
IP addresses are PII

In a 2007 letter to the FTC, several privacy organizations, including the Electronic Frontier Foundation, Center for Democracy and Technology, and World Privacy Forum, suggested adopting definitions of common online privacy terms. Their proposed definition of “personally identifiable information” is different from that of most search engines. According to the privacy organizations, PII includes not only names, addresses, and social security numbers, but also IP addresses and “unique or non-unique identifying elements associated with a particular individual.” Information counts as PII if it can “permit a set of behaviors or actions to be consistently associated with a particular individual or computer user,” even if the individual is not identified by name or in any other way.

Additionally, the letter defined non-personally identifiable information as “aggregated data not associated with any individual or any individual identifier,” and sensitive data as PII that has to do with health, finances, sexual orientation, social security numbers, insurance numbers, or government-issued ID numbers. Behavioral tracking was defined as “the practice of collecting and compiling a record of individual consumers’ activities, interests, preferences, and/or communications over time,” and behavioral targeting was defined as “using behavioral tracking to serve advertisements and/or otherwise market to a consumer based on his or her behavioral record.”

I agree with these definitions. Even though an IP address may not be PII for a search engine alone, it certainly is for an Internet service provider. Any record of an individual’s behavior enables them to be profiled and targeted, regardless of whether the record is tied to a name, postal address, or social security number. I also agree that it is important for companies, consumers, and the government to agree on the definitions of commonly-used terms such as these. Otherwise it would be impossible for consumers to be fully informed of websites’ privacy practices.

Some other principles proposed in the letter include:

  1. Websites cannot help themselves to data from users’ computers and should respect users’ choices to delete cookies by not continuing to set new cookies each time a user visits the site.
  2. Websites shouldn’t bury important information in long, confusing privacy policies.
  3. If a website puts software on a user’s computer that the user does not want, the user should be able to delete the software. 

The letter also proposed steps the government should take to ensure these principles are followed:

  1. Create a Do Not Track List similar to the Do-Not-Call Registry. To do this, sites that conduct behavioral tracking must submit their domain names to the FTC, the FTC must educate the public about the Do Not Track List and make it possible to sign up on its website, and browsers must make it possible to use and update the List and prevent websites from tracking users in accordance with the preferences that they have expressed on the List.
  2. Require companies that conduct behavioral tracking to provide users with access to the data held about them.
  3. Make it possible for the FTC to easily check up on companies to make sure they are complying with all regulations.
  4. Establish a national Online Consumer Protection Advisory Committee made up of state Attorneys General and representatives from various privacy and consumer organizations to investigate new methods of tracking and develop new laws as necessary to make sure privacy rights are protected. 

Source: 

Consumer Rights and Protections in the Behavioral Advertising Sector. <http://www.worldprivacyforum.org/pdf/ConsumerProtections_FTC_ConsensusDoc_Final_s.pdf>.
