What has not yet been effectively addressed by this FTC recommendation is that not all data in question is the same. Some of the data is the product of online tracking and online collection processes. Some of the data is public information from sources like the Census, the Department of Treasury or home purchase and refinance transactions. Some of the data is more sensitive, such as music downloads and catalogue purchases, and some of the data is undeniably sensitive, such as online banking accounts and pharmaceutical purchase activity.
It is interesting that two precedents exist on privacy protection authored by the FTC that may inform us on what they considered and how they will encourage legislation to develop. One bill underlines the potential impact of a blanket ban on data collection, and another offers a more nuanced approach on how data can be packaged and applied to benefit commerce while protecting individuals.
In 2004 the FTC called for protection against unsolicited telemarketing calls. And while few of us look forward to telemarketing calls, the National Do-Not-Call registry now has more 200 million people signed up. Except for politicians and the non-profits who are exempt, commerce by telemarketing was safely laid to rest. Do-Not-Call was an industry killer – albeit, an industry for which few tears were shed.
In a more nuanced approach in 2003 the FTC introduced the Fair Credit and Reporting Act. In this legislation the FTC made an important distinction between public information and the collection and usage of sensitive data – in this case credit scores. In the ruling sensitive data could be collected and used for permissible purpose under certain guidelines. One of these guidelines included the use of credit data in aggregated form. This benefited commercial efforts to sell financial products to a qualified public without specific households being identified. The other important guideline was that only credit bureaus would be authorized to collect sensitive credit information and they could only broker that information to qualified parties for a permitted purpose.
Privacy concerns have been conflated in many ways over the last couple of years but the bottom line is people do not want to be tracked. Even those of us in the industry recognize that "tracking" is effectively the same thing as "collecting" personal information – and doing so without permission.
If we are ever going to get in front of this issue we must change the conversation from "opt-out" to "opt-in". It is our belief that browsers and consumer accounts should default to a universal opt-out of cookies status except under two conditions:
- Consumers can have a cookie set if they have a first-party relationship with the publisher - defined as either a user login, or a purchase from an online store or merchant.
- The user exercises a formal opt-in to a publisher's site when presented with a form.
We believe that regulation of the first-party relationship also support the restriction of personal data being misused.
- Any cookie set by a first-party publisher can only be used by that publisher and cannot be resold to any third party without the express permission of the user at the point of registration. Permission must be formally executed by opting-in through an online form and any cookie resold would be for analytical purposes with the end-product being restricted to "clusters" or "segments" of aggregated cookies with a similar objective and value.