Last week, the bipartisan Kerry-McCain bill proposed legislation on a Commercial Privacy Bill of Rights that would put the Federal Trade Commission in charge of policing the online collection, sharing and use of personal information. Because the legislation is watered down relative to prior proposals, the Kerry-McCain bill will face the least industry resistance and is more likely to be passed this year. Passage would shift some power in online media, and force changes in the way online ad networks and other targeters work with content sites.
The proposed bill is relatively business-friendly, so much so that it’s drawing criticism from privacy rights activists. The bill:
- Focuses explicitly on the use of personal information for behavioral ad targeting — and particularly on data sharing between companies — rather than information collection in general.
- Mandates opt-out policies for personal information use, but only requires tighter opt-in permission for sharing “sensitive” personally identifiable information related to religion, health and finances.
- Enables what some are calling a Facebook loophole that imposes lighter restrictions on web-wide information collection and use by companies where the user has an account. This would favor Facebook Connect over ad networks.
- Is strict about data-sharing for behavioral targeting via third parties (data collectors and ad networks), but much looser on ad targeting done by a publisher that collects the data on its own site.
- Does not address “Do Not Track,” the concept of a universal opt-out mechanism that users broadcast to sites popularized by the FTC last December. In February, Congresswoman Jackie Speier, D-Calif., proposed that the FTC create and manage a Do Not Track framework.
Although advertising industry groups are predictably resistant to any kind of regulation, their initial reactions to Kerry-McCain seem more muted than concerns they had prior to the bill’s introduction. Big tech companies like Facebook, Microsoft, eBay, Hewlett-Packard and Intel expressed support for the bill. The trade groups are probably relieved about the absence of Do Not Track, which they fear encourages users to block all cookies and customization indiscriminately, and requires potentially costly support from ad servers, ad networks and sites. Apple is the latest browser maker to experiment with Do Not Track support, after Mozilla and Microsoft; Google favors an alternative approach that maintains user opt-outs.
Privacy Legislation Impact Scenarios
The promise of online advertising has been the potential combination of television-like reach with precision targeting. Passage of the Kerry-McCain bill or something similar will have the following effects on the online media landscape:
- Online content sites: Don’t call me a conspiracy theorist, but some traditional publishers like the Wall Street Journal might be perfectly happy without web-wide behavioral targeting. They could tout the value of their online/offline audience and promote contextual targeting and sponsorships. As noted, publishers would able to follow and target a user within their own site, which would benefit portals like Yahoo and AOL, which have huge audiences and broad variety of content.
- Online advertising ecosystem: The bill’s restrictive approach to behavioral targeting favors search advertising over display ad formats. It also weakens industry efforts to deliver attribution, i.e., understanding and valuing the longer-term effects of seeing brand advertising. The data sharing guidelines could force data miners (Experian, Audience Science, BlueKai) and ad networks (DoubleClick, ValueClick, 24/7 Real Media) to secure more formal contractual relationships with content sites that have registered users. And the legislation seems to leave room for third parties to take user info and create anonymized groups of targetable customer “types” based on demographics and behavior.
- Social targeting: Today, most third-party social targeters (Lotame, 33Across, Media6Degrees, Rapleaf) base their analysis on tracking user behavior with their own cookies, rather than getting access to API data from Facebook or Twitter. Legislation may make them pay for access, and even then, Facebook to-date has been stingy about data sharing. Likely it’s saving that targeting opportunity for itself.