On February 23rd, the White House unveiled the Consumer Privacy Bill of Rights, which seeks to give people more control over their personal data online. The Bill of Rights is an industry-wide agreement developed by the White House, FTC, Commerce Department and Digital Advertising Alliance (DAA) (which represents over ninety percent of the U.S. online advertising industry). The “rights” in the agreement include:
- Individual Control: The right to exercise control of what personal data companies collect and how that data is used
- Respect for Context: The right that companies will only use personal data consistent with the context in which users provide the data
- Security: The right to secure management of personal data
- Access and Accuracy: The right to access and edit personal data
- Focused Collection: The right to limit the collection and retention of personal data
- Accountability: The right that companies adhere to the Consumer Privacy Bill of Rights
The White House will encourage all stakeholders (including browser manufacturers, advertising networks and websites) to respect these rights; it will also work with Congress to enact legislation that enforces the rights.
Do Not Track
One way that the agreement seeks to protect privacy rights is by requiring browser makers to implement an easy-to-use Do Not Track feature. Websites and advertising networks must honor Do Not Track by not tracking users who’ve opted out of tracking via their browsers. However, there’s still an open question as to exactly what qualifies as “tracking,” and the DAA, FTC and Commerce Department will have to work through this in the coming months. For instance, Google has stated that Do Not Track will impact “some aspects of tailored advertising” but will not affect signed-in users who’ve requested personalization.
Although Do Not Track is very much a work in progress, advertising networks and browser manufacturers have already agreed to abide. Google wrote that it’s “look[ing] forward to working with our industry partners, the White House, the FTC, the DAA and all the major browsers including Google Chrome, to adopt a broadly consistent approach to these controls.” Mozilla—which already has a Do Not Track feature—commented, “As we continue to work on Do Not Track, Mozilla is firmly committed to user sovereignty and meaningful privacy choices.”
Potential Impact for Advertisers
The Consumer Privacy Bill of Rights mirrors much of what is already in the DAA’s guidelines. Thus, most of this isn’t new—many of these “rights” are currently being respected by ad networks, browser manufacturers and advertisers. For instance, Google allows users to control what personal data it collects through its Ads Preferences Manager. Additionally, many display advertising networks already have in-ad notice, which proactively tells users why an ad was served and gives them the ability to opt out. And, as previously mentioned, browsers like Firefox already have Do Not Track. Mozilla notes, however, that only 7% of desktop users choose to enable Do Not Track. Of course, whether or not more people opt out of tracking will depend on exactly how the consortium (DAA, FTC and Commerce Department) defines, structures and implements Do Not Track.
At Performics, we think that the most noteworthy part of the agreement is the requirement that ad networks and advertisers be transparent about exactly what they plan to do with users’ personal data. For example, in light of the Bill of Rights, Google may have to go beyond allowing users to control what personal data it collects; it may have to better inform users exactly how that personal data is used. This means that ad networks and advertisers must invite users to participate, i.e. ask users their comfort levels around using their personal data in various ways. When ad networks and advertisers haven’t been transparent about what they do with their participants’ personal data, it has backfired. The most visible recent example of this was Target—although offline—as reported by the New York Times. Target collected personal data like shopping habits to create a pregnancy-prediction model. It then used that data to send expectant mothers targeted coupons and advertisements for baby-related products. By not being transparent about how it used personal data, Target didn’t realize that it was being too intrusive for its participants’ tastes. As best practice, advertisers should always be transparent in how they plan to use participant data to ensure that they don’t cross the line.
Over the next few months (perhaps even years), the consortium will be working to implement practices to protect privacy rights online. The industry will then have a better idea of potential implications. In the meantime—as always—advertisers should focus on (1) providing participants with privacy controls, (2) safeguarding personal data, and (3) being transparent.
For more thoughts on the agreement, see John Battelle’s blog post.