A major component of the FTC report, Protecting Consumer Privacy in an Era of Rapid Change, is the idea of consumer choice.  This is the idea that when a consumer provides a company with certain types of information, the consumer should be informed as to what that company intends to do with that information and then should be able to choose whether or not to continue the interaction.  One of the goals outlined in the FTC report is to allow “consumers the ability to make informed and meaningful choices” regarding the use of their information for data collection purposes.  The FTC further states that businesses interacting with consumers should present choices “clearly and concisely,” while offering “easy-to-use choice mechanisms.”  Exactly what is determined to constitute an informed choice in the final regulations is likely to have a significant impact on every company that is subject to these regulations.

            As the FTC notes in its report, there are many considerations to weigh in determining how to best present this choice for the consumer.  First, there is a question of when the necessary disclosure and consumer control mechanism should be presented.  In the case of a website where the company is providing retail or other service directly to the consumer, common sense tells you that the consumer should be presented with the choice mechanism at the point of sale or exchange of data.  This question becomes more complicated, however, when one considers the example of a social media service where the relationship between the consumer and the company might be ongoing, and where the nature and scope of the information being exchanged often changes over time.  In this scenario, should the consumer be continually prompted to provide consent to the use of their information?  Alternatively, should all potential exchanges of information between the consumer and the company be included in the initial disclosure and consent?      

            A second consideration for establishing the proper consumer choice mechanism is the content of the disclosure itself.  As the FTC report makes clear, the Commission staff believes that disclosures and the choices presented buried within lengthy privacy policies will not result in meaningful, informed consent by consumers.  While the Commission staff clearly prefers a simple and widely-accessible approach to providing this choice, their report provides little evidence of how they intend to apply these ideas to the varying types of consumer interaction with different websites, services and products.  For instance, how would the developer of an application used on a mobile device both clearly and accurately provide the consumer with the required disclosure when those disclosures might involve describing complicated relationships between third-parties?  Further, is it feasible to believe that a consumer who might download such an application while commuting on the subway will read the disclosures on their mobile phone and then be able to provide an informed consent?     

            Despite fact that this question of consumer choice will likely be a central element of any new regulations related to the protection of consumer privacy and the use of consumer data, the FTC’s proposals provide many more questions than answers on this issue.   One of the proposed approaches is some version of an “opt-in” or “opt-out” consent provided to consumers when they seek to engage with a particular company.  Similar to the concerns over the “Do Not Track” proposal, there is a significant possibility that this simplistic, all-or-nothing approach might encourage consumers to simply choose to “opt-out,” without much consideration to the trade offs involved with the exchange of data for the services of the company.  As consumers opt-out, companies who up to that point have relied on the use of consumer data as a way to keep the cost of their services low (or free), will likely need to raise prices on the consumer.  On the other hand, should consumers choose some sort of general “opt-in” when they purchase or begin to use a product or service, the regulations likely will not have the intended effect of increasing consumer knowledge and control over the use of their personal data.  

            As with most elements of the FTC’s report, these issues do not lend themselves to simple, blanket solutions.  As stated in its title, the purpose of this report is to protect consumer privacy; however, the framework in its current form is weighted too heavily on the side of privacy, without enough consideration for the practical implications for the businesses that provide many different products and services to consumers.  All parties would benefit from a regulatory approach that takes into account the nuanced and complex relationship between consumers and businesses in this increasingly data-driven sector of the economy. 

First-party marketing: Online retailers recommend products and services based upon consumers’ prior purchases on the website.  Offline retailers do the same and may, for example, offer frequent purchasers of diapers a coupon for baby formula at the cash register.  Some of these practices, such as where a retailer collects a consumer’s address solely to deliver a product the consumer ordered, are obvious from the context of the transaction, and therefore, the consumer’s consent to them can be inferred.

Staff proposes that first-party marketing include only the collection of data from a consumer with whom the company interacts directly for purposes of marketing to that consumer.

Basically, online behavior that is analogous to offline behavior (Macy's giving you a discount on your next purchase or taking down your address to deliver goods, etc.) is likely to be OK under the new rules, whatever they may eventually be, and, by the way, it should be.

The real rub occurs when companies start doing things that are not analogous to mainstream offline behavior, particularly when a company shares data with a third party or allows a third party to collect data about consumers visiting that company’s site.

As the FTC puts it:

If a company shares data with a third party other than a service provider acting on the company’s behalf … the company’s practices would not be considered first-party marketing and thus they would fall outside of “commonly accepted practices,” …. Similarly, if a website publisher allows a third party, other than a service provider, to collect data about consumers visiting the site, the practice would not be “commonly accepted.

