Two new pieces of privacy legislation and a hearing are keeping Congress busy this week, while the United Kingdom’s Information Commissioner’s Office just released a new set of rules for the use of cookies by websites.
Center ring at the privacy circus this week was the first hearing called by the Senate Judiciary’s new Technology, Privacy and the Law subcommittee. Sen. Franken’s hearing focused on privacy of mobile information, and featured panelists from Apple and Google. Both companies’ mobile platforms use location information to provide some features, and Senators were keen to dig into how that information is protected, gathered, transmitted back to the parent company, and eventually used. They were also interested in how well the platforms themselves controlled the gathering of data (both mobile and otherwise) by apps. Both representatives listened carefully and promised to take the Senator’s concerns back to their companies to be discussed.
In addition to the hearing this week, Congress jumped with both feet into the Do-Not-Track issue, with two different bills generating news. Senator Rockefeller unveiled a Do-Not-Track bill on Monday that would require online providers to look for and follow a user’s stated preference not to have their online activities tracked. The bill leaves much of the details of the provision up to rulemaking by the Federal Trade Commission. Enforcement of the law is assigned to the FTC, or the individual States’ Attorneys General.
CCIA is wary of Do-Not-Track provisions for a number of reasons. First is the overarching question of what, exactly, tracking is. There are many questions about what precisely the term includes and whether actions such as first party advertising or analytics for website improvement qualify. Sen. Rockefeller’s bill doesn’t attempt to answer those questions, leaving most of the decision making to a regulatory proceeding at the FTC. The bill does include exceptions for a few narrow purposes, showing that the drafters understand that some forms of tracking are ultimately necessary for the operation of the Internet. CCIA believes that there may be other appropriate exceptions that could be incorporated, such as for fraud prevention in online commerce, and we will be arguing in favor of those in any Do-Not-Track regime that is introduced.
The second bill, which has been released but not yet formally introduced, is from Representative Markey and Representative Barton and is aimed solely at childrens’ information. The bill would take a number of steps, including prohibiting “tracking” children without express consent by the parents of the child and requiring providers to allow parents to erase any personal information they have about kids that is already online. While we believe strongly in protecting children while they use the Internet, this proposal has a number of issues with it that need to be addressed.
The first and overriding problem is a simple question of practicability. As the famous New Yorker cartoon pointed out, “On the Internet, nobody knows you’re a dog.” Similarly, nobody knows your age when you visit a website. Providers are left hoping that a child accurately self reports their age, and doesn’t simply try again with a higher number when they discover they’ve been shut out. Other concerns are raised by the proposal, such as the free expression rights of children, and they will also have to be addressed before we would be comfortable with the result.