Monday, December 06, 2010

Internet Privacy and the 'Do Not Track' Proposal: The FTC is Open to Comments

Last Tuesday morning, the House Subcommittee on Commerce, Trade and Consumer Protection opened hearings on Internet privacy for consumers in a session entitled Do-Not-Track Legislation: Is Now the Right Time?

Dealing with how companies collect, compile and sell information about visitors to their commercial Web sites, the outcome of this discussion has the potential to create radical changes in consumer protection online, and a fundamental shift in the practices of almost every company that conducts business online.

The hearings may sound like something straight off the desk of Senator John McCain, but actually center around a plan by the Federal Trade Commission to allow consumers to opt out of having their personal information and Internet browsing habits be collected by commercial sites. Indeed, the plan goes one step further in protecting consumer rights by prohibiting any such tracking of Internet behaviors except where permission has been explicitly provided by consumers. In other words, individuals would have to opt in before their information could be tracked, stored, or sold, which is nearly an about face from current Internet business practices that rarely broadcast when profiles are created for visitors, or when -- and to whom -- those profiles are sold.

Similar in title to the widely popular Do-Not-Call Implementation Act of 2003, which gave the Federal Trade Commission powers to enforce the National Do-Not-Call Registry, the Do-Not-Track proposal also shares a significant framework with that Law. Both are structured around a year 2000 document from the FTC called Fair Information Practice (FIP) Principles.

Similarities between the proposed Do-Not-Track plan and the Do-Not-Call Registry are very intentional. No word on whether either apply within a women's correctional facility.

Foremost among the FIP principles are notice and awareness, with the following items "recognized as essential to ensuring that consumers are properly informed before divulging personal information":

Identification of the entity collecting the data;
Identification of the uses to which the data will be put;
Identification of any potential recipients of the data;
The nature of the data collected and the means by which it is collected if not obvious (passively, by means of electronic monitoring, or actively, by asking the consumer to provide the information);
Whether the provision of the requested data is voluntary or required, and the consequences of a refusal to provide the requested information; and
The steps taken by the data collector to ensure the confidentiality, integrity and quality of the data.

One key difference that the FTC recommends, however, is that while the Do-Not-Call Registry requires a unique identifier for each opt out (i.e., a specific telephone number to be added to the block list), Do-Not-Track legislation should NOT require a unique identifier -- because that would effectively identify individuals who have asked specifically NOT to be uniquely identified. Instead, the FTC proposed in their testimony that the most effective opt out would "likely involve placing a setting similar to a persistent cookie on a consumer’s browser, and conveying that setting to sites that the browser visits, to signal whether or not the consumer wants to be tracked or receive targeted advertisements."

Questions remain on how current browser privacy options do or do not comply with the FTC's stated goals, and whether a browser setting provides enough of desired protections. The plan is an interesting beginning, however, to a needed conversation on expectations of Internet privacy and the realities of online commerce.

The FTC's full report is available as a PDF: Protecting Consumer Privacy in an Era of Rapid Change. You can also watch a streaming video of the hearing or download that video by following the links at the bottom of this FTC page.

Click the image to see a PDF copy of the FTC's proposed Internet Privacy plan.

The FTC is also accepting Public Commentary on its plan for Internet Privacy. Public comments will be accepted until January 31, 2011. To file a public comment electronically, please click here and follow the instructions.

1 comment:

  1. Anonymous12:28 PM

    found this during a google blog search. i don't mind if websites track what i look at online.i have nothing to hide.but ONLY if my name isn't selling my search info with my name is troublesome,cause companies buy email lists as well just to send spam or to steal your personal info.

    i also never buy things online or even do personal business online.i'm probibly 1 of a handfull of people who don't.but still,asking permission to collect your info should of been in place at the beginning of the internet age.