One Step Forward, Five Steps Back: An Analysis of the Draft Privacy Legislation

May 5, 2010
| Reports

Draft legislation on consumer privacy offer many opportunities for improvement.


On May 4, 2010, U.S. Representatives Rick Boucher (D-VA) and Cliff Stearns (R-FL) released a discussion draft of legislation governing data privacy.[1] The legislation would create specific data usage and handling requirements for nongovernmental organizations that collect, use or disclose consumer data. Organizations not following these requirements would be subject to penalties from enforcement actions brought forth by the Federal Trade Commission (FTC) or by state attorneys general and state consumer protection agencies. The legislation does not create a private right of action.

As consumer data increasingly is collected and stored electronically, it is important for Congress to consider the effect this has on privacy. The discussion draft provides a welcome opportunity to explore the best ways of protecting individual privacy while avoiding constraints on business innovation and unintended negative impacts on consumers. However, much of the concern over data privacy is speculative and consumers have experienced few, if any, harms because of the current privacy laws. Before Congress enacts new laws, it should first demonstrate that better enforcement of existing privacy regulations are insufficient to protect consumers. Enactment of this legislation as drafted would add yet another layer of complexity to the existing patchwork of federal laws regulating consumer privacy, including the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act (FCRA), the Health Insurance Portability and Accountability Act (HIPAA) and the Fair Debt Collection Practices Act (FDCPA). Moreover, it represents yet another push for more government control over the private sector in the name of protecting consumers. Too often such legislation ends up imposing news costs on consumers and limiting innovation and the development of new online services.

This is not to say that a federal framework for consumer privacy would not be useful. However, policymakers should recognize that consumer privacy should not come at the expense of beneficial uses of individual data. For example, some organizations, such as LegiStorm, which provides salary information on Congressional staffers, and, which tracks money in politics, use personal data to provide online tools to foster transparency and public accountability. Other organizations use consumer data for other beneficial purposes, such as providing a service or delivering targeted advertising.

In its current form, the draft legislation presents many problems including 1) raising costs for consumers while creating few benefits; 2) establishing affirmative consent (“opt in”) requirements for the collection, use and disclosure of certain types of information; 3) creating certain restrictions on behavioral target advertising; 4) granting the FTC the authority to establish a security standard to protect consumer information; and 5) failing to update privacy laws regarding government use of digital data. However, one positive element of this draft legislation is that it includes a preemption clause so that the proposed federal law would supersede any state regulations. To be effective, a federal framework for consumer data privacy should establish a single, nationwide standard for consumer privacy thereby reducing regulatory complexity for the private sector.

Bad: Raises costs for consumers while creating few benefits

The draft legislation includes certain provisions that create unnecessary costs for the private sector which will be borne by consumers.

First, in an effort to apply the rules not just to the Internet, the draft legislation mandates that, in certain instances, organizations provide offline notification of their privacy policy to consumers. The legislation states, “If the covered entity collects covered information by any means that does not utilize the Internet, the privacy notice required by this section shall be made available to an individual in writing before the covered entity collects any covered information from that individual.” The potential impact of this one sentence could be substantial as it would likely require many organizations to provide paper-based copies of their privacy policy to individuals. For example, this requirement would appear to limit the ability of organizations to collect registration forms or surveys from in-person events such as conferences or sporting events without first providing copies of the organization’s privacy policy. Not only would this requirement cost a significant sum of money to implement nationwide, it would also be a waste of paper.

Second, the draft legislation mandates that all organizations covered under the legislation (i.e. virtually all online businesses) must have a privacy notice on their website conforming to specific requirements. The legislation defines 15 specific items that each privacy policy must contain including, for example, “a hyperlink to or a listing of the [FTC’s] online consumer complaint form.” While privacy policies have been an industry best practice for many years, this legislation would impose a cost on organizations large and small as they would need to undertake a review of their privacy policy to ensure it conforms to this legislation.

Bad: Establishes affirmative consent (“opt in”) requirements for the collection, use and disclosure of certain types of information

Currently, organizations operate under a notice and choice regime, whereby consumers can review the privacy policies, if any, offered by an organization, and then decide whether to use the services offered by that organization. For example, if a new mobile application or online service does not provide a privacy notice on their website, consumers can decide that this does not meet their standards and not use the application or service. While many privacy advocates would like to see a more granular system in which consumers could opt out of specific types of data collection and use, the current privacy regime is effectively an opt-out system since consumers can decide whether or not to use a service based on the data usage and handling practices of an organization.

