Google, Microsoft Call for Privacy Legislation

Both the U.S. Senate and the House of Representatives held hearings in July on privacy issues related to Internet advertising that is tailored to users’ interests and online activities—so-called behavioral advertising.

Witnesses testifying before Congress sent conflicting messages that challenge the conventional wisdom that companies seek to avoid regulation at all cost. While a senior official for the Federal Trade Commission urged lawmakers to allow the self-regulatory process to address the concerns identified—executives from several major companies called for new legislation.

“Google supports the passage of a comprehensive federal privacy law that would accomplish several goals such as building consumer trust and protections,” said Google Senior Privacy Counsel Jane Horvath in a statement summarizing her testimony at a July 9 hearing before the Senate Committee on Commerce, Science, and Transportation.

The concerns of Google and others seem to be primarily twofold: that the absence of a federal blueprint will create a vacuum in which states will act on their own, and the fear that unscrupulous parties will damage the credibility of the online advertising community. Further, companies that operate internationally already are subject to the auspices of European Union privacy and data protection directives.

Federal privacy law, Horvath stated, should be aimed at “establishing a uniform framework for privacy, which would create consistent levels of privacy from one jurisdiction to another; and putting penalties in place to dissuade bad actors.”

Similarly, Microsoft Corporation’s Associate General Counsel Michael D. Hintze warned in testimony submitted at the same hearing that the domination of the online community by a few major players could tempt some companies to dilute their privacy practices to increase profits.

“This could bring about a ‘race to the bottom’ on privacy as other companies weaken their privacy practices in an effort to catch up to the market leader,” he stated.

Microsoft, too, called for federal legislation. “In addition to supporting self-regulatory efforts, we have long advocated for legislation as a component of effective privacy protections,” Hintze stated. “We were one of the first companies to actively call for comprehensive federal privacy legislation.”

FTC Efforts Underway

In contrast to the statements by Microsoft and Google, the FTC’s Director of the Bureau of Consumer Protection, Lydia Parnes, told the Senate committee that “the Commission is cautiously optimistic that the privacy concerns raised by behavioral advertising can be addressed effectively by industry self-regulation.”

Parnes pointed to the FTC’s proposed principles on behavioral advertising, released in December 2007, which establish certain guidelines the agency recommends the online advertising industry follow in developing a self-regulatory framework.

“The proposed Principles address the central concerns about online behavioral advertising expressed by interested parties; they also build upon existing ‘best practices’ in the area of privacy, as well as (in some cases) previous FTC guidance and/or law enforcement actions,” Parnes stated in prepared comments.

“At the same time, the Principles reflect FTC staff’s recognition of the potential benefits provided by online behavioral advertising and the need to maintain vigorous competition in this area.”

Despite the differences in recommended approaches, those testifying agreed on one point: the online marketing industry has coalesced behind three major components viewed as necessary for the establishment of effective online privacy policies and practices:

• Transparency – companies should disclose their information-gathering policies
• Choice – companies should allow consumers some amount of control over the information that is gathered
• Security – companies should take measures to protect consumer information

Naturally, the devil is in the details, and companies and advocates disagree over whether consumers should have to opt-out of information-gathering techniques or whether they should opt-in, and under what circumstances. Another issue of contention is whether certain types of information, such as information regarding children’s online browsing habits, health care and finances should be off-limits to tracking for behavioral advertising purposes.

House Hearing

At a similar hearing held July 17 before the House Committee on Energy and Commerce Subcommittee on Telecommunications and the Internet, a provider of behavioral advertising technology testified that his company has taken significant steps to protect consumers’ privacy.

NebuAd, Inc. “uses a select set of a user’s Internet activities to construct anonymous inferences about likely interests, which are then used to select and serve the most relevant advertisements,” explained CEO Bob Dykes in a statement submitted at the hearing. Dykes emphasized, however, that “NebuAd’s service is designed so that no one – not even the government – can determine the identity of our users.”

He noted that in contrast to the European Community, where omnibus privacy law covers all industries, in the Unites States, privacy protections have developed along sector-specific lines. There are common threads running through many privacy statutes, however, such as requirements for increased protection for the collection of sensitive data and personally identifiable information, Dykes stated.

“NebuAd supports this privacy paradigm, which provides users with consistent expectations and substantial protections,” he said.

He warned lawmakers of the need to take a flexible approach to developing privacy protections. “The Internet is a highly dynamic environment, where new technologies are constantly developed to address new challenges, and we both want and need to take advantage of them,” said Dykes.

But a representative of the Center for Democracy & Technology (CDT) compared the technology used to support behavioral advertising to opening and reading people’s mail.
Deep packet inspection—the ability to collect and analyze the Internet transmissions of millions of users simultaneously—“is the equivalent of postal employees opening envelopes and reading the letters inside,” stated CDT Chief Computer Scientist Alissa Cooper in prepared remarks.

“[D]eploying a DPI system likely defies the expectations consumers have built up over time,” she said. “Absent unmistakable notice, consumers simply do not expect their ISP or its partner to be looking into the content of their Internet communications.”

Cooper disputed the premise that Internet users are willing to sacrifice privacy for free content, citing a Harris Interactive/ Alan F. Westin study in which 59 percent of respondents said they were not comfortable with online companies using their browsing behavior to tailor ads and content to their interests, even when they were told that such advertising supports free services.

Companies that do not provide clear notice of their information-gathering techniques may be violating existing law, Cooper charged.

“[W]e conclude that cable-based ISPs that wish to disclose the content of Internet packets to advertising networks would … have to meet the consent requirements of the Cable Communications Policy Act,” she stated.

The CDT is in favor of comprehensive privacy legislation, Cooper added.

“This Subcommittee should set a goal of enacting in the next year general privacy legislation covering both the online and offline worlds. CDT has long argued for simple, flexible baseline consumer privacy legislation that would protect consumers from inappropriate collection and misuse of their personal information while enabling legitimate business use to promote economic and social value.”

Why This Matters:  The FTC has urged the development if industry-specific online advertising guidelines. However, certain groups are pushing Congress to establish general privacy principles that apply across technological platforms and industry sectors.

Editor’s Note:  For previous ABR coverage of the issue, see:  "Senate to Consider Issues in Behavioral Advertising; Is Self-Regulation Being Given a Chance?" and
“FTC Staff Proposes Online Behavioral Advertising Privacy Principles; Seeks Comments from Advertisers”

Publication date : August 15, 2008

Last updated : August 15, 2008