Kerry and McCain Work on Privacy Bill as FTC Conducts More Cases

johnkerry-privacyhearingThe online ad industry’s self-regulatory program is “promising” and is moving forward at a “far more rapid” pace lately, said Federal Trade Commission Chairman Jon Leibowitz this morning. However, speaking as a witness during a Senate Commerce Committee hearing on online privacy, he said this week’s settlement with behavioral ad firm Chitika should serve as a signal to the online ad industry of “many more” privacy cases to come.

Mobile app providers and advertisers should also beware, Leibowitz implied, noting that the FTC has “multiple investigations going on” that involve companies providing “inadequate” notice of mobile data collection and buried privacy policies.

Leibowitz expressed concern that the Digital Advertising Alliance’s self-regulatory program may be insufficient because it does not – at least in all cases – allow consumers to control the tracking and collection of personal data online. Rather it focuses on whether consumers want to be served ads that use such data – an important distinction.

In some cases, companies collecting data for analytics or other non-behavioral advertising related purposes could continue tracking and collecting data from people who have opted out through the DAA program, according to Stu Ingis, a partner at Venable, a law firm working with the industry alliance, who spoke with ClickZ recently.

One key element of the FTC’s proposed do-not-track mechanism is that it “should allow [consumers] to opt out of tracking altogether,” added Leibowitz.

Democratic Senator John Kerry, chairman of the Commerce Committee, reiterated his intention to introduce “a commercial privacy bill of rights.” Kerry said in the last six months he has worked with other lawmakers from both sides of the aisle, along with privacy experts and the “advocacy” community “to figure out why we haven’t reached a consensus on the national treatment of people’s information,” and what legislators can do to establish consensus.

Apparently, one of the lawmakers Kerry is working with to draft a bill is Republican Senator John McCain of Arizona. “I’m working, as you know, with Senator McCain very closely and he’s got some interest in this,” said Kerry at the end of today’s hearing.

“Americans cannot today demand that someone who’s collecting their information stop using it,” said Kerry, pointing to increased data collection across digital channels such as e-mail and mobile apps as well as offline by grocery stores, hotels and airlines. The bill Kerry is drafting will establish a code of conduct for data collection and use.

He indicated the proposed legislation would establish safe harbor for companies abiding by said code of conduct. “We approach this with a real open mind,” he said. Kerry called the would-be proposal more flexible than what governments associated with “the world’s largest markets” might impose on business.

Kerry has yet to announce a date for introduction of the bill, and “is talking with many players to get it right,” a spokesperson from his office told ClickZ News recently.

In his testimony, Lawrence Strickling, assistant secretary of commerce for communications and information at the U.S. Department of Commerce’s National Telecommunications and Information Administration, urged Congress to give the FTC the authority to offer a safe harbor to companies who abide by the potential code of conduct. He also stressed the need for increased global interoperability of privacy frameworks – something the Commerce Department indicated in its report on commercial data privacy published in December

In a settlement announced Monday, the FTC said it settled with behavioral ad firm Chitika. The agency alleged Chitika’s opt-out cookies were set to expire after 10 days, rendering them useless at that point. As a result of the settlement, within 30 days the company must provide a tool enabling opt-out from collecting data that could be tied to a user or includes a unique identifier. The tool must enable opt-out through no more than one click, and it must maintain opt-outs for a minimum of five years.

Related reading