The underlying rationale appears to be that the FTC believes that consumers expect, or can be inferred to expect, online business models to mimic offline business models.  If you are doing, or planning to do, something different and creative, you are likely going to have to meet a much higher regulatory burden than if you stick with the status quo. 

This regulatory framework is, of course, great for the status quo.  If you are doing regular stuff that the FTC imagines most consumers understand and expect, then you probably can keep doing it without much additional new regulatory intervention.  Hence, Amazon can keep on tracking your purchases and recommending books.  Google probably gets a bye as well.

But, what if you come up with something new.  Google was new once, although that was a long time ago in technology years.  I even remember being pleasantly surprised to receive book buying suggestions from Amazon. 

I don’t know what will come next.  The pace of technological innovation in this area is staggering.  Consider the rate at which Google, Facebook and Twitter evolved.  If you come up with something new, how expensive and time consuming will it be to get the FTC to say it is OK? 

Right now the US is, without question, the world leader in the communications/social media world because it is by far the best innovator.  This brings jobs and, by the way, money (as Google, Facebook et al expand overseas) into our economy.  Without some lower bar for innovative companies, the FTC may be putting lead weights on the wings of the goose that laid the golden egg.

The FTC and Commerce may well be hanging a giant sign on the door reading “Whatever you do, don’t innovate.”

            By now, readers have seen by now the preliminary FTC Staff Report, Protecting Consumer Privacy in an Era of Rapid Change (the “FTC Report”) recommending implementation of a “Do Not Track” mechanism available to all Internet users.  The Staff envisions “a uniform and comprehensive way for consumers to choose to block online tracking and targeted advertising” accomplished by legislation or potentially through robust, enforceable self-regulation.  Media outlets have heralded the ill-defined mechanism as a simple and powerful tool to aid Internet users in their losing battle to elude an ever more complex and technologically sophisticated tracking bogeyman.  Sounds great!  “Where do I sign up?” ask the masses.  Slow down masses.  As with most sweeping government regulations, the devil is in the details.  More bedeviling is that there are no, or very few, details.  The Staff merely suggests that a “persistent browser cookie” might be the most practical means of implementing “Do Not Track.”  Serious technical and other challenges to implementation, and uncertainty as to whether legislation or “robust, enforceable self-regulation” would be sufficient are then acknowledged.

            In a nod to the FTC report, the recent Department of Commerce green paper: Commercial Data Privacy and Innovation in the Internet Economy (the “Commerce Green Paper”) asks how the Commerce Department can best “encourage the discussion and development” of technologies such as “Do Not Track.”  In general, the Commerce Green Paper reflects greater support for cooperative industry self-regulation regimes than does the FTC Report.  Commerce acknowledges that the rate at which new technologies and services develop, and the pace at which consumers form expectations about acceptable and unacceptable uses of personal information, is measured in weeks or months, while a rulemaking can take years and result in rules addressing long-since abandoned services.  As such, Commerce suggests engaging multi- stakeholder groups, and employing a “Dynamic Privacy Framework” as the best means of enabling Internet users to take advantage of “Do Not Track” in whatever form it emerges.  The Commerce Green Paper mentions in a footnote testimony that goes to the heart of what every stakeholder should have in mind:  “[A]greement on what is meant by the ‘do-not-track’ sign on, say, the user’s browser, is a . . . complex task, requiring agreement on policy and best practices among a number of players including users, advertisers, marketers, technology companies, and other intermediaries.”

         FTC states that the most practical method of providing uniform choice for online behavioral advertising would involve placing a setting similar to a persistent cookie on an Internet-user’s browser and conveying that setting to sites that the browser visits, to signal whether or not the consumer wants to be tracked or receive targeted advertisements.  “Do Not Track” boosters, media and the FTC trumpet the success of FTC’s popular and successful Do Not Call registry as a bellwether of what life in a “Do Not Track” world will look like.  Some have stated that the complexity of implementing “Do Not Track” would be similar to that involved with implementing Do Not Call. Unlike Do Not Call, however, it would be unnecessary, impossible, futile and kind of ironic for the government to set up a centrally administered database of people who have elected to take shelter under any FTC-enforced “Do Not Track” umbrella.  FTC’s envisioned “uniform and persistent choice” browser setting would instead send a universally recognized message to deactivate tracking technologies.

