As concern over Internet
advertising and data collection grows, privacy advocates and the
Internet advertising industry have been sharpening their legal knives
for more than a year. Now two Congressmen have finally given them a
piece of legislation they’re all too happy to slice apart. 

Rick Boucher, D-Va., and Cliff Stearns, R-Fla., released a draft
Tuesday of a privacy bill aimed at defining broad new regulations for
the data collection practices of online advertising. The bill would
require sites to offer easier methods of letting users prevent their
behavior from being tracked online, warn users about data collection
with a symbol on Web pages and require sites to render anonymous any
data they collect after 18 months.

But while those new safeguards are enough to raise hackles in the
advertising industry, irate privacy groups say they fall short of their
demands, and even represent a deterioration of current privacy
protections. "This is very flawed legislation," Jeffrey Chester,
president of the Center for Digital Democracy, told reporters on a
conference call. "The bill is going to have to be radically revised, or
it will face significant opposition from consumer and privacy groups and
their supporters."

One of the key battles in online privacy has been over the question
of "opt-out" vs. "opt-in": Should users have to agree to have their
online behavior data collected, or should sites legally be allowed to
track their behavior by default, with an option to stop that collection
upon request?

Boucher’s and Stearns’ bill offers just enough of each approach to
please neither advertisers nor privacy advocates. For sensitive data
such as telephone numbers, postal and e-mail addresses, social security
numbers or financial data, a site would have to explicitly request a
user’s permission to track and store the information. For tracking of
users’ paths around the Web for what the bill calls "transactional" or
"operational" purposes, sites would be allowed to collect data on users’
behaviors without their permission, though they would be required to
overtly state on their site with a "seal or symbol" that the page
engages in behavioral tracking, and would have to allow the user to
prevent that tracking upon request.

The bill also puts strict regulations on tracking users’ behavior on
mobile devices, an increasing concern as Web-friendly devices like
Android phones and iPhones make handsets a new destination for ads.
Location-based tracking on cellphones or other portable gadgets would
fall under the more sensitive category of data that requires users to
opt in before it can be collected.

To Mike Zanneis, vice president of public policy at the Internet
Advertising Bureau, the new safeguards sound ill-defined and potentially
dangerous to the $23 billion online ad industry. "Opt-in is really the
most burdensome privacy restriction that we implement in the U.S.,"
Zanneis says.

He argues that the data requiring opt-in measures defined by the bill
in its current form could include not just names and addresses but also
IP addresses and "cookie" files that sites download to a user’s browser
to note his or her path on the Web. "We know that greater than 70% of
all online advertising depends on targeting techniques," he says. "If we
have an opt-in standard for cookies, that would impact the vast
majority of online advertising, and that’s what we want to avoid."

Meanwhile, privacy advocates argue that the bill’s exemption for
"operational" collection of data–allowing those practices to take place
under an "opt-out" rule–gives advertisers far too much leeway. "This
bill really adopts an archaic and bankrupt ‘notice and consent’ regime
that we all know doesn’t’ work," says John Simpson, head of the Google
Privacy and Accountability project at Consumer Watchdog.

Consumers, it’s been shown repeatedly, don’t take advantage of
opt-out functions. In a Congressional hearing last June, Representative
Stearns asked Google and Yahoo’s
privacy executives how many users chose to not take part in their ad
tracking systems. Yahoo’s rep said the number was "less than 1%," and
Google’s rep replied that she didn’t know. (See: "Congress
Mulls Online Privacy Law")

In a study last month, NYU law professor Florencia Marotta Wurgler
found that less than one in 1,000 users even reads the fine print on
websites’ terms of service. (See: "Who
Reads The Fine Print?") "We need better rules for the road on the
Web, so that users don’t have to worry about reading the fine print or
clicking ‘I agree’," says Peter Eckersley, an attorney with the
Electronic Frontier Foundation.

Worse yet, privacy groups also point out that the bill would preclude
any state-level legislation and would restrict privacy class-action
lawsuits. Instead, the Federal Trade Commission would enforce the law.
That’s not a strategy that’s worked in the past, says Ginger McCall of
the Electronic Privacy Information Center (EPIC). Despite three
complaints that EPIC has issued against perceived privacy violations by
Google Buzz and Facebook’s recent data-sharing moves–one released
Tuesday–the FTC hasn’t taken any action against the companies. "The
lack of enforcement on the FTC’s part has been very troubling," McCall
says.

In last June’s hearing, Rep. Boucher responded to advertisers’
concerns by promising that he had "no intention of doing anything that
would disrupt a very important and essential business model for
Internet-based companies."

But the Center for Digital Democracy’s Chester calls advertisers’
arguments that regulation would cripple the Web economy "disingenuous"
and "fallacious." "I think this is an attempt to straitjacket the FTC,"
says Chester. "The online ad industry has dodged a regulatory bullet."

To read more of Andy Greenberg’s stories, click here. Contact the
writer at [email protected].