FTC Workshop Focuses on Privacy, DMA Offers New Guidelines

Privacy issues took center stage again this week when the Federal Trade Commission and the U.S. Department of Commerce hosted a public workshop on online profiling in Washington, DC.

The workshop included an overview of the current uses of online profiling technology as well as reports and presentations from technology experts, online advertising companies, trade associations, academics, government representatives and privacy advocates well-versed in online profiling. While discussions at the workshop were far from heated, there were strong feelings expressed about the pros and cons of online profiling from all parties present.

FTC chairman Robert Pitofsky said that while consumers can clearly benefit from online advertising tied to their specific interests, “online profiling looks like it may be a very different beast,” he said. “The online entity placing the ad may have the ability to watch me as I surf across various Web sites, record what ads I already have seen, make sure I do not see them again … and all this can take place without my knowledge, let alone consent. On a personal level, I find this more than a bit disturbing.”

In its testimony, the Direct Marketing Association explained that there are three different parties involved in ad-serving technologies used in online profiling: the Web site, the company that services the banner ad and the advertiser. It said companies should notify visitors to their Web sites of third-party ad servers that collect information as a result of individuals’ interaction with Web sites. The Web sites should identify the ad servers and provide a means for the individual to contact the ad server.

“Individuals using the Internet need to be notified when data about them are being collected, whether it is personally identifiable or more generic navigational data,” said Jerry Cerasale, senior vice president of government affairs at the DMA.

The DMA also made the following recommendations:

* Notice should be included in the Web site’s posted privacy policy and include a hyperlink to the posted privacy policy of the third-party ad server.

* Consistent with the DMA's Privacy Promise, Web sites that collect personally identifiable information should provide notice of the transfer of information to third parties and provide an ability to opt out of such transfers.

* Individuals should have the opportunity to opt out of the transfer of the personally identifiable information from the Web site to the third-party ad server.

* Third-party ad servers should provide individuals with notice of the types of information that they collect from Web sites on which they serve ads.

* Third-party ad servers should provide notice of the types of information that they collect as a result of an individual's interaction with the Web site.

* If navigational data are to be used in an identifiable manner by the ad server, that should be disclosed. If they are not, but may be used in the future, that possibility should be disclosed as well.

* Where a third-party ad server collects personally identifiable information as a result of an individual's interaction at the Web site, the third-party ad server needs to provide individuals with an opt-out for the collection and use of this information.

* Opt-out of the collection of non-personally identifiable information should not be required. Third-party ad servers may offer such an opt-out as a good business practice for their industry sector; however, this should not become an industry-mandated practice.

In his presentation, Cerasale also said the DMA is sensitive to this new form of data collection and it's enhanced Privacy Policy Generator, a tool that enables business to create and post privacy policy statements and incorporates notice of third-party ad servers into the privacy notices it generates.

“This is a recent enhancement made to the Privacy Policy Generator, designed to enable sites to inform individuals in their privacy notice about the use of cookies and arrangements with third-party ad servers,” said Cerasale.

DMA president/CEO H. Robert Wientzen also will address privacy issues at the Sixth Annual National Privacy Conference in Arlington, VA, today.

Related Posts