The draft legislation ends the current regime by establishing affirmative consent (“opt in”) requirements for certain situations including: collecting sensitive information and location-based information; sharing information with third-parties; and modifying an organization’s privacy policy. Others have shown how “opt-in is a rhetorical straw-man that cannot really be implemented by regulatory policies without creating a number of unintended side effects, many of which are suboptimal for individual privacy.”[2] In addition, opt-in requirements create an administrative burden on organizations as they must ensure that every user take a proactive step before they can offer their customers a specific service. Policymakers should endeavor to understand the costs of opt-in before enacting this requirement.

For example, the draft legislation unnecessarily restricts the collection of certain types of information related to an individual’s location or deemed “sensitive.” In addition, the restriction on sharing information with third parties would limit the ability of organizations to integrate their services with other providers. For example, organizations would find it more difficult to partner with outside entities to create a combined service. Mash-ups—remixing data across multiple external service providers—are one of the hallmarks of the Web 2.0. Organizations using services provided by another entity that require consumer information, for example an online mapping service, would possibly not be allowed without affirmative consent. Similarly, the requirement that covered entities obtain affirmative consent from users before making any material changes in their privacy policies would restrict the ability of service providers to rapidly develop and deploy new services, such as the changes recently introduced by Facebook.[3] These types of restrictions would effectively create speed bumps to innovation.

Finally, by requiring organizations to obtain affirmative consent for every material change in their privacy policy, this legislation would create an incentive for organizations to establish unrestrictive privacy policies so that future development would not be needlessly constrained by their own policies.

Bad: Creates certain restrictions on behavioral target advertising

While there is support in Congress for behavioral targeted advertising, the draft legislation includes provisions that would restrict this beneficial type of online advertising which provides consumers more relevant ads.

First, the restriction on the collection and disclosure of certain types of information categorized as “sensitive” means there is an entire class of targeted advertising that cannot be used. The draft legislation defines sensitive information as data that relates to an individual’s medical information, race or ethnicity, religious beliefs, sexual orientation, finances, and precise physical location. Collection of this information would require organizations to first obtain affirmative consent. In particular, the restrictions on using data related to medical information, sexual orientation, race or ethnicity, and religious beliefs without affirmative consent would restrict many types of potentially beneficial forms of advertising. For example, these restrictions could potentially prevent marketers from effectively creating targeted ad campaigns for services like online Christian bookstores, Brazilian music stores, or gay dating websites.

Second, the draft legislation requires organizations to follow specific guidelines regarding the use of data in profiles used to provide services such as targeted advertising. For example, the legislation requires organizations to provide “a readily accessible opt-out mechanism whereby, the opt-out choice of the individual is preserved and protected from incidental or accidental deletion.” This requirement goes against current industry practice. The Network Advertising Initiative (NAI), the online advertising industry organization that has been developing most of the standards for third-party ad networks, currently use cookies (small data files stored on a user’s computer) to allow consumers to opt out of participating online advertising networks’ behavioral advertising programs.[4] However, cookies do not fit the technology requirement as stated in the legislation since they can be accidentally deleted by a user, and so these third-party advertising networks would not be in compliance with the new legislation.

The legislation also requires websites to place a “symbol or seal” near every targeted ad that links to information about their advertising partner and information about any data associated with that user profile. Requiring targeted ads to have a special mark identifying them as such would unfairly disadvantage targeted ads against non-targeted ads. Given that targeted ads generate more than two times the revenue of non-targeted ads, this would have a negative impact on revenues for online publishers and service providers and would harm the Internet ecosystem, particularly the so-called “long tail” of small websites supported by ad revenues.[5] In addition, policymakers concerned with the decline of print media should note that greater revenue from targeted online advertising will likely be necessary for journalism to survive in the Internet age.

The legislation also states that users should be able to “review and modify” any preference profile created by an online ad network or other service provider. This requirement would force websites to build front-end systems to allow consumers to interact with data saved in their profile. Currently if consumers want to “opt out” of targeted advertising, they avoid websites that use this form of advertising or use various technical controls, such as web browser plug-ins, that block ads. This requirement would pose an unnecessary and unneeded cost on service providers (and ultimately consumers) and would generate little to no real benefit to consumers. Users that choose to opt out of targeted advertising but still access a website’s content or services are free riders, getting all of the benefits of a free service without bearing any of the costs. It does not make sense to require service providers to build a system to make it easier for users to free ride by opting out of targeted advertising. Unfortunately, this type of requirement reflects the prevailing message of privacy fundamentalists that privacy trumps all other values. However, policymakers should recognize that privacy, as with any other value, must be balanced against other competing interests and can, as it will here, comes at a real financial cost.

