In conclusion

In my last couple of posts, I will explain what laws I think should be implemented in order to protect privacy. The debate over Internet privacy can basically be thought of as a tension between two interests:

  1. Companies’ interest in amassing as much data on people as possible so that they can better target advertisements and therefore make more money on the advertisements, and
  2. Consumers’ interest in being able to choose who gets information about them 

Right now the law leans too far in favor of interest 1. Attempts at self-regulation have not remedied this imbalance. The principles proposed by the FTC in December (see my earlier post) are a great idea, and the industry should be given a chance to comply with them through self-regulation. However, if most of the major commercial websites and advertising companies have not adopted them after a specified amount of time, the FTC needs to step in and create laws that protect consumers’ privacy. In order to strike a fair balance between the interests of companies and consumers, the new laws should accomplish the following goals:

  1. Consumers should be made aware of what data is being collected. There should be a national law that is similar to (and maybe stricter than) the California Online Privacy Protection Act. Any site that automatically tracks users’ IP addresses, gives them uniquely numbered cookies, or in any way creates a record of an individual user’s online behavior, should have a privacy policy that is easy to find and understand. The privacy policy should tell users what data is collected, how the data is used, when (if ever) it will be deleted, under what conditions the data will be shared with third parties, and what will happen if the privacy policy changes. A link to the privacy policy should be located on the website’s home page. The privacy policy should be concise enough that the average person would read it, and it should be easy to find the important information listed above.
  2. Companies, consumers, and the government should agree on the meanings of commonly-used terms so that there is no confusion over what companies’ privacy policies actually mean. The FTC should consider adopting the definitions proposed by the World Privacy Forum and other organizations (1).
  3. Consumers must be able to opt out of any type of behavioral tracking. The easiest way to do this would be to create a national Do Not Track List, like the one that the World Privacy Forum proposed (1). The FTC should create a website where consumers can sign up for the List and should publicize the list so that the public is generally aware of it. The List should be free of charge and should give consumers the ability to choose which sites can track them and which can’t. It would also be a good idea to have an option that lets consumers opt out of tracking by all websites with a single click. In order for the list to work, all companies that conduct behavioral tracking should be required to submit their URLs to the list, and browsers should be required to adopt technology that stops sites from tracking people in accordance with the List.
  4. Consumers should be able to see, edit, and delete any PII that a company has collected about them. If someone has not opted out of tracking but later decides to opt out, that person should be able to delete any embarrassing information that has been collected. Additionally, it is important that people be able to correct any inaccuracies that may be present in data collected about them.
  5. Sensitive information should only be collected on an opt-in basis. I don’t think it’s necessary to ban the collection of such data, because different people may have different ideas of what information is sensitive. Some people may not mind if companies know how much money they make, since that would help ads to be more relevant, but other people may want to keep that information private. However, sensitive information (according to the World Privacy Forum’s definition) should only be collected if users choose to have it collected. Not collecting this information should be the default action.
  6. Privacy laws should be strictly enforced. It should be easy for people to report violations of their privacy rights, perhaps through a website that the FTC sets up. Offending companies should be fined significant amounts of money so that they have a strong incentive to obey the law.
  7. The FTC should keep privacy regulations up to date, as new tracking technology is constantly being developed. A body such as the proposed Online Consumer Protection Advisory Committee (1) should be created to report on new developments, and the FTC should pass new laws to protect privacy if the need develops.  

These proposed laws would still permit consumers to reap the benefits of customized web content and more relevant ads if they choose to be tracked. Companies could still benefit financially from behavioral targeting of the consumers who don’t opt out, and they could collect aggregated data from all users, which should still enable them to conduct research that improves their sites.


1. Consumer Rights and Protections in the Behavioral Advertising Sector. World Privacy Forum. 7 Jan. 2008 <>.

Comments are closed.

Log in