Last Thursday the White House hosted a major event on online privacy. Much of the public attention focused on a long-awaited White House report and a commitment by an online advertising self-regulatory group to implement components of the Do Not Track technology. Both the Electronic Frontier Foundation and the Center for Democracy and Technology have written detailed reviews of what transpired.
There has been scant focus on Federal Trade Commission Chairman Jon Leibowitz’s brief remarks on Do Not Track. That’s a mistake.
The FTC was an early, vocal proponent of Do Not Track with its December 2010 preliminary staff report on online privacy. FTC staff have frequently cajoled companies and trade groups to implement Do Not Track, and they have participated in every meeting of the World Wide Web Consortium’s Do Not Track working group. Chairman Leibowitz himself attended a recent meeting in Brussels.
The FTC’s thinking matters. The agency can—and does—bring enforcement actions against web trackers (e.g. Chitika, ScanScout) and the websites that facilitate them (e.g. Facebook). The FTC can call for Do Not Track legislation. Further, under the new White House proposal, the agency would be vested with both veto power over self-regulatory codes and enforcement authority for baseline privacy requirements.
FTC commissioners tend to shy from staking out their individual policy views. The FTC is a law enforcement agency, and it only “speaks” through a vote of the commission. Chairman Leibowitz in particular has relied on subtlety and nuance in his policy addresses.
Last Thursday’s speech was unusually direct. Chairman Leibowitz gave the clearest articulation yet of his thinking on Do Not Track—and he got it completely right. Here’s a summary.
- The FTC does policy, not just enforcement. And it’s the agency that will continue to lead on Do Not Track, not the White House or the Commerce Department.
Since our founding in 1914, the FTC also has had a policy function, which has focused recently on privacy.
With the encouragement of this Administration – which has so keenly recognized the link between protecting consumer privacy online and engendering consumer trust in Internet commerce – an impressive public-private partnership has made a beginning, coming together around one small agency’s Do Not Track initiative.
A consumer’s Do Not Track preference must do more than stop behavioral ad targeting.
We envisioned a [Do Not Track] mechanism that would . . . allow consumers to limit how much data is gathered about them online (and not just how many targeted ads they see) . . . .
- At present, online advertising self-regulation only stops behavioral ad targeting. (Some stakeholders have termed the program “Do Not Target.”)
For the past several years, the online advertising industry has been working to develop an icon that consumers could click to opt out of receiving targeted ads.
- A consumer’s Do Not Track preference must affect all third-party websites, including advertising companies, analytics services, and social networks.
While these developments are encouraging, we still need to ensure that all companies that track users – not just advertisers – are at the table.
- The World Wide Web Consortium is the multi-stakeholder forum for establishing Do Not Track technology and policy.
To that end, the World Wide Web Consortium (W3C), an Internet standards-setting body, gathered engineers, consumer groups, and participants across the broad technology industry to create a universal standard for Do Not Track. We look forward to their deliberations also bearing fruit over the coming year.
- The FTC will continue to enforce on web tracking issues, especially when a company violates a consent order with the agency.
Today, although it is still a work in progress, the ad industry has obtained buy-in from companies that deliver 90 percent of online behavioral advertisements; and, with the Better Business Bureau, it has established a mechanism with teeth to address non-compliance, backed up with FTC enforcement. Said differently, if they don’t enforce it, we will.
Most notably, last year, two of the largest Internet companies entered into consent orders with the FTC that require both to honor their privacy commitments to hundreds of millions of consumers worldwide and to hire outside auditors to monitor their privacy practices.
- The Do Not Track technology is the “
DNT: 1” preference signaling mechanism, and consumers are already using it. Microsoft’s Tracking Protection List technology has merit, but it’s a different proposal.
In a related effort, very early on the companies that make web browsers stepped up to our challenge to give consumers choice about how they are tracked online, sometimes known as the browser header approach. Just after the FTC’s call for Do Not Track, Microsoft developed a system to let users of Internet Explorer prevent tracking by different companies and sites. Mozilla introduced a Do Not Track privacy control for its Firefox browser that an impressive number of consumers have adopted; Apple included a similar Do Not Track control in Safari.
European policymakers have already articulated their positions on advertising self-regulation and Do Not Track. In December the European Union’s Data Protection Working Party issued a formal opinion that found current advertising self-regulation inadequate under EU privacy law and that signaled support for the W3C’s Do Not Track standards process. European Commission Vice-President Neelie Kroes indicated in January that she shares those views; she reaffirmed her position in response to last week’s event.
Now the head of the chief U.S. consumer protection agency has chimed in, and he agrees. The FTC’s upcoming report on consumer privacy online will clarify where the other commissioners stand.
There is an increasingly clear transatlantic consensus: online advertising self-regulation is not enough. The W3C’s Do Not Track standards process is the way forward for providing meaningful consumer choice about third-party web tracking.