Privacy In D.C. Spotlight

What Operators, Networks and Advertisers Should Expect

WASHINGTON — As TV and data go everywhere online, and old media companies remake themselves in search of new revenue streams, identifying and targeting audiences online and on the move has become a given — and a potential gold mine.

Annual digital marketing budgets represented 2.5% of the typical U.S. company’s total revenue in 2012, according to research and advisory firm Gartner’s 2013 Digital Marketing Report. Among media firms, that percentage was the highest, at 3.9%, Gartner said.

Spending on digital advertising surpassed the $100 billion mark in 2012, according to, and will grow by more than 15% to just under $120 billion this year. Such marketing is often driven by online profiling and tracking, or using information collected about individual consumers over the Internet — with or without their knowledge — to target ads and information to those users.


“Everyone is collecting and using more consumer data, regardless of what device you’re using,” said Jeff Chester, executive director of the Center for Digital Democracy, which focuses on online privacy and media marketing issues. “The television industry’s stakes are high because that [data collection] will give them the revenue they need to compete with the Googles of the world. This is an issue that is going to draw the involvement of the media industry writ large.”

And the privacy and protection issues are larger still. From do-not- track proposals that limit the collection of online data, to rules as to how the government can access emails and YouTube videos stored in the cloud, regulations on machine-to-machine communications, there are a dizzying array of privacy and security questions that go along with the inexorable transition to broadband audio, video, email and the “Internet of things.”

The resulting strains have left Washington scrambling to determine how to protect its constituencies from invasions of privacy while not undermining the emerging digital economy — and the Obama administration has been leading that charge. Despite that sense of urgency, though, politics has been holding matters hostage, to some degree.

The ascendancy of privacy as policy is thanks to a combination of factors, including President Obama’s executive order mandating industry cybersecurity best practices with privacy protections baked in.

The best chance to spur near-term government action on data collection for targeted advertising could come from the Federal Trade Commission’s quiet move to have its Privacy and Information Protection division enforce rules regarding advertising to kids. New chairwoman Edith Ramirez has sounded a call for progressive action on that front.


Despite the obvious and immediate threat from nation states, hacktivists and organized and unorganized crime, cybersecurity legislation in this Congress remains a tough sell.

Cable operators are again backing a Republican bill, the Cyber Intelligence and Sharing Protection Act, reintroduced two weeks ago by Rep. Mike Rogers (R-Mich.), chairman of the House Permanent Select Committee on Intelligence.

Rogers’ bill is identical to a measure that passed the Republican-controlled House last April 248-168, in essentially a party-line vote. But the administration has suggested that a bill focused on information-sharing misses the mark.

Tired of waiting for Congress to agree on something — anything — Obama last fall issued an executive order that mandated a voluntary framework for cyber security best practices. That had been a non-negotiable part of the Democratic-based cybersecurity bill in the last Congress.

The administration said it was limited in the executive order to the voluntary framework and to making it easier for government to share information with industry. Legislation is required to set the parameters for sharing industry information with government or among companies, and to establish the liability protections for that information round robin.

But such legislation requires Congress to agree. In the meantime, it will take at least a year to implement the voluntary framework — an eternity in Internet time. That’s perhaps why industry players failed to raise a big stink over the order.

Obama administration officials have been mounting something of a charm offensive over the last few weeks, repeating that the cybersecurity framework will be industry-driven.


A more pressing issue for a media industry increasingly in the online marketing business could be privacy enforcement by the FTC under new chairwoman Ramirez.

According to one online privacy attorney speaking on background, behavioral advertisers should be on notice about the FTC’s decision to shift enforcement of the Children’s Online Privacy Protection Act, which restricts online tracking of and marketing to kids under 13, from the Advertising Practices division to the Privacy and Identity Protection (PIP) division, a move launched under former chairman Jon Leibowitz.

“The idea is to centralize the privacy programs under one roof, so that the COPPA side can take advantage of the expertise that the privacy division already has,” an FTC source told Multichannel News.

The FTC recently issued updates to its enforcement that strengthen the protections, including bringing geolocation, cookies (plug-ins) and behavioral targeting explicitly within the rules. The move makes sense, given that PIP was not around when COPPA was first adopted in 1996.

But to many, the move also makes sense from a political standpoint. “The FTC has been publishing a lot of statements, and policies and staff reports in the privacy area,” the attorney points out. The FTC’s rulemaking authority is limited, so it regulates primarily by suing over false or deceptive advertising claims and providing warnings to industry through those reports and guidelines.

