I’ve been saying it for well over a year and Facebook may have been the final straw. The concern over privacy and user control raised in the wake of the Facebook “Open Graph” and Social Plugins initiative, as well as ongoing questions over behavioral targeting and online data mining, have created a kind of perfect storm that are all but certain to bring new regulation to data collection online.
New draft privacy legislation in Congress has already been proposed and circulated:
No consent is required to collect and use operational or transactional data – the routine web logs or session cookies that are necessary for the functioning of the website – or to use aggregate data or data that has been rendered anonymous.
Companies need an individual’s express opt-in consent to knowingly collect sensitive information about an individual, including information that relates to an individual’s medical records, financial accounts, Social Security number, sexual orientation, government-issued identifiers and precise geographic location information.
Some version of this Boucher bill (.pdf) will pass in Congress. On the surface and at the highest level it may not be that different from IAB “self-regulation” schemes or best practices employed today. What may be different is that the legislation empowers the FTC to make more rules and enforce the law. The state attorneys general are also empowered to enforce these rules and punish offenders through civil litigation. They can accordingly seek injunctions and civil damages against the offending companies.
This would also open the door to a wave of private and class action lawsuits against companies perceived to have deep pockets that violated the law. It effectively puts the burden on publishers, ad networks and others to very strictly comply with the rules and disclosure requirements or face punishment in the form of damages.
By playing “fast and loose” with privacy, being arrogant, naive, manipulative and aggressive about data collection and ad targeting online firms have brought this on themselves.
Google and then Yahoo have developed relatively clear pages that enable consumers to exercise some control over data collection and privacy (JumpTap has done a version of this in mobile). But this model has not been widely followed by others. Regulation might have been avoided if there were a more sincere and pervasive effort to do something similar across the Internet.
Any “self regulation” efforts now put forth are too little too late. Federal privacy regulation is coming. Indeed it’s almost here.
The IAB doesn’t like the bill of course, while consumer groups think it’s too lenient.