Online regulation ratchets up, but cookies live on
Deloitte predicts that during the course of 2011 online privacy will provoke more irate headlines and exasperated calls for action than ever before. However, by year-end a torrent of criticism directed at online privacy is likely to result in only minor legislative and regulatory changes to the way websites gather, share and otherwise exploit user information. Such changes are unlikely to challenge the fundamentals of the online business model.
Cookies, which are the small files of personal information that websites create on a visitor’s computer, are very likely to remain core to the online user experience. Similarly, IP (Internet Protocol) addresses will likely still be shared among multiple online companies.
A flood of news stories about digital privacy invasion -- combined with the launch of websites created to show exactly how compromising online information disclosure can be[1] -- is unlikely to dissuade Internet users from knowingly or unknowingly sharing their information, some of which may be personally identifiable[2]. A campaign in 2010 that encouraged users to quit a particular social network en masse in response to its revised privacy policies was taken up by only a tiny fraction of its members[3].
But despite a lack of significantly harsher regulations, and the fact that just a small (but vocal) minority of the public is expected to clamor for more protection, the online industry will likely undertake increasingly robust measures to regulate itself, building on steps that have already been taken over the past few years[4].
The underlying rationale for gathering personal information is that companies -- be they traditional retailers, business-to-business specialists, or online pure plays -- like to know about their customers. Knowledge is power, and understanding the customer is generally good for business. Sharing leads, reselling customer data and analyzing consumer behavior are all ways to boost revenue and help make a sale. Passing along customer data is considered a fair practice if permission is given. So is aggregating customer data and reselling it -- as long as permission is given and the user cannot be personally identified[5].
Malpractice related to information sharing is common in all types of businesses. But in 2011, online privacy breaches -- both real and perceived -- are more likely to make the news than are offline breaches.
Some of the reasons for this are contextual. First, online companies are simply more effective than their offline counterparts at generating, accumulating and exploiting vast quantities of data -- and at using the data automatically in real time. Second, online privacy issues are currently more newsworthy, partly because the online environment is newer and less understood, and partly because of the number of people who are affected. Web-based businesses seem subject to heightened economies of scale. Market leaders tend to dominate on a global basis, and when problems arise they can affect hundreds of millions of users.
One privacy challenge unique to the online world is the use of personal information in the form of cookies and IP addresses. New legislation to be enacted in 2011 aims to clarify what, how, and with whom such data can be shared. Some of this legislation, if enacted in its current draft form, could profoundly change the way that people use the Web[6].
Many of today's websites share IP addresses with dozens of other sites. However, one draft law would require user approval every time an IP address is to be shared[7]. Similarly, a European Union (EU) directive[8] passed in 2010 and due for implementation in 2011 will require websites to obtain consent from users whenever cookies are installed[9]. The EU has also proposed that Web users have the right to be forgotten: historically, a user's Web trail has been nearly indelible[10]. The proposed changes would require websites to delete all personal data on request. In addition, there have been calls for "do not track" buttons to be made prominent on websites[11].
However, there are two reasons why it is likely that only moderate online privacy legislation will be enacted in 2011. First, the legislation that currently exists to protect personal information -- both online and offline -- is considered generally robust[12]. Most discussions about new legislation focus only on the narrower category of personally identifiable information (PII), and specifically on whether a unique identifier for a computer, such as an IP address or a cookie, should fall into this category. Second, the Internet has become a fundamental part of the economy. New legislation that might have a significant adverse impact on economic growth and tax revenues seems quite unlikely[13]. Tens of billions of dollars could be put at risk[14], and many governments are simply not in a position to threaten those revenues at this time.
For instance, the US Commerce Department recently released a draft report providing recommendations for promoting online privacy. However, the recommended policies are likely to be enacted in a moderated form that also emphasizes information innovation, jobs and economic growth[15]. In the EU, most member states will probably determine that users should provide permission within browser settings and that the default position in the browser be set to "off", as suggested by the directive[16]. Consent will not need to be given every time a cookie is used[17].
In 2011, new online privacy legislation is expected to be modest and will likely draw upon fair information practices that are already generally accepted. At the same time, online companies are likely to become far more proactive when tackling privacy issues — expanding their efforts to influence legislation, and increasing their level of self-regulation with the goal of avoiding new legislation altogether.
Although changes related to online privacy may not markedly affect revenue in 2011, companies should consider increasing their investments in online privacy infrastructure, leveraging industry tools and initiatives to improve self-regulation and get in front of future legislation.
Nearly all of the new and proposed privacy requirements are based on generally accepted fair information practices. However, businesses should stay abreast of changes in public opinion and regulatory policy, including the policies proposed by the Federal Trade Commission in its Staff Report on online consumer privacy released in December 2010[18].
In particular, businesses that operate online might want to invest in programs and industry tools that:
- integrate "Privacy by Design"[19] principles, including data security measures, reasonable collection limits, sound retention practices and data management procedures
- provide consumers with simple choices about data handling practices that are not “commonly accepted”
- establish greater transparency about how data will be collected and used -- providing simple and easy-to-understand notices and education, and giving customers reasonable access to their own personal information[20].
These types of actions can help organizations stay ahead of the curve, create competitive advantage, and strike an appropriate balance between protecting consumer privacy and fostering performance, innovation and growth.