Although a “Do Not Track” mechanism could be simple to implement from a technical standpoint, to the extent that it takes the form of a simple on/off switch such a mechanism could amount to an innovation-stifling, business-model killing command and control regime enforced by bureaucrats.  The Commerce Department Green Paper recognizes that this is the worst-case scenario.  The Green Paper states that any “Do Not Track” mechanism needs to be colored by stakeholder input and ultimately more nuanced than simply allowing consumers to flip a switch to turn off all tracking technologies.  Commentators point out that this is because most Internet users like using the free stuff available on the Internet and are willing to pay for it by way of receiving certain targeted advertisements.  The question for stakeholders, then, becomes what constitutes “tracking” and what filter will users will be able to apply to tracking activities so as to personalize their experience? For example, a user may be happy to receive targeted marketing from businesses relevant to his profession, but opposed to the collection and sharing of any information concerning that rash he picked up in the hotel spa.  Stakes are high concerning the answer to the question of what tracking is, as countless innovative business models rely on monetizing information about Internet users in one way or another.

Do Not Track makes a lot of sense as a normative principle.  If an Internet user feels uncomfortable with a certain behavior, that user should be able to opt out of being subject to that behavior, whether the behavior is accomplished by way of a cookie, a flash cookie, or some other method either he or his browser has not learned how to fend off.  The problem is in figuring out how to attack the behavior (collecting and sharing information and Internet browsing behavior concerning that rash) without creating a bright-line rule against innovative, useful and responsible ways of collecting and using information in the context of informed consent.   Content providers use the information they collect to do lots of stuff that Snidely Whiplash would find downright mundane and in many cases benevolent (e.g., debugging and personalizing user experiences). 

“Do Not Track” is not like Do Not Call.  When the FTC bars a vinyl siding salesman from calling me at dinner, I am happy.  If FTC inadvertently prevents me from enjoying a personalized experience on Pandora, my utility will likely take a hit.  As such, FTC has proposed a system where users exercise “granular control” over their “Do Not Track” preferences, rather than a crudely fashioned on/off switch.  As technologies and uses of information advance, though, how can such granular control be exercised and enforced without ending up with a tome of regulations the size of the Internal Revenue Code?  This is where it is essential for stakeholders to provide input to FTC and the Commerce Department.  “Do Not Track” was conceived with the best intentions in mind, but I’m afraid with little thought beyond how great everyone thinks Do Not Call is and whether the technology exists to persistently block scary-sounding trackers.  Stakeholders need to give the FTC and Commerce Department some real-world perspective as to what a command and control “Do Not Track” regime would look like in practice and as to what alternatives there are for protecting Internet users’ interest in the responsible, transparent use of their data in the context of informed consent.  To these ends, FTC has asked several very important questions concerning any implementation of an enforceable “Do Not Track” regime.  Among them:

• How should a universal choice mechanism be designed for consumers to control online behavioral advertising?
• How can such a mechanism be designed so that it is clear to consumers what they are choosing and what the limitations of the choice are?
• What are the potential costs and benefits of offering a standardized uniform choice mechanism to control online behavioral advertising?
• How many consumers would likely choose to avoid receiving targeted advertising?
• How many consumers, on an absolute and percentage basis, have utilized the opt-out tools currently provided?
• What is the likely impact if large numbers of consumers elect to opt out? How would it affect online publishers and advertisers, and how would it affect consumers?
• In addition to providing the option to opt out of receiving ads completely, should a universal choice mechanism for online behavioral advertising include an option that allows consumers more granular control over the types of advertising they want to receive and the type of data they are willing to have collected about them?
• Should the concept of a universal choice mechanism be extended beyond online behavioral advertising and include, for example, behavioral advertising for mobile applications?
• If the private sector does not implement an effective uniform choice mechanism voluntarily, should the FTC recommend legislation requiring such a mechanism?

Here is the regulatory proposal: The Commerce Department, in its policy framework, is affirmatively recommending that “the United States Government recognize a full set of Fair Information Practice Principles as a foundation for commercial data privacy.”

As the Commerce Department points out, the Department of Homeland Security (DHS) has adopted a set of FIPPs to govern its use of personally identifiable information (PII).  Just so you get a flavor of what FIPPs look like, here are three FIPPs taken from DHS (and cited in the Commerce Department’s framework):

• Transparency:  Organizations should be transparent and notify individuals regarding collection, use, dissemination, and maintenance of personally identifiable information (PII).
• Individual Participation:  Organizations should involve the individual in the process of using PII and, to the extent practicable, seek individual consent for the collection, use, dissemination, and maintenance of PII.  Organizations should also provide mechanisms for appropriate access, correction, and redress regarding the use of PII.
• Data Minimization:  Organizations should only collect PII that is directly relevant and necessary to accomplish the specified purpose(s) and only retain PII as long as necessary to fulfill the specified purpose(s).

These FIPPs are broad, unobjectionable principles in the “mom and apple pie” category.  They also lack the specificity to provide much guidance for compliance and enforcement.  For example, how much transparency is enough to meet the standard?  How much individual participation is practicable? 