“It has been communicating a policy direction for a long time,” the attorney continued. “Every nine months, they come out with a policy statement saying the industry is still not doing a good job of doing this, as if there is a standard out there that the industry is not meeting.”

The FTC’s biggest changes to COPPA were to definitions. So, if suddenly a persistent identifier is personal information — not “could be” but “is” — that is a big change.

And there is pressure from Congress — primarily from Democrats — and the White House for broader personal ID protections for adults as well as kids. In a speech last fall. Ramirez called for enactment of general privacy legislation for everyone, regardless of age.

While the standards for marketing to kids have not so far been applied to adults, the move of COPPA enforcement to a new division could move the needle. Targeted behavioral marketing, based on how people behave on websites, is currently a violation of the COPPA rule. But if you put COPPA enforcement in the same space as general privacy enforcement, there could be some mission creep.

“[I]t helps to have the COPPA rule right there,” the attorney said. “Because it’s like, ‘If that’s so bad for children under 13, why should it be OK for people who are 15?’ ”

Chester agreed that the move matters. One factor that could mitigate the threat to online advertisers is the administration’s laser-like focus on a “broadband everywhere” strategy that relies on a healthy Internet model. Boosting online protection for kids has been one of the FTC’s focuses. But as with other online issues — like the cybersecurity framework — the Obama administration has emphasized voluntary guidelines, not government dictats. Too much so for some online activists’ liking.


While Democrats are more pro-regulation as a rule, online privacy is one Internet-related issue that could dampen that inherent drive. That’s because the administration’s focus on broadband deployment and adoption reflects a desire to tread more lightly in the online business space for fear of discouraging investment or the ad-supported model that the root of all free online content.

“I think the administration has a lot of good rhetoric, but at the end of the day, it would prefer to look the other way and let companies it favors expands their practices,” the Center for Digital Democracy’s Chester said.

But there could be new vigor in online privacy enforcement with Ramirez, at least in Chester’s view. “Under her leadership, we expect the FTC to blaze new ground on privacy.”

At a Capitol Hill hearing on communications privacy — one of several over the past few weeks to touch on the subject — Rep. Jim Sensenbrenner (R-Wis.) summed up the challenge. “Americans should not have to choose between privacy and the Internet,” he said.


As media firms look to boost their online revenue, Washington, D.C., is putting online marketing practices in the crosshairs.

She’ll Be Watching

WASHINGTON — Earlier this month, Edith Ramirez succeeded Jon Leibowitz as chairwoman of the Federal Trade Commission. She backs the FTC’s voluntary privacy-by-design framework of embedding privacy and security in products from the outset, collecting only the information needed for a specific business purpose, disposing of it afterwards, protecting it beforehand and having institutional processes and procedures to ensure all of the above.

But Ramirez also said that regime should not be reduced to “hiring a chief privacy officer, mandating employees to watch a privacy training video or to fill out a checklist or inserting a privacy policy into an app.”

In a speech last June, when she was still a commissioner, she sounded a warning for non-volunteers. “Many companies face intense pressure to maximize profits from the use of consumer data, and some believe that giving consumers choices about their data will limit that profit potential. In my view, that is a short-sighted approach that ignores the benefit of using privacy as a selling point. But it is a view that many hold, and one that privacy authorities cannot ignore.”

— John Eggerton

Privacy Guide

WASHINGTON — With or without a scorecard, it’s is tough to keep up with all the online privacy and security issues bouncing around inside the Beltway from do not track (online marketing) to do not attack (cybersecurity). A guide to key privacy regulatory efforts:

Going for Brokers: One possible target of government action are data brokers, the third parties that buy and sell online data. The Federal Trade Commission is collecting its own huge amounts of data on nine brokers, having subpoenaed information from Acxiom, Corelogic, Datalogix, eBureau, ID Analytics, Intelius, Peekyou, Rapleaf and Recorded Future. The FTC has called on brokers to improve transparency about what data they are collecting and why.

Separately, Sen. Jay Rockefeller (D-W.Va.) has asked for information from his own list of brokers and is awaiting a Government Accountability Office report on the industry. Also seeking data from brokers were Reps. Ed Markey (D-Mass.) and Joe Barton (R-Texas), co-chairmen of the Congressional Privacy Caucus. Center for Digital Democracy executive director Jeff Chester said he thinks restrictions on data brokers might be the best chance for some kind of privacy legislation.