[1] Please Rob Me: Site Tells The World When You're Not Home, The Huffington Post, 17 February 2010: http://www.huffingtonpost.com/2010/02/17/please-rob-me-site-tells_n_465966.html
[2] For an in-depth explanation of personally identifiable information, see: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), National Institute of Standards and Technology, April 2010: http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf
[3] "Quit Facebook" protest day flops, Telegraph, 1 June 2010: http://www.telegraph.co.uk/technology/facebook/7792970/Quit-Facebook-protest-day-flops.html
[4] For example, in the US the online industry has already taken aggressive steps to enhance its self-regulatory efforts. These include consumer awareness campaigns and opt-out tools, such as: the NAI opt-out tool; the Interactive Advertising Bureau (IAB) "Privacy Matters" campaign, which consists of headlines (e.g. "Advertising is creepy") and icons that direct users to the "Privacy Matters" website; the TRUSTe icon and its Behavioral Advertising Notice and Choice Program; and the NAI and IAB Control Links for Education and Advertising Responsibly (CLEAR) Ad Notice.
[5] It is regarded as unethical and occasionally illegal to target individuals with evident or known weaknesses, even if these would be willing customers. For example, those who have drunk too much should be refused a last one for the road; those with gambling habits should not be offered a free bet; female adolescents profiled as health conscious, but in fact struggling with eating disorders, should not be offered weight loss products/services.
[6] Do Not Track Proposal Unleashes Fresh Furor Over Online Privacy, E-Commerce Times, 12 February 2010: http://www.technewsworld.com/story/71360.html?wlc=1291337891
[7] For more information, see: Boucher, Stearns Release Discussion Draft of Privacy Legislation, Congressman Rick Boucher website, 4 May 2010: http://www.boucher.house.gov/index.php?option=com_content&view=article&id=1957; Best Practices Act: http://www.house.gov/apps/list/press/il01_rush/h_r_5777_the_best_practices_act_2010.pdf
[8] A directive requires member states to achieve a particular result without dictating the means of achieving that result. Directives leave member states with a certain amount of leeway as to the exact rules to be adopted. So indeed, the exact implementation can vary in every jurisdiction in the EU.
[9] EU Chews on Web Cookies, Wall Street Journal, 22 November 2010: http://online.wsj.com/article/SB10001424052748704444304575628610624607130.html; The new EU cookie rule – so, we need to get consent then?, Computer Weekly, 23 November 2010: http://www.computerweekly.com/Articles/2010/11/23/244068/The-new-EU-cookie-rule-so-we-need-to-get-consent.htm
[10] EU proposes online right 'to be forgotten', Telegraph, 5 November 2010: http://www.telegraph.co.uk/technology/internet/8112702/EU-proposes-online-right-to-be-forgotten.html
[11] FTC wants voluntary 'Do Not Track' for the Web, CNET News, 1 December 2010: http://news.cnet.com/8301-13578_3-20024332-38.html
[12] For example, the Office of the Privacy Commissioner of Canada held public consultations to examine the effectiveness of the Personal Information Protection and Electronic Documents Act (PIPEDA) in handling emerging privacy issues online, including online profiling, tracking, and targeting. The report issued on October 25, 2010 confirmed that PIPEDA provides a sound framework; however, additional guidance is required to clarify how to apply the Act in new and emerging contexts. Source: Draft Report on the 2010 Office of the Privacy Commissioner of Canada's Consultations on Online Tracking, Profiling and Targeting and Cloud Computing, Office of the Privacy Commissioner of Canada website, 25 October 2010: http://www.priv.gc.ca/resource/consultations/report_2010_e.cfm
[13] The new EU cookie rule – so, we need to get consent then?, Computer Weekly, 23 November 2010: http://www.computerweekly.com/Articles/2010/11/23/244068/The-new-EU-cookie-rule-so-we-need-to-get-consent.htm
[14] Online Privacy Bills Would Hurt E-commerce, Trade Group Says, PC World, 10 September 2010: http://www.pcworld.com/businesscenter/article/205157/online_privacy_bills_would_hurt_
[15] Summary of Draft Department of Commerce Privacy Green Paper, HL Chronicle of Data Protection, 15 November 2010: http://www.hldataprotection.com/2010/11/articles/general/summary-of-draft-department-of-commerce-privacy-green-paper/
[16] For example, in the Netherlands the original explanatory memorandum talked about "ondubbelzinnige toestemming" (unambiguous consent); the "ondubbelzinnig" (unambiguous) has since been dropped. The expected outcome in the Netherlands is probably also a browser-based solution.
[17] MRS warns strict EU cookie rules could 'severely disrupt' online MR, Research Magazine, 9 December 2010: http://www.research-live.com/news/government/mrs-warns-strict-eu-cookie-rules-could-severely-disrupt-online-mr/4004220.article
[18] A Proposed Framework for Businesses and Policymakers, Federal Trade Commission, December 2010: http://www.ftc.gov/os/2010/12/101201privacyreport.pdf
[19] Privacy by Design is an approach developed and advocated by the Information and Privacy Commissioner of Ontario, Ann Cavoukian. See http://www.privacybydesign.ca.
[20] Expectations for Consumer Consent in Interest Based Advertising: Regulatory and Industry Positions in the United States, Europe, and Canada, Jordan Prokopy and Megan Brister. BNA Privacy and Security Law Report. Vol. 9, No. 21, pp. 775-779. 2010.