Marissa's Internet Law Blog

If I were a member of the FTC I wouldn’t necessarily block the Google-DoubleClick merger, but I would set restrictions to protect consumers’ privacy. In a perfect world, with laws like the ones I talked about two posts back, mergers would not present the privacy concerns that they do now, because people would have the freedom to opt out of having any personally-identifiable data collected by the new company and would be able to see and request deletion of any data that the company already has.

 However, with the lack of legal privacy protections that exist in today’s world, the Google-DoubleClick deal would result in one entity controlling an unacceptably large amount of information about individual users’ online activities. If I were a member of the FTC I would recommend that Google-DoubleClick implement a tool similar to the AskEraser, allowing users to opt out of having uniquely-identified data collected about them. DoubleClick’s opt-out cookies are a start, but I would be surprised if many people knew about them. I bet most people who see DoubleClick ads online are unaware that the ads are even coming from DoubleClick, and even fewer bother to visit DoubleClick’s home page, the only place from which the opt-out service is available.

I would require Google-DoubleClick to have an easy-to-find opt-out mechanism, accessible via a link on Google’s home page. Opting out would mean that Google-DoubleClick could collect aggregated data about the user, but could not use unique cookie IDs or IP addresses. The opt-out policy would apply to Google’s search engine and other services, as well as to third-party sites that serve ads from DoubleClick.

Additionally, I would require Google-DoubleClick to allow users to review the data that the company has amassed about them and to request deletion of all unique identifiers, including IP addresses and cookie IDs, from the data.

To all readers: I hope you have enjoyed reading my blog. The project is due tomorrow, so this is my last official post, but I will try to update once in a while with new developments in the Google-DoubleClick deal as well as any important Internet-privacy-related news.

I found an interesting Pew/Internet survey that I thought was worth mentioning. According to the survey, people are concerned about their privacy online. Although most respondents did not know what cookies are, 24% of those who did configured their browsers not to accept them, even though doing so can make it impossible to use websites that require users to sign in.

45% of the people surveyed had never voluntarliy given their name or other personal information in order to use a website, and 61% of those people would not be willing to do so. 24% of the respondents had created fake personal information when asked to register at a site.

 When asked how they felt about websites tracking the pages they visit, 27% of respondents said it would be “helpful, because the company can provide you with information that matches your interests,” while 54% said it would be “harmful, because it invades your privacy.” 63% thought that websites should not be allowed to track their visitors’ activities, and 79% said that Internet companies should ask for permission before using personal information. Finally 62% of the respondents thought that web users should have the most say over how Internet companies track people’s online activities and use personal information, while only 6% thought companies should have the most say.

In my last couple of posts, I will explain what laws I think should be implemented in order to protect privacy. The debate over Internet privacy can basically be thought of as a tension between two interests:

1. Companies’ interest in amassing as much data on people as possible so that they can better target advertisements and therefore make more money on the advertisements, and
2. Consumers’ interest in being able to choose who gets information about them 

Right now the law leans too far in favor of interest 1. Attempts at self-regulation have not remedied this imbalance. The principles proposed by the FTC in December (see my earlier post) are a great idea, and the industry should be given a chance to comply with them through self-regulation. However, if most of the major commercial websites and advertising companies have not adopted them after a specified amount of time, the FTC needs to step in and create laws that protect consumers’ privacy. In order to strike a fair balance between the interests of companies and consumers, the new laws should accomplish the following goals:

1. Consumers should be made aware of what data is being collected. There should be a national law that is similar to (and maybe stricter than) the California Online Privacy Protection Act. Any site that automatically tracks users’ IP addresses, gives them uniquely numbered cookies, or in any way creates a record of an individual user’s online behavior, should have a privacy policy that is easy to find and understand. The privacy policy should tell users what data is collected, how the data is used, when (if ever) it will be deleted, under what conditions the data will be shared with third parties, and what will happen if the privacy policy changes. A link to the privacy policy should be located on the website’s home page. The privacy policy should be concise enough that the average person would read it, and it should be easy to find the important information listed above.
2. Companies, consumers, and the government should agree on the meanings of commonly-used terms so that there is no confusion over what companies’ privacy policies actually mean. The FTC should consider adopting the definitions proposed by the World Privacy Forum and other organizations (1).
3. Consumers must be able to opt out of any type of behavioral tracking. The easiest way to do this would be to create a national Do Not Track List, like the one that the World Privacy Forum proposed (1). The FTC should create a website where consumers can sign up for the List and should publicize the list so that the public is generally aware of it. The List should be free of charge and should give consumers the ability to choose which sites can track them and which can’t. It would also be a good idea to have an option that lets consumers opt out of tracking by all websites with a single click. In order for the list to work, all companies that conduct behavioral tracking should be required to submit their URLs to the list, and browsers should be required to adopt technology that stops sites from tracking people in accordance with the List.
4. Consumers should be able to see, edit, and delete any PII that a company has collected about them. If someone has not opted out of tracking but later decides to opt out, that person should be able to delete any embarrassing information that has been collected. Additionally, it is important that people be able to correct any inaccuracies that may be present in data collected about them.
5. Sensitive information should only be collected on an opt-in basis. I don’t think it’s necessary to ban the collection of such data, because different people may have different ideas of what information is sensitive. Some people may not mind if companies know how much money they make, since that would help ads to be more relevant, but other people may want to keep that information private. However, sensitive information (according to the World Privacy Forum’s definition) should only be collected if users choose to have it collected. Not collecting this information should be the default action.
6. Privacy laws should be strictly enforced. It should be easy for people to report violations of their privacy rights, perhaps through a website that the FTC sets up. Offending companies should be fined significant amounts of money so that they have a strong incentive to obey the law.
7. The FTC should keep privacy regulations up to date, as new tracking technology is constantly being developed. A body such as the proposed Online Consumer Protection Advisory Committee (1) should be created to report on new developments, and the FTC should pass new laws to protect privacy if the need develops.  

These proposed laws would still permit consumers to reap the benefits of customized web content and more relevant ads if they choose to be tracked. Companies could still benefit financially from behavioral targeting of the consumers who don’t opt out, and they could collect aggregated data from all users, which should still enable them to conduct research that improves their sites.

Source:

1. Consumer Rights and Protections in the Behavioral Advertising Sector. World Privacy Forum. 7 Jan. 2008 <http://www.worldprivacyforum.org/pdf/ConsumerProtections_FTC_ConsensusDoc_Final_s.pdf>.