As a result of these kinds of ambiguities, Commerce is proposing that the FIPPs sit on top of “voluntary, enforceable codes of conduct” developed through a multi-stakeholder input process.  In Commerce’s proposal, compliance with an approved voluntary code of conduct would operate as a safe harbor from enforcement action.  To be eligible for the safe harbor, a voluntary code of conduct would have to be developed through an open, multi-stakeholder process and approved by the FTC for sufficiency.  As Commerce sees it, FTC approval might be obtained as a result of a request from a party or as a result of the resolution of a specific dispute. 

In the absence of a voluntary code of conduct, Commerce is, apparently, prepared to recommend FTC rulemaking or actual legislation.  Commerce clearly prefers the use of FIPPs with codes of conduct because they appear to be more flexible than either rulemaking or legislation.  Commerce may be right about the flexibility, but, flexible or not, Commerce does not seem to consider the potentially differing effect of any of these processes on differently situated groups.

Here is the rub:  Google’s ability to develop a voluntary code of conduct through “an open, multi-stakeholder process” is completely different from that of an early stage company that just got five million dollars of venture money, let alone a start-up with few hundred thousand dollars of angel money.  The internet is still evolving at an astonishing rate.  Companies that were once tiny have become titans (look at Google or Facebook).  There remain many of these stories to come.  The Commerce Department itself points out that “Between 1998 and 2008, the number of domestic IT jobs grew by 26%, four times faster than US employment as a whole…By 2018, IT employment is expected to grow by another 22 percent.”  This growth is driven by innovation.  Innovation, in turn, is driven by small tech companies.  Burdening these companies with rules and regulations that might make sense for Microsoft, Google and Facebook is tantamount to slamming the breaks on progress in one of the US economy’s few potential bright spots.

 The FTC has this to say in its proposal:

For every business, privacy should be a basic consideration – similar to keeping track of costs and revenues, or strategic planning. To further this goal, this report proposes a normative framework for how companies should protect consumers’ privacy. This proposal is intended to inform policymakers, including Congress, as they develop solutions, policies, and potential laws governing privacy, and guide and motivate industry as it develops more robust and effective best practices and self-regulatory guidelines.

Commerce Secretary Gary Locke has this to say about the Commerce proposal:

America needs a robust privacy framework that preserves consumer trust in the evolving Internet economy while ensuring the Web remains a platform for innovation, jobs, and economic growth. Self-regulation without stronger enforcement is not enough. Consumers must trust the Internet in order for businesses to succeed online.

I believe that the “big boys” (Microsoft, Google, Facebook et. al.) are on top of the issues and have, doubtless, retained armies of lobbyists to influence whatever regulation comes out of the FTC and Commerce.  Having said that, I don’t think that smaller tech companies that could be affected by the upcoming regulations or their investors have given this topic much thought.  Perhaps, that is not really fair.  It is more probable that they have not focused on the substantive provisions that are up for consideration or how those provisions (if adopted in the forms proposed) could affect them.  Finally, I don’t think small tech companies and their investors think they can do much about any of this, so why spend time on it.

As a result, I (together with a couple of my colleagues here at Foley Hoag, Pat Connolly and Hillary Fitzpatrick) have decided to write a series of posts addressing some of the more material proposals at a pretty granular level.  These posts will appear regularly over the next few weeks.  Actually, I want to put them up before the last week of January because that is when the comment period for the FTC and Commerce proposals runs out. 

The purpose of these posts is to educate about what is actually in the proposals and to build support for outreach to the FTC and Commerce in an effort to limit the potential negative impact of these proposals on early stage and venture financed tech companies.

One theme that will emerge is that there will be some level of regulation protecting consumer privacy.  So, these posts are not really about resisting the inevitable.  To the extent that these posts are about affecting the FTC and Commerce outcomes, they will be about the art of the possible.  It is too late to go back to the relatively unregulated world that we have become used to in the internet.  The status quo is going to change.  But there is some room for influencing the actual outcome.

Another theme that will emerge is that the interests of the internet big boys are not necessarily the same as that of early stage companies.  For example, the ability of companies that are profitable or have relatively easy access to capital to comply with regulatory requirements is very different from that of a start up or a company with angel or venture financing.  For this reason, smaller companies and their investors should not just assume that the big boys will make sure things come out OK.

A final theme that will come out is that you have to speak to be heard.  As of last Monday, there were 177 comments to the FTC proposal and almost all of them supported do-not-track.  None of the ones I looked at recognized any special adverse impact that the proposals are likely to have on small companies.  If the comment period closes and there is nothing from the early stage tech community in the docket, the FTC and Commerce will be in a position to address the concerns of all the other constituents and ignore the entrepreneurial world.