I just received an encouraging letter from the Federal Trade Commission assuring me that its Division of Privacy and Identity Protection is "carefully monitoring the privacy issues associated with online tracking."
The letter, from Maneesha Mithal, the division's Associate Director, was in response to our recent complaint about companies who said they would not track consumers who opted out. According to a study by the Stanford Security Lab, eight companies only stopped serving behavioral ads to consumers. They continued to track them in violation of their published privacy policies.
The offenders were 24/7 Real Media, Adconion, AudienceScience, Netmining, Undertone, Vibrant Media, Wall Street on Demand and TARGUSinfo Advisor.
"Your letter raises important issues that relate to online data collection and use practices as well as the ability of consumers to limit or prevent such collection and use of their data," wrote Mithal. She said the FTC has "aggressively pursued enforcement in the online behavioral advertising area."
Mithal also cited the June settlement with Chitika, an advertising company which allowed consumers to opt out, but didn't say the opt-out cookies lasted only 10 days. Under the FTC order Chitika's opt-out cookie must last at least five years.
She also pointed out that FTC staff has recommended "that consumers be given a universal, one-stop control mechanism for online behavioral tracking, often referred to as Do Not Track."
Three of the four browsers — Apple's Safari, Mozilla's Firefox and Microsoft's Internet Explorer — have implemented a Do Not Track option. Google has not done so with Chrome. The problem is that there is no requirement that DNT requests be honored. We need legislation that would mandate DNT requests be honored and impose stiff sanctions if they were not. The law should give explicit enforcement authority to the FTC and state attorneys general as well as include a right of private action.
For now the FTC is essentially limited to cracking down on companies that violate their own privacy policies or act in unfair or deceptive manner. That was the case in the Stanford Security Lab case.
Here's what Mithal said specifically about my complaint:
"Please be advised that any Commission investigation is non-public unless and until the Commission decides to issue a formal complaint or close the investigation. As a result, we can neither confirm nor deny that we are conducting an investigation of the issues raised by your letter.
"Thank you for raising this issue with us."
My interpretation of the entire letter: The FTC is very much on the case.