The Internet has long grappled with the issue of consumer privacy. In the second article of an eight-part series, Digiday examines the issue of “Redefining Privacy.” The series is made possible through the sponsorship of Truste, a provider of online privacy services.
Last week the FTC announced it charged MySpace with violating federal law after the social network shared users’ personal information with advertisers. Facebook and Google have also felt the wrath of the Commission in recent months, as it continues to ramp up its scrutiny of the online media industry’s user-data practices. In light of that fact, Digiday caught up with Daren Orzechowski, a partner at international law firm White & Case who specializes in technology and data privacy. He spoke to Digiday about the FTC’s continued interest in the area and how privacy legislation could affect online business models.
Why is the FTC stepping up its scrutiny of online data and privacy practices?
Privacy law in the U.S. has historically been pretty loose, so the entire industry grew up without a whole lot of regulation. Now we have a situation where, culturally, people are taking a hard look at these issues, comparing them with what’s going on in other parts of the world, such as the E.U., and asking why we don’t have the same. Some companies have been telling people in privacy policies that they are only going to collect and use information in a certain way, but that isn’t always necessarily the case. Now the FTC is utilizing its broad powers under the FTC Act and going after people for deceptive business practices.
How big of a threat are privacy issues to current online business models?
Companies and industries have been allowed to very rapidly develop in an era without a lot of regulation. Now the trick is balancing their expectations with the privacy concerns that could change or threaten their businesses. On a personal note, I would like to have a little more insight into what’s happening with my information. I think companies can do more, and a lot of them are in the process of doing so. An interesting point is the cultural differences around this. In Europe, the consumer position is generally “don’t use my information without permission.” In the U.S., the cultural thinking from the industry has been, “If you didn’t tell me I couldn’t, I can do it.” That’s at the heart of discussion. In years past when we’ve worked with clients around this, it’s been more of a PR-type issue than a legal one. Most businesses look at it in terms of risk and what they should be doing to manage it. The real impact to businesses comes when people stop trusting you.
What about the implications for online advertising specifically?
The questions are around targeting and tracking. Again, advertisers have been allowed to do this previously, and that’s how the industry has grown up, but now people want to understand things a little better. Most people would say it’s creepy to have their behavior tracked online for advertising purposes, but at the same time they recognize having a site remember them and perhaps tailor an experience to them is a good thing. That’s part of the tension at the heart of this debate right now, it’s a question of what uses are and aren’t allowed.
How can the FTC influence this debate?
The FTC has powers that have been given to it right now. Until something new is given to them, they can’t really change the landscape. They can decide where to enforce and where not to enforce. The privacy framework they issued calls for legislation and regulation, and the legislation that’s been proposed hasn’t been passed. From what we’re seeing right now, it doesn’t look like anything has a good prospect of getting passed any time soon, so the FTC is using its broad powers to go after people that aren’t being transparent. The FTC is shaping policy by enforcement, while others are working on legislation.
Will we see formal legislation in this area in the next couple of years?
I think there will be a couple of things that do get through which could help consumers and businesses. Maybe after the election it’ll be a little easier. One thing is the ability for businesses to put out very simple, straight-forward privacy policies that consumers can really understand. At the moment, businesses are concerned they’re exposing themselves to liability and putting out 20-page policies as a result. There needs to be a balance around that, with short, understandable policies. One other area is harmonization. It would be nice if there was a federal law in place that harmonized some of the different state laws that exist around issues such as minimum security around data. The differences can be overwhelming for businesses.