Online ad privacy regulation unveiled


The IAB’s (Interactive Advertising Bureau) nightmare: Reps. Rick Boucher (D-VA), and Rep. Cliff Stearns (R-FL) introduced online ad privacy legislation 5/4. More than a year in the making, the draft legislation proposes regulating Internet companies’ tactics for collecting information about Web visitors and the use of that data for ad targeting. It also could apply to the practices for collecting consumers’ information in the offline world.

Advertisers and Internet companies have been scrambling to head off such regulation by their own set of rules. They say legislation will hamper growth of online advertising and they are capable of regulating themselves and privacy legislation threatens to stifle the $23 billion Internet ad market.

IAB CEO Randall Rothenberg said in an op-ed earlier this year that such a bill (then only being touted by Boucher) will stunt the growth of the online media market and put 3.1 million jobs at risk: “Advertising is the engine of the consumer economy, and fundamentally the only way American shoppers can compare prices, discover products, and learn about new stores and sales in their neighborhood – and the sole way businesses can get this information to them. Yet the Congressman wants to legislate its elimination.”

Boucher, Chairman of the Subcommittee on Communications, Technology, and the Internet, and Stearns, Ranking Member of the Subcommittee, released the following statements:

“Our legislation confers privacy rights on individuals, informing them of the personal information that is collected and shared about them and giving them greater control over the collection, use and sharing of that information,” said Boucher.

“Our goal is to encourage greater levels of electronic commerce by providing to Internet users the assurance that their experience online will be more secure.  That greater sense of privacy protection will be particularly important in encouraging the trend toward the cloud computing,” Boucher said.

 “Online advertising supports much of the commercial content, applications and services that are available on the Internet today without charge, and this legislation will not disrupt this well established and successful business model. It simply extends to consumers important baseline privacy protections,” Boucher noted.

“I have been working for years to enact meaningful privacy protection legislation and this draft is advancing the process.  While I may not support everything in the current draft bill, it is important to get the input of stakeholders.  I look forward to working with Chairman Boucher to improve upon his hard work,” Stearns said.

The draft measure would protect individuals’ privacy by requiring the following:
Disclosure of privacy practices: Any company that collects personally identifiable information about individuals must conspicuously display a clearly-written, understandable privacy policy that explains how information about individuals is collected, used and disclosed.

Collection and use of information: As a general rule, companies may collect information about individuals unless an individual affirmatively opts out of that collection. Opt-out consent also applies when a website relies upon services delivered by another party to effectuate a first party transaction, such as the serving of ads on that website.

No consent is required to collect and use operational or transactional data – the routine web logs or session cookies that are necessary for the functioning of the website – or to use aggregate data or data that has been rendered anonymous.

Companies need an individual’s express opt-in consent to knowingly collect sensitive information about an individual, including information that relates to an individual’s medical records, financial accounts, Social Security number, sexual orientation, government-issued identifiers and precise geographic location information.

Disclosure of information to unaffiliated parties: An individual has a reasonable expectation that a company will not share that person’s information with unrelated third parties. If a company wants to share an individual’s personally-identifiable information with unaffiliated third parties other than for an operational or transactional purpose, the individual must grant affirmative permission for that sharing.

Many websites work with third-party advertising networks, which collect information about a person or an IP address from numerous websites, create a profile and target ads based on that profile.  As an exception to the general rule requiring opt in consent for third-party information sharing, Opt-out consent would apply to sharing of an individual’s information with a third-party ad network if there is a clear, easy-to-find link to a webpage for the ad network that allows a person to edit his or her profile and, if he chooses, to opt out of having a profile, provided that the ad network does not share the individual’s information with anyone else.

Implementation and enforcement: The Federal Trade Commission would adopt rules to implement and enforce the measure. States may also enforce the FTC’s rules through State attorneys general or State consumer protection agencies.

“This measure reflects broad areas of consensus among the Members who are circulating it today. We look forward to working with stakeholders and with our colleagues on the Energy and Commerce Committee to advance this timely and essential measure,” Boucher concluded.