Do Not Track: The FTC's Latest Proposal

Dec 14, 2010
Oshyn Labs

Today the FTC provided more information on the commission's "Do Not Track" proposal. I recommend reading the FTC's testimonial here: rather than basing facts entirely off of content generated by others (like me).

I'll share some highlights of the testimonial before sharing my thoughts: 

David Vladeck, Director of the Bureau of Consumer Protection of the Federal Trade Commission, began the testimonial by stating that "privacy" has been central to the commission's consumer protection mission for forty years. He soon gives some examples of how the FTC has protected consumers: "The Commission has an aggressive privacy enforcement agenda. In the last fifteen years, it has brought 29 data security cases; 64 cases against companies for improperly calling consumers on the Do Not Call registry; 83 cases against companies for violating the Fair Credit Reporting Act (“FCRA”); 96 spam cases; 15 spyware cases; and 15 cases against companies for violating the Children’s Online Privacy Protection Act (“COPPA”)." Vladeck presents several examples of how the FTC has protected consumers online, including enforcing data security issues surrounding Twitter's Private Messages. One of the most surprising examples Vladeck discusses is a case involving Sears:


"Last year the Commission settled allegations that Sears violated Section 5 of the FTC Act by failing to disclose adequately the scope of consumers’ personal information collected via software that Sears represented would merely track their “online browsing.” The FTC charged that the software, in fact, monitored consumers’ online secure sessions as well including those on third-party websites and collected information such as the contents of shopping carts, online bank statements, email headers and subject lines, drug prescription records, and other sensitive data. In addition to requiring that Sears destroy information previously collected, the settlement provides that if Sears advertises or disseminates tracking software in the future, it must clearly and prominently disclose the types of data the software monitors, records, or transmits and whether any of the data will be used by a third party. This disclosure must be made prior to installation of the tracking software and separate from any user license agreement."


Now that kind of case makes me cringe. At this point in the testimony I'm thinking there should certainly be some definitive separation on companies that collect information about people who visit their website or respond to online ads or clickthru links in emails VERSUS a company that elaborately obtains information as far as bank account information or any other information not specifically related to that consumer's behavior on said company's website, when creating a Do Not Track Policy.

This section of the testimony makes a lot of sense: 

"The proposed framework contains three main concepts. First, the Commission staff proposes companies should adopt a “privacy by design” approach by building privacy protections into their everyday business practices. Such protections include providing reasonable security for consumer data, collecting only the data needed for a specific business purpose, retaining data only as long as necessary to fulfill that purpose, safely disposing of data no longer in use, and implementing reasonable procedures to promote data accuracy."

Vladeck goes on to suggest that website visitors should perhaps be protected by having a "Just In Time" methodology for companies to seek consent at the time the consumer is about to provide personal data. That also makes sense and it can work in favor of the company: consumers (both savvy and wary) experience "friction" when they're about to provide personal data. Having a standardized approach to providing this information could improve online business in general because consumers will know exactly how/where to understand how their information will be used.

When Vladeck starts to discuss Do Not Track, he does note that tracking for online advertising can have benefits but can be of great concern to website visitors. Oddly enough, last night two of my friends who work in Risk Management and I were discussing the relevancy of ads in Facebook, Gmail and Hotmail. One friend said he'd noticed that when looking at friends' profiles on Facebook the relevancy of the ads on their profile was specific to their interests - not his. We all agreed that we were surprised at the relevancy of the ads we see in Gmail. I commented that out of frustration of having banner ads of magnified sperm served to me in a banner ad campaign on Hotmail (showing me giant sperm - the campaign was on conception - yeah I'm a 35 year old woman!) I changed several Hotmail settings (age/country) and started receiving different banner ads. So yes, the means of gathering info can provide us with relevant information but it can also be annoying and invasive: FYI on Facebook I get a lot of ads for online dating (yeah I'm a 35 year old SINGLE woman. LOL).

The report offers a suggestion for Do Not Track:

"The most practical method of providing uniform choice for online behavioral advertising would likely involve placing a setting similar to a persistent cookie on a consumer’s browser, and conveying that setting to sites that the browser visits, to signal whether or not the consumer wants to be tracked or receive targeted advertisements. To be effective, there must be an enforceable requirement that sites honor those choices."

From a marketing perspective, will such a mechanism influence a large number of consumers to attempt to opt-out of everything - thus unable to experience AWE? I would rather have an adaptive experience, like that of Amazon.com. But I do not agree in general with companies sharing data they collect about consumers with other companies without their explicit permission. I don't really think we need Do Not Track. I think we need a better way to hold companies accountable who violate the privacy of individuals and standardize what the privacy rules are. For companies and consumers those rules should be easy to understand and easy to enforce. For example, often when we subscribe to something or buy something on a website we are asked if that company can share our data with 3rd party companies. To me, that doesn't really make a lot of sense anymore. I immediately wonder, and who is that 3rd party? Now if a company I've done business with contacts me and says, can we provide your data to company X, I have better information to make a choice. Sure the method is more complex but it will provide better data to both consumer and business. Seth Godin made a lot of valid points in his book Permission Marketing. I can't remember offhand if this was a point it stated (and I don't have the book handy) but it seems that asking permission at the right point is the most valuable method for all.

What do you think about the FTC's proposal?