News Analysis: Private Matters




Congress says the Internet can’t protect consumers. Will legislation help?
In the brave new world of the Internet, advertisers want to rule. The federal government’s response: butt out of people’s personal lives if their privacy is not protected. Or else.
“Network advertisers … can track the Web sites we visit; the pages we view in Web sites; the time and duration of our visits; terms entered into search engines; purchases; response to advertisements; and the page we visited before coming to that site,” Sen. John McCain, R-Ariz., exclaimed at a privacy hearing before the Senate Commerce Committee last week.
While McCain has not decided whether legislation is necessary, he warns the industry that it will have a tough “selling job” in Congress to avoid it. Already, ad networks face a barrage of proposed bills from both parties, including:
O The Consumer Privacy Protection Act of 2000, introduced by Sen. Ernest Hollings, D-S.C. It would require Web sites to provide notice, choice, access and security to consumers and would give the FTC authority to regulate compliance.
O The Secure Online Communication Enforcement Act of 2000, introduced by Sen. Robert Torricelli, D-N.J., would require a commercial Web site to get a consumer’s permission before collecting personal information.
O The Privacy Commission Act, introduced by Rep. Asa Hutchinson, R-Ariz., and Rep. Jim Moran, D-Va., would create a 17-member panel to study online privacy, identity theft and the protection of personal medical and financial records.
O The Online Privacy Protection Act of 1999, introduced by Sen. Conrad Burns, R-Mont., would require the FTC to develop regulations to protect an adult’s privacy on the Web.
To ward off the legislative threat, Net advertisers have been negotiating with the Federal Trade Commission and the Department of Commerce to develop a set of voluntary privacy rules. Advertisers think self-regulation is the answer, but they must convince a wary public and increasingly skeptical lawmakers.
“If the industry moves aggressively, there is still a shot to forestall legislation,” says Daniel Jaye, chief technology officer for the ad network Engage, which is working on the privacy issue through a group called the Network Advertising Initiative (NAI).
Among the key issues being debated is the development of a set of “principles” that would require ad networks to disclose to consumers that data is collected, then give them the chance to opt out. Once the industry agrees to such dictates, the FTC will have the ability to enforce the rules under the existing laws governing trade practices.
A key congressional concern is online profiling–the practice of linking the anonymous data ad networks like DoubleClick and 24/7 Media collect from users to a consumer’s personal identity. Ad networks use software programs known as “cookies,” which are placed on a computer’s hard drive to record Web surfing habits and preferences.
When DoubleClick purchased Abacus Direct Corp. last year, it gained a database of consumer catalogue purchases which allows it to create detailed profiles on the public’s buying habits. The ad server plans to merge the anonymous data it collects from a Net user’s Web habits with the Abacus database of catalogue purchases to better identify and target consumers.
“We don’t serve ads based on profiles yet, but we are developing such a product,” says Jules Polonetsky, DoubleClick’s chief privacy officer. In fact, the public’s fears about privacy drove DoubleClick CEO Kevin O’Connor to announce in March that the company will stop its plans to merge the data “until there is agreement between government and industry on privacy standards.”
Meanwhile, 24/7 Media has an agreement with Naviant, which handles online product registrations for companies including IBM. Like DoubleClick, 24/7 can link the anonymous data it collects about a Web user’s surfing habits and online purchases with the Naviant database to actually identify consumers.
So far, NAI has agreed to improve the quality of privacy notices posted on Web sites and to give consumers two choices: either opt out of having any data collected or opt in if they find the advertising useful, said sources familiar with the industry’s FTC negotiations. In an effort to simplify the process, NAI has agreed to post a single page where Web users can exclude themselves from any profiling done by NAI companies.
The ad servers failed to reach a final agreement at last week’s Senate Commerce Committee privacy hearing. Some regulators think the industry’s efforts are not enough to prevent legislation.
FTC Chairman Robert Pitofsky, who has long been an advocate of industry self-regulation, doubts whether a self-policing mechanism can work. “I am troubled by who is out there watching and collecting information,” he said in a recent speech. “Would we really welcome a television ad having the technological ability to know a viewer has seen it, know to show a different ad during the next commercial break, and know what other programs and ads the viewer sees?”
In response, the FTC has called for legislation that would establish “basic standards of practice for the collection of information online.”
Web sites would be required to provide consumers with notice of a privacy policy, choice in whether they wanted information collected, access to data gathered about them, and assurance that any data collected was secure.
This decision came after the FTC’s latest survey of the 100 most popular commercial Web sites, including Amazon.com, Apple.com and eBay.com, which found that only 42 percent provided consumers with notice, choice, access and security.
The FTC’s report on online profiling, released last week, states it will not make any recommendations to Congress until it considers NAI’s self-regulatory proposal. But Jodie Bernstein, director of the FTC’s Bureau of Consumer Protection, claims an industry self-regulation system would work best if it was backed up by legislation.
Advertising lobby groups counter that any bill will turn the Net into a hostile place to navigate. “The FTC claims cookies are constantly being placed,” says Dan Jaffe, evp of the Association of National Advertisers. “If you have to stop every few seconds to opt in, this will be extremely disruptive and make the Internet a far less effective network.”
Privacy experts like Marc Rotenberg, director of the Electronic Privacy Information Center, disagrees. He believes ad networks are receiving too much personal data about consumers.
“We are really talking about the future of privacy in the 21st century, and whether there will be good standards in place to protect personal information or whether companies will be free to build secret, elaborate profiles that will determine where we go and what we see in this
new world.”