Privacy Bills: Which One Would Ad Industry Choose?

It’s no secret most ad industry trade groups and many online marketers do not want online privacy legislation to pass. Yet, if they had to pick one of the six recently-introduced online privacy bills, some would be more palatable to their business interests than others.

Among them is what can be considered the least restrictive of the bunch, the Consumer Privacy Protection Act of 2011, a bipartisan bill cosponsored by Republican Cliff Stearns of Florida and Democrat Jim Matheson from Utah. The bill, which is nearly identical to 2005 privacy legislation, relies on privacy policies to alert consumers to data collection and usage, rather than requiring a more clear and conspicuous mechanism for opting out from such collection and usage. The bill is also cosponsored by three other Republican House Members.

Even the relatively lenient Stearns bill was deemed over-reaching by The Direct Marketing Association. Despite the fact that the industry already does much of what the bill requires, the DMA stated in a press release that “the bill is overly prescriptive and delegates too much additional authority to the Federal Trade Commission…particularly in the area of self-regulation.”

The FTC helped popularize the “do-not-track” term in its December 2010 online behavioral ad guidelines report. Since then the concept has made an appearance in three of the bills.

Do-not-track type mechanisms are called for in four of the bills, including another that is favored by some industry insiders. The Commercial Privacy Bill of Rights Act of 2011, another bipartisan bill proposed in the Senate by Democrat John Kerry of Massachusetts and Republican John McCain of Arizona, does not specifically mention do-not-track, but it grants the Federal Trade Commission the right to develop rules for a clear and conspicuous online mechanism for opting out from data transfer for behavioral and location-based advertising, and gives the agency oversight of a requirement that companies offer one.

Ad networks and other online ad tech companies thrive on the ability to collect and employ data for sophisticated digital ad targeting. Valueclick is an early participant in the industry’s broad-reaching self-regulatory program, and believes “that self-regulation creates the most balanced framework for protection of consumer privacy and innovation as industry is in the best position to adjust to the advances in technology in the most efficient and adaptable manner,” according to Tanya Tan, the company’s assistant general counsel and VP, privacy and legislative affairs.

“However, if legislation proves to be necessary in the area of online advertising,” she continued, “we believe that the Commercial Privacy Bill of Rights Act of 2011 introduced by Senator John Kerry and Senator John McCain, as currently drafted, is the bill that best balances consumer privacy protections and the value of online advertising. Both Senators acknowledge the importance of online advertising and made it clear that both business interests and consumer interests were considered. It also contains a safe harbor provision that feasibly allows for self-regulatory efforts by industry to continue.”

Indeed, the bill gives the FTC authority to establish a safe harbor program and to approve of and monitor non-governmental initiatives – such as an industry self-regulatory program – for providing consumers a “clear, conspicuous, persistent, and effective” opt-out from data transfer for behavioral ads or “location-based advertising.”

None of the bills specifically mentions the Digital Advertising Alliance, the coalition leading the online ad industry’s self-regulatory program. Just two of the six bills – the Kerry/McCain bill and Bobby Rush’s Best Practices Act – provide for a safe harbor for companies participating in an industry self-regulatory program. Rather than actually mentioning safe harbor specifically, the Do-Not-Track Online Act of 2011 from Senator Jay Rockefeller calls on the FTC to consider mechanisms that have already been developed when creating online privacy standards and rules.

“The biggest concern with [the Kerry/McCain] bill is it’s very complicated and very regulatory in structure even though it’s attempted to create rational proposals,” said Stu Ingis, a partner at Venable law firm and until recently the de facto head of the Digital Ad Alliance. Ingis added the bill, “treats marketing data…as subject to a higher standard than other data.” The Alliance recently hired Peter Kosmala, formerly of the International Association of Privacy Professionals, as its first managing director.

Comparing the Privacy Bills
Bill Name Sponsor/s Does It Mention Do-Not-Track? Civil Action/Penalties Safe Harbor for Industry Self-Regulation Notes
Commercial Privacy Bill of Rights Act of 2011 (Senate) John Kerry (D-MA), co-sponsor John McCain (R-AZ) Doesn’t specifically mention DNT, but grants FTC right to develop rules for opt-out mechanism. Lets FTC impose civil penalties on self-reg groups running noncompliant programs. FTC power to establish safe harbor program and monitor self-regulatory program for opt-out. Gives FTC power to make rules requiring cos provide “clear, concise, and timely notice” of personal data collection, use, transfer.
Do-Not-Track Online Act of 2011 (Senate) Senate Commerce Committee Chairman Jay Rockefeller (D-WV) Yes – FTC to create standards for mechanism allowing users to indicate personal data collection preferences. States can bring civil action against violators, violators subject to FTC enforcement penalties. No mention of “safe harbor,” but calls on FTC to consider mechanisms in existence that let users indicate personal data collection preferences. Rockefeller chairs the committee in which he introduced the legislation, so it may have greater likelihood of passage.
Best Practices Act (House) Bobby Rush (D-IL) No specific mention of DNT, calls for FTC to approve a self-reg program for opt-out mechanism prohibiting data sharing with 3rd parties Allows FTC and states to slap civil penalties on violators. Allows for safe harbor for companies in compliance with FTC-approved self-reg program A Capitol Hill Insider called the bill “dead on arrival,” suggesting Rush, a House minority member, has little clout without a committee chairmanship.
Do Not Track Me Online Act of 2011 (House) Jackie Speier (D-CA) Yes – calls for FTC to determine standards for “online opt-out mechanism” Gives states the right to bring a civil action on behalf of residents against violators N/A Bill is short in length compared to other privacy bills, and seen as a way for Speier to establish a stance on online privacy issue.
Consumer Privacy Protection Act of 2011 (House) Cliff Stearns (R-FL), co-sponsors Brian Bilbray (R-CA), John Duncan (R-TN), Donald Manzullo (R-IL), Jim Matheson (D-UT) No specific mention of DNT, only calls for “brief, concise, clear, and conspicuous” privacy policies. N/A No mention of Safe Harbor, but bill gives FTC power to approve a self-reg program. The most industry-friendly of the lot. Relies on privacy policies rather than requiring a more clear and conspicuous mechanism for opting out from data collection and use.
Do Not Track Kids Act of 2011 (House) Ed Markey (D-MA), co-sponsor Joe Barton (R-TX) Yes – calls on FTC to create regulations for site and app operators to provide “clear and conspicuous” explanation of personal data collected and how it’s used. Bill calls for FTC to require operators to implement “Eraser Buttons” allowing users to eliminate personal data from a site or app. Gives states right to bring a civil action against violators, makes violators subject to FTC enforcement penalties. N/A Restriction of collection and use of children’s and teens’ location data is a key focus.

Related reading