Foreign Affairs: The European Union is preparing to enact a new online privacy law — a worry for both U.S. companies doing business in Europe and the Obama administration, both of which are concerned about the impact of tough privacy laws on trade policy.

To get in front of the issue, law firm Hogan Lovells last week launched a new Coalition for Privacy and Free Trade. The goal is to keep disparate privacy and data-protection laws from becoming non-tariff trade barriers as the U.S. prepares to negotiate a new Transatlantic Free Trade Agreement.

In a blog post earlier this month, Google global privacy counsel Peter Fleischer, speaking for himself, cautioned that the U.S. needed a simpler privacy protection narrative to counter suggestions by some EU regulators that the U.S. has no privacy policy. In fact he suggested, the dense “patchwork” of state and federal privacy and consumer-protection laws, patrolled by class-action lawyers, makes for “a robust legal framework to protect privacy.”

The Cop on the Net Beat: The issue of what level of access law enforcement should get to stored electronic communications — such as email messages, texts and YouTube videos stored in the cloud — heated up big-time last week.

There are efforts in both the House and Senate to update the Electronic Communications Privacy Act (ECPA). ECPA is the law that details the protections from illegal search and seizure of user data stored by service providers.

A Senate bill was introduced last week that would update those protections for a digital age undreamed of when the bill was passed in 1986, or for technologies newer than its last update in 2001. There was also a House Judiciary Committee hearing at which the issue was declared a priority for that committee.

The American Civil Liberties Union last week got together with Grover Norquist’s Americans for Tax Reform and the Center for Democracy and Technology to form a new group pushing for an update to ECPA to make sure protections from government overreach apply online as well as off.

The groups are concerned about government access to information stored in the cloud, or about the tracking of cellphone locations over time. Government officials have argued before Congress that access to geolocation information can be an important law-enforcement tool.

Bill of Rights: The White House continues to work on legislation to backstop its proposed privacy bill of rights. And elsewhere on the rights front, The National Telecommunications & Information Administration has been heading up an effort by stakeholders to come up with voluntary guidelines for mobile app privacy, one of the priority items in the Bill of Rights. In the meantime, the FTC last fall published a guide to help developers comply with current truth in advertising requirements and “basic privacy principles.”

The Internet of Things: In a blog post last week titled “Privacy in an Age of Connected Washers, Televisions and Refrigerators,” Broadband for America (a group including the National Cable & Telecommunications Association) suggested that the rise of machine-to-machine connections (M2M) — for instance, TV sets to laptops to gaming consoles, smart appliances to the grid or RFID tags in clothing — raise their own new set of privacy issues.

“It’s one thing for the electric grid to determine that your house is heated (or cooled) to 75 degrees during the day when no one is home,” said the group. “It is something else again for the grid to record that information and either automatically adjust the temperature or report your personal information to another device or individual. These are privacy concerns that impact all parts of the Internet ecosystem.”

— John Eggerton

The ‘Lyon’ on Privacy Hot Spots

WASHINGTON — Susan Lyon is co-chair of the privacy practice group of law firm Cooley LLP and advises communications, advertising and Internet companies on privacy and data-security issues. She is former in-house privacy counsel to Microsoft.

She shared with Multichannel News her thoughts on the some of the privacy hot spots in D.C.

Cloud technology: Discussions regarding cloud privacy and security will continue to amplify as the discussion shifts from data in the cloud to “big data” in the cloud. Companies are realizing the benefits to consumers, the public, and business of combining and compiling data for analysis. With this trend to bigger data will come bigger privacy and security concerns.

Mobile: The Federal Trade Commission has stated recently that is it actively investigating numerous mobile companies for alleged privacy and security violations. Accordingly, we should expect to see even more announcements of settlements around mobile activities this year. With those settlements will come further guidance about what mobile activities the FTC considers to be unfair practices under Section 5 of the FTC Act.

Cross-border data transfers: U.S. companies are closely eyeing developments around proposed new European Union privacy regulations. These regulations, in part, could expand jurisdiction of EU regulators over more U.S. e-commerce companies having no EU-based servers or offices.

Children’s privacy: Amendments to the children’s online privacy rules go in to effect July 1. Among other things, these amendments will potentially increase risk to mobile game developers and publishers and other apps that direct activities to kids under 13 or that knowingly collect info from kids under 13. The amended rules also extend the Children’s Online Privacy Protection Act to certain third-party plug-ins and partners that integrate information-collecting features into these games and apps.