and businesses about online behavioral advertising. The Transparency Principle calls for clearer and easily accessible disclosures to consumers about data collection and use practices associated with online behavioral advertising. The Consumer Control Principle provides consumers with an expanded ability to choose whether data is collected and used for online behavioral advertising purposes. This choice will be available through a link from the notice provided on the Web page where data is collected.

The Material Changes Principle calls on organizations to obtain consent for any material change to their online behavioral advertising data collection and use policies and practices to data collected prior to such change. The Sensitive Data Principle recognizes that data collected from children and used for online behavioral advertising merits heightened protection, and requires parental consent for behavioral advertising to consumers known to be under 13 on child-directed Web sites. This Principle also provides heightened protections to certain health and financial data when attributable to a specific individual. The Accountability Principle calls for development of programs to further advance these Principles, including programs to monitor and report instances of uncorrected non-compliance with these Principles to appropriate government agencies.

The Data Security Principle calls for organizations to provide reasonable security for, and limited retention of data, collected and used for online behavioral advertising purposes.

+ Emergence of the Creepiness Factor

Is it legal? Probably. Do I think it's a good idea and it makes sense? No. I don't think it passes the creepy factor, and this market isn't ready for stuff that doesn't pass the creepy factor, We are not in a place where we an do dumb things and stupid things like that, even if they're effective. Dave Morgan - Tacoda Founder

+ 2009-2011: Lawyers of the Roundtable

Tenth Anniversary of Online Profiling Conference Industry Still Fighting Regulation Complexity Increases . . . Oh and theres that Social Networking thing too.

Personal Data Eco-System

Any questions????

FTC Privacy Report

Our report and law enforcement action send a clear message to industry: despite some good actors, self-regulation of privacy has not worked adequately and is not working adequately for Americans consumers. We deserve far better from the companies we entrust our data to, and industry, as a whole, must do better. FTC Chairman Jon Leibowitz

DOC Privacy Report

Endorses baseline commercial data privacy principles that would fill any gaps in existing U.S. law; Safe harbors against FTC enforcement for practices defined by baseline data privacy or selfregulatory codes; Limited rulemaking authority over certain baseline fair information privacy practices principles if it is established that market failures require prescriptive regulatory action; and National Data Breach Standards

Market Reaction
Browser Wars

Privacy Competition
Industry Begins Policing Itself

Its Back . . .

Meanwhile . . .

No Consensus

Other Internet Battles

Net Neutrality SOPA

Consumer Privacy Bill of Rights

Individual Control: Transparency Respect for Context: Security: Access and Accuracy: Focused Collection: and

Enforcement by FTC Safe Harbors for Approved Codes of Conduct Federal Data Breach Law

Accountability

Half Empty

Relies on agreed upon self-regulatory principles and passage of comprehensive privacy legislation neither of which is on the horizon. Little different that where we were in 1999

Half Full

Jump starts moribund legislative process Got industry backing of do-not track on browser level Industry is engaging in self-regulation and enforcement already Substantial movement in industrys approach since 1999

Internet Law Center

100 Wilshire Blvd., Suite 950, Santa Monica, CA 90401 (310) 452-0401 bkelley@internetlawcenter.net www.internetlawcenter.net

Links

1999 Workshop on Online Profiling 2000 Report to Congress on Online Profiling 2007 Self Regulatory Principles (staff report) 2008 Industry Self Regulatory Principles 2010 FTC Staff Report

2010 Department of Commerce Green Paper 2011 CyLaw Report Why Johnny Cant Opt Out 2012 Consumer Privacy Bill of Rights Proposal 2012 White House Summary of Privacy Proposal