A matter of privacy

Congress is drafting bills that could limit the data marketers collect about online shoppers.

Allison Enright

Republicans and Democrats in Washington D.C. are working on bills that advance recommendations set forth by the Federal Trade Commission’s December report on protecting consumer privacy online.

Massachusetts Sen. John Kerry, a Democrat, and Florida Rep. Cliff Stearns, a Republican, announced their plans to introduce separate bills that give consumers more control over how their data is collected and shared online. “The goal of the legislation is to empower consumers to make their own privacy choices,” said Stearns in a presentation before the Technology Policy Institute, a think tank, earlier this month. “My draft legislation requires covered entities to provide consumers in clear and easy-to-understand language what information is being collected and how that information is being used.” Stearns also said that his bill will include a provision for an FTC-approved self-regulatory program. Stearns’ office declined to say when he plans to introduce the legislation. 

The online advertising industry is a proponent of self-regulation over mandated legislation. The industry introduced last year a program designed to inform consumers about how their data is being used and give consumers a way to opt out of receiving ads based on their prior online browsing behavior.

Meanwhile, Internet browsers, including Microsoft’s Internet Explorer and Mozilla Firefox, are adding features that give consumers more privacy controls. Microsoft’s latest version of Internet Explorer includes a tracking-protection tool designed to let consumers block their information from being shared with web sites beyond the one they are visiting. Mozilla Firefox users can opt to use a private browsing tool that doesn’t store cookies, which are the bits of code that web sites install on consumers’ computers to identify them, and that are the primary tool used to track online behavior.

Kerry declared his intention to introduce legislation in a presentation before the Senate Commerce Committee last week. Kerry described the legislation as bringing a “common sense” approach to commercial privacy. “The entire goal of the drafting process we are using to write a Commercial Privacy Bill of Rights is to win pro-privacy, pro-innovation experts over to the side of establishing a common code of conduct so that customers are not just protected when working with them, but generally protected in the course of commerce,” he said. “Either we establish clear, flexible rules for behavior in new legislation or our enforcement agencies will have to step up enforcement against unfair and deceptive practices through a process of strong cases built on less clear direction.”

Marketing industry leaders say they think the self-regulatory programs put in place will do a better job at giving consumers control. “Self-regulation provided by industry is more beneficial to consumers than anything the government can recommend or implement, precisely because businesses are able to move more quickly in answering consumer needs than the legislative or regulatory processes ever could,” says Lawrence M. Kimmel, CEO of the Direct Marketing Association

Reed Taussig, president and CEO of fraud prevention firm ThreatMetrix, also is leery of the government’s ability to legislate a program that strikes the right balance between consumers’ desire for protection and e-retailer’s need to track behavior for security purposes. He’s concerned that giving consumers too much control over cookies will hinder fraud detection firms such as his own from gathering information required to identify fraudulent transactions online. For example, some fraud detection programs deposit cookies on customers’ computers, which are then used to identify returning customers. For legitimate purchases, it makes approving a transaction easier. But if a computer, tracked by its cookie, is known to be used to make fraudulent purchases, fraud detection systems flag the transaction and alert the e-retailer to the risk. He says ThreatMetrix uses a combination of cookies and non-cookie tools to identify devices because criminals often delete cookies. He says he’s keeping tabs on the FTC recommendations and the moves by legislators to make sure they understand that fraud-tracking cookies should be considered differently and be excluded from any legislation.

Even if privacy legislation does get enacted, Taussig thinks that web sites might just make accepting cookies a requirement to access them. For example, he says Facebook or Twitter simply might require consumers to accept cookies as part of their terms of service. Consumers would agree to accept cookies from some sites because they want that information, but decline others they might be less motivated to share with. “As with many things the government gets involved with, there are unintended consequences. This could create an oligopoly of information providers on the Internet,” he says. “It could make the Internet a less interesting and less competitive place. Content is king, and those that are recognized as rich in content will be able to force you to opt in, and those others will suffer economically for reduced traffic.”


Cliff Stearns, cookies, Direct Marketing Association, Facebook, Federal Trade Commission, Firefox, Internet Explorer, John Kerry, lawrence m. kimmel, marketing technology, online advertising, online browsing behavior, online fraud, privacy, Reed Taussig, ThreatMetrix, U.S. Congress, Web browsers