Just as governments – including our own – are pursuing aggressive new initiatives to gather information about our individual browsing habits and electronic communications for law enforcement purposes, the FTC has decided to advise Congress on sweeping initiatives to prevent direct marketers from engaging in far less invasive practices that present none of the grave risks attendant to enhanced government surveillance. Indeed, many of the commercial practices targeted by the FTC actually benefit consumers by assisting Internet sellers to configure their web sites, adjust their product offerings, and tailor advertising to the specific needs and interests of consumers. While the FTC shrilly intones that consumer information about Internet browsing has been used by an unidentified "some" in "an irresponsible or even reckless manner," it fails to acknowledge forthrightly that the vast majority of direct marketers use such information solely to better serve their customers, and that new laws and FTC initiatives are unlikely to faze the tiny group of Internet pirates who misuse consumer data.
Although most headlines have focused on the FTC's proposal for a "do not track" list, the FTC report is about much more than that. It foretells a highly aggressive new regulatory strategy that may change the landscape of Internet privacy without any concern for the cost impact on industry or a realistic assessment of the privacy interests of consumers. It sweeps so broadly against business as to suggest that–if the FTC has its way–even entirely benign and non-intrusive information collection practices that do not track individual consumers will be sharply curtailed. At the same time, new and intrusive requirements will be injected multiple times into virtually every consumer experience on the Web. If you do business on the Internet, you need to know what the FTC is hoping to unleash on eCommerce.
If the FTC has its way, you will need to redesign your web sites and emails to provide real-time notice and choice to every consumer, whether or not they make any purchases. The overarching theme of the report is highly paternalistic, suggesting that consumers are incapable of making informed choices about their buying decisions and Internet browsing activities. Thus, privacy policies and full disclosure of information collection practices are viewed dimly by the FTC. Instead, it commands that “consumers should [repeatedly] be presented with choice about collection and sharing of their data at the time and in the context in which they are making decisions.” Not only would implementation of such a scheme add substantially to the programming costs of commercial web sites, it could interfere significantly with the consumer purchasing experience. It is hard to imagine Web sales not suffering.
The FTC's "Do Not Track" Initiative Creates a Presumption Against Collecting Information About Web Site Usage, Even If that Information Is Not Individually Identifiable. The item in the report receiving the largest amount of press is the “do not track” recommendation. It would obligate direct marketers to implement technology – through something “similar to a cookie,” according to the FTC – that would prevent the collection of web browsing activities by individuals or individual browser installations. This would be mandated even if retailers do not actually collect individually-identifiable personal information. Indeed, the FTC report supports doing away with the line drawn in existing law between information that is personally identifiable and that which is not, claiming that “traditional distinctions between the two categories of data are eroding.” Because "some" companies allegedly find surreptitious ways to connect non-personal information to specific individuals, the FTC is ready to recommend that all companies be prevented from collecting even aggregate usage data, which could be a significant blow to retailers who use this data to obtain helpful information for their businesses. Data collection serves important functions that parallel the physical retail environment, including the measuring of foot traffic in certain areas of a store. Denying this data to retailers in its non-personally identifiable form suggests a significant lack of government understanding of – or at least a gross lack of sensitivity to – legitimate industry needs.
At present, the FTC, itself, believes that it does not have authority to implement a tracking system without further action by Congress. But, the pressure is on for Congress to enact a potentially sweeping new set of powers for the agency. In the interim, the makers of at least one popular browser, Firefox, are exploring ways to implement a “do not track” feature that leaves it to consumers to choose whether they will be tracked. Microsoft has already implemented a similar feature in its most recent release of Internet Explorer. This approach is far less onerous for retailers, but may rob them of the very data they need to present consumers with meaningful purchasing choices through targeted advertising. The least effective and most intrusive recommendation – that the FTC appears to favor – involves a “do not track” list that may leave it to Internet companies to figure out whether a person who is visiting their web site has chosen to place themselves on a list. Because the specifics have yet to be determined, it is unclear what this list would even look like. The FTC claims that a list of machine specific identifiers (as might be embedded in an operating system or hardware) or IP addresses is not a likely option.
Prepare to Open Your Files. Some of what the FTC report recommends is positive for the industry, including “standardized” privacy-related notices (which might reduce uncertainty surrounding potential challenges by privacy rights groups, among other things), but the context – including whether federally mandated notices would preempt individual states from enacting different or more complicated disclosure requirements and whether class action lawsuits would be permitted against violators – remains a mystery, and the potential perils for eCommerce are significant. Other FTC recommendations are chilling, including the requirement that companies provide customers “reasonable access” to all the data maintained about them and that the Children’s Online Privacy Protection Act’s onerous obligations be extended to cover children between the ages of 13 and 17.
What's Next? The FTC has asked for industry comments as it pushes forward with its new privacy initiative. This is a critical moment for direct marketers to be heard in petitioning the government to create and implement a more sensible, uniform approach to privacy protection that balances a realistic assessment of the potential harm to consumers against potentially dramatic and commerce-suppressing costs.