Privacy Hedges

Despite Consumer Concerns, New Laws Guarding Personal Data Face Long Odds

WASHINGTON — As many Americans now know, the National Security Agency has access to data that allows analysts to track the keystrokes Internet users make while composing emails or surfing the Web.

Last month, five men were indicted for hacking into various firms — and stealing more than 160 million creditcard numbers. Google, one of the most powerful Internet companies in existence, has photographed every neighborhood in the world and continues to put more information online. And websites already know the names, faces, addresses and search histories of users.

It’s safe to say that American consumers’ privacy is threatened as never before. Many people are getting worried, and with good reason. The concerned parties include President Obama — who has pushed for a digital privacy bill of rights — as well as members of Congress.

The resolution of these thorny issues could have profound implications for cable operators and programmers, which are also broadband providers and online publishers.

The less secure consumers feel about their data, the more likely they are to opt out of targeted advertising or website cookies on their computers and mobile devices, according to a recent survey by ad-agency giant Omnicom Group. And 51% of teenage users have avoided apps due to privacy concerns, according to a just-released survey from the Pew Research Center’s Internet & American Life Project.

But in Washington, recognizing the problem and fixing it are two different things. There are, of course, traditional political divides — always a high hurdle — but especially now, they are more like fractures. There is bipartisan agreement that both privacy and Internet commerce are important, but no consensus on how to balance those interests.

Moreover, the issue of privacy is complicated by the speed, power and complexity of a technology that is redefining ubiquity. The American consumer wants the ability to watch or order anything online in an instant, yet still expects a baseline of privacy with every keystroke. Few in the administration or Congress, though, want to be responsible for damaging the nation’s broadband engine and hurting the targeted advertising model that supports all that free online content.


President Obama has pushed for voluntary privacy codes of conduct, but needs industry buy-in. Internet-service providers, advertisers, online publishers and app developers are coming to the table, but would understandably prefer self-regulation without a government minder. Congress, though, is unlikely to agree on putting legislative muscle behind the administration’s bill of rights.

With its call for legislation to undergird its privacy bill of rights going unheeded to date, the Obama Administration has charged the National Telecommunications and Information Administration, an arm of the Commerce Department, and the Federal Trade Commission, charged with enforcing privacy guidelines, with getting industry and the public-interest community on the same Web page when it comes to voluntary standards.

Industry players — including cable ISPs and content companies with websites and apps — are looking to avoid legislation mandating the privacy bill of rights. Government mandates would discourage innovation in the online and app space and are unlikely to be as responsive to a marketplace that morphs at the speed of light, they have argued.

“I think they do see the utility in the effectiveness of our [self-regulatory] programs,” Stuart Ingis, an attorney with Venable LLP who represents the Digital Advertising Alliance and the Digital Marketing Association, said.

But consumer activists and privacy watchdog groups see self-regulation as a bid to justify continuing the lucrative business of collecting, selling and otherwise sharing information to create online profiles.

“In buying the industry’s argument that regulation would hurt the digital economy, the administration is missing the fact that by setting public-policy parameters regarding privacy, it would actually foster more confidence in e-commerce,” Consumer Federation of America director of consumer protection Susan Grant said.

The administration may be accommodating the “voluntary” vocabulary of industry, but it continues to assert that Congress needs to provide a legislative backstop. While industry players see voluntary codes of conduct as an alternative to new laws, the White House has made it clear it still wants Congress to put some teeth into the privacy bill of rights. The administration’s efforts to flesh out its voluntary privacy bill of rights are mixed at best. The Obama Administration delineates those rights as: “Individual Control; Transparency; Respect for Context (data used consistent with context in which consumers provided it); Security; Access and Accuracy; Focused Collection (reasonable limits); and Accountability (appropriate safeguards for data collection).”

But getting Congress to pass any legislation — much less a bill that mandates data-privacy protections — at the moment is a challenge.

Meanwhile, the FTC has limited tools to work with. Primarily, it can pursue privacy-policy violators as unfair or deceptive, but only if they have first agreed to such a policy. Outliers who don’t sign on to voluntary codes aren’t technically violating them. Welcome to Washington. The FTC has updated its enforcement of children’s online protections. And legislators continue to use their bully pulpit to call for more transparency in behavioral targeting and online data collection, including meaningful choice over online tracking.


The difficulties in coming up with a consensus are best illustrated by the recent NTIA-mentored multi-stakeholder process, which produced a voluntary draft of a mobile app “transparency code of conduct” and will be used as a template for other privacy codes of conduct.

Over multiple meetings there were walkouts, arguments over how votes were taken, then complaints from both sides about the results — there was even grumbling over meeting times and schedules.