Bad: Grants the FTC the authority to establish a security standard to protect consumer information

The draft legislation grants the FTC authority to “establish, implement, and maintain appropriate administrative, technical, and physical safeguards” that it deems necessary. Such a broad authority over every nongovernmental organization maintaining consumer information effectively gives the FTC a far reaching authority over the information security practices of the private sector. Using this authority, the FTC could effectively set the standard for the security practices of private sector systems and networks. While the federal government does have a role in fostering good information security practices, the private sector is in a better position than the federal government to manage risk for its own systems and networks.

Bad: Fails to update privacy laws regarding government use of digital data

While the draft legislation attempts to enhance privacy for consumers, no mention is made of government use of consumer data. The legislation exempts government agencies from maintaining the same privacy standards that it would require from the private sector. Improper use of consumer data by government is arguably the greater threat preventing more widespread use of technologies like cloud computing. As ITIF and others have argued previously, Congress should act to reform laws such as the Electronic Communications Privacy Act (ECPA) to ensure that citizens have a right to privacy for their electronic data whether it is stored at home on a PC or remotely in the cloud.[6]

Good: Includes a preemption clause that supersedes state requirements

While legislators should look carefully at the concerns outlined here, the discussion draft does have a one positive element: it includes a preemption clause. As the legislation states, “This Act supersedes any provision of a statute, regulation, or rule of a State or political subdivision of a State that includes requirements for the collection, use, or disclosure of covered information.” If Congress does move forward with privacy legislation, it should ensure that any new regulations preempt state laws, otherwise online service providers will find themselves facing competing, and possibly contradictory, data use and handling requirements for consumers.

[1] “Staff discussion draft,” 111th Congress, 1st Session, May 3, 2010,

[2] Nicklas Lundblad and Betsy Masiello, “Opt-in Dystopias,” SCRIPTed 7, no. 155 (2010),

[3] Daniel Castro, The Right to Privacy is Not a Right to Facebook (Washington, DC: The Information Technology & Innovation Foundation, April 30, 2010),

[4] “Opt Out of Behavioral Advertising,” Network Advertising Initiative (2010),

[5] “Study finds behaviorally-targeted ads more than twice as valuable, twice as effective as non-targeted online ads,” Network Advertising Initiative, press release, March 24, 2010,

[6] “ITIF Calls for Updates to Privacy Laws,” Information Technology and Innovation Foundation, press release, March 30, 2010,

The Right to Privacy is Not a Right to Facebook

April 30, 2010
| Reports

Don't like Facebook's privacy policy? Then don't use it. But don't ask government to run Facebook.


On April 27, four senators—Charles Schumer (D-NY), Michael Bennet (D-CO), Mark Begich (D-AK) and Al Franken (D-MN)—sent a letter to Facebook expressing concerns about Facebook’s current privacy policy. Specifically, the authors of the letter criticize Facebook’s decision to make certain data from a user’s profile public and to allow third-party partners to use and store this data. This criticism centers around two new features Facebook debuted at its F8 Developer Conference earlier this month—instant personalization and social plugins. The first feature, instant personalization, allows certain partner sites to use data from a Facebook user’s profile to customize their online experience. For example, if a Facebook user visits Pandora, an Internet radio website, instant personalization will allow Pandora to create a custom radio station for the user based on their likes and dislikes from their Facebook profile. The second new feature, social plugins, allows developers to place a Facebook widget on their website so that visitors can “Like” a page or post comments. These interests can then be shown on a Facebook user’s news feed and users can see their friend’s activity. Both of these new features users can opt not to use.

For those who have been following the debate on online privacy, this letter should come as no surprise—countless advocacy groups have criticized companies like Facebook and Google for what they see as the erosion of user privacy online. However, contrary to what critics may say, the latest offerings from companies like Facebook and Google do not herald the end of privacy as we know it on the Internet. Instead, it reflects the natural evolution of online applications as they increasingly make use of user data to offer more personalized products and services and find ways to monetize an otherwise free service. Yet unfortunately privacy fundamentalists (e.g., those individuals and organizations who place the protection of privacy above all else, refusing to see it as one value competing against others) continue to generate headlines by raising objections to the efforts of these companies by arguing that they “violate user expectations” and “diminish user privacy.”

