FTC principles for behavioral advertising: OK solution to wrong problem

FTC should have addressed underlying issue of personal information on the Web

The Federal Trade Commission (FTC) recently published a somewhat tweaked set of self-regulation guidelines for companies collecting information on the actions of Internet users for the purpose of providing advertising to those users. I expect the FTC does not feel it has the authority to make any binding rules without Congressional action. But, even agreeing with that limitation, these principles are underwhelming and, as demonstrated by Google, are quite limited in usefulness even where companies claim to meet them.

The four FTC principles are at the end of a staff report titled "Self-Regulatory Principles For Online Behavioral Advertising." They basically try to encourage good behavior on the part of companies engaged in behavioral advertising. The principles are:

1. Transparency and customer control - Web sites collecting data to be used in behavioral advertising should tell users that they are collecting and enable a user to opt-out.

2. Reasonable security, and limited data retention for customer data - anyone collecting such data should provide reasonable security for it and only retain the data as long as needed to meet the business need.

3. Affirmative express consent for material changes to existing privacy promises - new privacy policy should not control use of data collected under previous privacy policy without user opt-in.

4. Affirmative express consent to use sensitive data for behavioral advertising - should not use sensitive data (like Social Security numbers) without user opt-in.

These principles are OK, but have no teeth: they are voluntary and there is little if any real penalty if a company decides to ignore them. The FTC might ask the companies pretty please to stop, but that's about it.

My biggest problem with the new FTC principles is that they represent yet another point solution to a symptom rather than anything addressing the underlying cause.

Why should principles such as these be limited to the specific case of behavioral advertising? Why shouldn't we have principles that apply to any and all information about me that someone else gets a hold of in any way?

The FTC principles also have generally been diluted in favor of the advertising industry rather than being shaped primarily by your or my best interests. I note that the FTC staff lists industry representatives first when identifying who they talked to. The principles are not all one-sided -- they do include some things that the industry objected to, but not all that many.

Google has expressed support for the FTC's action, but this may be a very good example of what is lacking in these principles. As I mentioned in last week's column, Google is less than forthcoming when addressing the transparency requirement. I have not been able to figure out just what they collect about me and my actions with their various tools (including the basic search engine, Google Analytics, Google Earth and Google Latitude).

After last week's column I was contacted by someone from Google to say that my fears about Latitude were overblown because they only keep a single location, the last one received, for people who have enabled location sharing via Latitude. That is good news. When I asked where on the Google Web page the company says that, the response was that it was towards the end of a video posed to YouTube. This is a perfect example of what is wrong with the FTC principles -- Google cannot even get it together enough to put good privacy news on its Web page in a way that the user can find and understand it.

Disclaimer: Understanding underlying principles is a goal of any good educational intuition, but I know of no Harvard view on this example, so the above is my principled review.

Copyright © 2009 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022