Voluntary “privacy policies,” but it is a deceptive trade practice not to follow them.
Endorsement guidelines apply to sponsored posts/blogs, but carry no statutory penalties.
Do Not Track legislation died in 2007.
Leibowitz June ’10 Senate Commerce testimony: "To this end, one idea we may explore in the context of behavioral advertising is a do-not-track mechanism that's more comprehensive and easier to use than the procedures currently available. Under such a mechanism, users could opt out of behavioral advertising more easily rather than having to make choices on website-by-website basis." But he acknowledged, with some disappointment, that the FTC is limited in the extent to which it can exercise oversight authority over the online advertising industry.
Staff behavioral advertising report recommended: 1. Transparency and consumer control; 2. Reasonable security/limited data retention; 3. Affirmative opt-in for material changes to privacy promises; and 4. Affirmative opt-in for “sensitive data” (medical, children, etc.).
The Electronic Communications Privacy Act limits the disclosure of certain online communications, but the privacy protections may not apply to data collected from website visitors via cookies and other similar methods. See In re DoubleClick, Inc. Privacy Litigation, 154 F. Supp.2d 497 (S.D.N.Y. 2001).
FTC rulemaking grant in financial reform bill stripped at advertisers’ insistence.
CDD: Recent developments in online profiling and behavioral targeting—including the instantaneous sale and trading of individual users, which increasingly involve the compilation and use of greater amounts of personal data—have all contributed to what is now standard practice online. A vast ecosystem of online advertising and data auctions and exchanges, demand- and supply-side platforms, and the increasing use of third-party data providers that bring offline information to Internet profiling and targeting, operates without the awareness or consent of users.
In 2009-10 three states -- Connecticut, Massachusetts and New York -- introduced bills to regulate behavioral ads, none of which passed.
United States
FTC rules the domain, without rules
Website privacy policies
Endorsement guidelines
Feb. ‘07/09 Staff Reports re behavioral advertising
“Do Not Track” list
House Bi-Partisan Privacy Caucus inquiry (Markey, Barton)
Privacy legislation—BEST PRACTICES Act (H.R. 5777)

Legal Issues
CFAA, ECPA/SCA
Invasion of Privacy Act (Cal. Penal Code § 631)
FTC COPPA review (“sensitive” and children’s data)
Antitrust (Google/AdMob, etc.)
Spyware and DPI, e.g., Valentine v. NebuAd, No. CV-08-5113 (N.D. Calif.).

Battlegrounds
IAB self-regulation, CDD complaint
Dueling House bills (Reps. Boucher/Stearns v. Rush)
Wall Street Journal expose 4 Aug. 2010
On the Web's Cutting Edge, Anonymity in Name Only
DoC Internet Policy Task Force (NOI)
State legislation/preemption, e.g., 2009 New York S.B. 616

Europe
New EU Directive passed Nov 2009
Article 29 WP Opinion June 2010
Opt out not enough
Must be informed consent
‘simple and effective mechanisms’
No behavioural ads to children

UK existing law
Data Protection Act 1998
Privacy and Electronic Communications (EC Directive) Regulations 2003
Consumer Protection from Unfair Trading Regulations 2008

OFT
Market Study published in May
Close working with IAB
Clear notices and opt-in
ICO prosecutions
Use of fair trading laws

ICO Consultation
New Code of Practice July 2010
Special effort on ‘behind the scenes’ processing e.g. airline pricing
‘simple means of disabling’
Recognition of the role of browser

Resources
Computer Weekly – www.tinyurl.com/jpa012
Webcasts – www.tinyurl.com/jpa007
ICO Code of Practice – www.tinyurl.com/jpa020
OFT – www.tinyurl.com/jpa019