There are two different questions central to this debate: first, should Facebook be able to use private information to deliver products and services to its customers; and second, should any company be able to do this?

From a policy perspective, the first question is less interesting. The answer is one that will likely be settled by legal action (or the absence of it). Privacy policies exist for a reason: they tell users of a website what an organization can and cannot do with your personal data. If an organization deviates from its policy—if it uses private data for purposes that are in direct violation of is stated policy—then it can and should be held liable. Whether Facebook violated its stated privacy policy and whether it engaged in unfair and deceptive business practices is something that the FTC and other nations’ consumer protection agencies will have to decide.

The second question—should organizations be able to use private data for new types of products and services—is the more interesting question. Privacy fundamentalist routinely argue that consumers have an expectation of privacy regardless of what the privacy policy states and that when organizations use personal data, for example to recommend music or supply targeted advertising, they have violated this expectation of privacy. They argue that privacy policies are too difficult for consumers to decipher or that consumers do not read them and so government regulation is needed. It is this misguided notion, that consumer preference (or rather the preference of privacy fundamentalists) trumps business prerogative, that is central to the arguments made by privacy fundamentalists when calling for government to intrude on the business decisions of the private sector.

Yet even if you accept the premise that consumers had an expectation of privacy, the last few years of debate over online privacy should make it clear to even the most casual user that this is no longer true. Many Internet companies clearly intend to continue to find innovative ways to use personal data to deliver products and services to their customers. While Facebook CEO Mark Zuckerberg may or may not “believe in privacy”, it is clear that Facebook thinks that companies should respond to changing social norms on privacy and that the overall trend is towards more sharing and openness of personal data. So going forward, no Facebook user (or privacy fundamentalist) can continue to use the service without admitting that the benefits of using the website outweigh any reservation the user has about sharing his or her personal data. As the saying goes, “Fool me once, shame on you. Fool me twice, shame on me.”

Certainly some users may still object to this tradeoff. But if you don’t like it, don’t use it. Facebook is neither a right nor a necessity. Moreover, it is a free tool that individuals can use in exchange for online advertising. In fact, one high-profile Facebook user, the German Consumer Protection Minister Ilse Aigner, has already threatened to close down her Facebook profile in protest of Facebook’s new privacy policies. Users that feel this way about Facebook’s changes should vote with their mouse and click their way to greener pastures. Companies respond to market forces and consumer demands, and if enough users object to the privacy policy of Facebook, these individuals should be able to find a start-up willing to provide a privacy-rich social networking experience.

Even Facebook responds to public opinion and consumer pressure. In December, Facebook modified its privacy settings so that certain information including friends list, gender, city, and profile photo, would be public information. In response to complaints from some users, Facebook modified its interface to give users more control over the privacy of different types of information. Neither was this the first time that Facebook revised its policies in response to consumer behavior. In 2006, Facebook altered its policy regarding its “news feed” feature that updates users about their friends’ activities.

This is not to say that online privacy is not a topic worthy of government oversight and legislative action. As ITIF has argued, existing protections for individuals from laws such as the Electronic Communications Privacy Act (ECPA) are woefully outdated and in need of reform. Citizens should have a right to privacy for their electronic data and safeguards should be the same regardless of whether data is stored at home on a PC or remotely in the cloud.

So the next time Facebook changes its privacy policy, let’s not act like this is a national emergency. Companies do things that the some members of the public do not like all the time. When Coca-Cola introduced New Coke, we did not need the U.S. Senate to step in to right this wrong, and neither do consumers need government to police every feature or policy tweak that websites make.

ITIF Calls for Updates to Privacy Laws

The Information Technology and Innovation Foundation today called for updates to federal laws regarding the privacy of electronic data and communications to bring our communications laws into the 21st century to reflect changes in technology over the last decade. Read more »

Video Blog: YouTube & Italy

March 5, 2010
Rob Atkinson explains how the conviction of three Google execs in Italy will have a chilling effect on the Internet.

Rob Atkinson explains how the conviction of three Google execs in Italy will have a chilling effect on the Internet.

TSA to Terrorists: I’ll show you mine if…

January 12, 2010
| Blogs & Op-eds

In a post, ITIF argues that the debate over whole-body imaging for airport screening should focus on the merits of the technogy, rather than privacy fears based on speculation and worst-case scenarios.

Syndicate content