The Consumer Federation of America abstained from the vote, as did the Center for Digital Democracy, which said the process and the result were flawed. One member of the testing subcommittee said it could never agree on how to conduct tests of language to notify app users of data collection, so the tests were never conducted.

The CDD was planning last week to issue a report criticizing the process.

Industry wasn’t satisfied either. “NTIA called time when the game wasn’t yet over,” the DAA/DMA’s Ingis said. “You had a scenario where there really wasn’t the consensus that self-regulation achieves whererby all parties agree. Few of the parties that would have to actually implement the process said [the guidelines] were yet completed.”

“A diverse group of stakeholders embraced the process, including leading consumer groups and key representatives of app developers,” an NTIA spokesman said. “The process involved true give and take, and stakeholders came together to find common ground on important issues. The vast majority of stakeholders agree that it is time to put down the drafting pen and start reviewing, testing and implementing a code of conduct. We believe this process will result in enhanced short-form privacy disclosures that will benefit consumers. While we support the multi-stakeholder process … the administration also continues to support a baseline privacy law.”

Still, the agency is planning to hold a “lessons learned” meeting this week (Aug. 29) to improve the process as it prepares to tackle issues like facial recognition software and location-based information collection.

“NTIA expects that the group will discuss a number of logistical and procedural issues, including but not limited to: how future processes might be structured to reach consensus most efficiently; how future processes might make stakeholder participation easier and more effective; and how future processes might start with one or more sessions that provide factual background on a given topic,” director of privacy initiatives John Verdi said in an email message about the meeting.

Barring a broad bill of rights or some sweeping privacy legislation, specific regulatory fixes are more likely. For instance, the FTC last fall issued guidelines for the type of facial-recognition software that could be used in a set-top box to determine the age and gender of audience members, then deliver targeted ads. Users would be required to inform viewers or Web surfers that their face was becoming familiar.

A bill was introduced in June that would essentially turn those guidelines into mandates.

Pam Dixon, executive director of public-interest research group the World Privacy Forum, said her best sources put the possibility of Hill action at “slim.” Any legislation would likely to be something targeted at, for instance, data brokers, as the U.S. Government Accountability Office and the FTC both have ongoing investigations.

“There could be some limited reforms related to what I call the ‘post- Snowden’ fallout,” said Dixon, referring to former National Security Agency contractor Edward Snowden, who leaked info about government data collection, including online tracking.

Ingis of the DAA and DMA said he sees neither the need nor the political will for legislating a privacy bill of rights. “I think the problem with a privacy bill of rights is it is a grand theory that doesn’t translate into specifics that would be required in legislation,” he said.


Making consumers feel more secure about their online information is definitely in the interest of both websites and advertisers.

According to Omnicom Group’s consumer-privacy study, users are becoming “increasingly aware and savvy about managing their online privacy”— driven recently by the revelations that the NSA was tracking online as well as phone communications — and that can translate into opting out of targeted ads. Still, nearly half of the respondents to that survey said they don’t know enough about how their information is used.

Google’s free Gmail service, for instance, has 400 million users, all of whom had to agree to allow search-based targeted marketing as the price for the service’s functions and storage capacity.

Digital advertisers agree that consumer confidence is important, arguing that’s what their own self-regulatory systems provide.

“The tenets of consumer privacy and control are critical to the growth and expansion of the entire interactive advertising ecosystem, whether on large or small screens,” Interactive Advertising Bureau president Randall Rothenberg said last month of the industry’s mobile-app privacy guidelines, which the trade group issued in advance of the NTIA-brokered guides on app transparency.

The multi-stakeholder process — in the form of industry self-regulation and the administration-mentored meetings — can be helpful, particularly when government action is the alternative, Rothenberg said.

“The idea of getting together on something that is not a negotiation toward a piece legislation or regulation but is more aimed at gaining mutual understanding, that has been pretty valuable,” he said.

The problem, according to Rothenberg, is that most people are looking for a single outcome, presumed to be some form of regulation or legislation.

“That’s not always the best outcome,” he said.


Neither politicians nor industry players have come to a consensus on how to protect consumer data online without clamping down on Internet commerce.


WASHINGTON — A second-quarter research study by Omnicom Group, intended to look at consumer attitudes toward online privacy, was extended into July and refocused on responses to revelations about National Security Agency’s PRISM program for tracking online behavior.

Among the findings of the ad giant’s study: The number of people concerned or very concerned about online privacy increased from 20% in June to 57% in July, after the NSA story broke.

Some other findings, by the numbers:

• 38% of respondents to the July poll said they adjusted their browser settings, vs. just 22% in a similar first-quarter poll;

• 23% of people in the Q2 poll said they had opted out of mobile tracking;

• 48% of people in the Q2 poll said they don’t know enough about how their information is collected and used;

• 61% of respondents in Q2 poll said they feel they have no control over how their personal data are used.

— John Eggerton