On Thursday during Advertising Week in New York City, I hosted an event called “Mission Impossible: Truth & Privacy – The Future is Now,” featuring Commissioner Julie Brill of the Federal Trade Commission, along with Frank Abagnale, one of the world’s foremost authorities on fraud and identity theft (you may know him best from the film Catch Me If You Can – he was portrayed by none other than Leonardo DiCaprio), and Jonathan Salem Baskin, Co-Author of Tell The Truth. Privacy is an issue everyone is talking about these days, and I wanted to share with you some of the thoughts and issues discussed during the session at Advertising Week. Click here to view a video of Ron’s conversation with FTC Commissioner Julie Brill.
Advertising is a fascinating and complex industry, reflecting the latest innovations, the newest technologies, and, of course, the height of creativity. Advertising is a reflection of the fundamental changes sweeping our society – the transformative effect of digital, the changes in all forms of media, the importance of data and the rise of wireless. Amidst this rapid change, privacy is one of the most important issues in the advertising and media business, and one which demands our attention now, not tomorrow.
The Way I See It
- I see that digital technology and media has created an unprecedented “Holy Grail” opportunity for marketers to have conversations with consumers as individuals wherever they are on a broad array of devices. The question we must answer is, how do we manage the legitimate privacy concerns?
- I see the FTC’s role and influence in steering the privacy and data security debate and action rising in importance.
- I see global marketers and agencies working in good faith either alone or in groups to navigate safely through leading edge issues and the concerns of interested parties – the government, agencies, marketers, technology providers, media and consumers.
- I see “do not track” continue to be a central issue that focuses many of the important advertising industry and societal issues about both what can be and what should be.
- I see “privacy by design” being a simple concept, but a difficult concept to execute in real time.
The Way The Industry Sees It
Commissioner Julie Brill of the FTC shared some extremely valuable insights with me and the attendees of our Advertising Week session. I then asked Commissioner Brill some follow up questions that touched upon some of the conversation that we had in our Advertising Week session.
Can you highlight what you see as the role of the FTC in regards to its relationship with the advertising industry’s need to focus on consumer privacy and data security?
The Commission has developed a set of best practices, as outlined in the agency’s March 2012 final privacy framework, for companies that collect and use consumer data. (“Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers,” An FTC Report (Mar. 26, 2012) available at http://www.ftc.gov/os/2012/03/120326privacyreport.pdf.) Because the advertising industry is among the heaviest users of such information, these best practices can be useful to the advertising industry –including ad networks, individual advertisers, and all other players in the advertising eco-system—as they develop and maintain processes and systems to operationalize privacy and data security practices within their businesses. In addition to our policymaking role, the Commission takes action against companies—including those in the advertising industry—that do not treat consumer data in accordance with the laws enforced by the agency. For example, we took action against several advertising networks that misrepresented their practices involving consumers’ ability to opt-out from online behavioral advertising. (See press releases, “FTC Puts an End to Tactics of Online Advertising Company That Deceived Consumers Who Wanted to “Opt Out” from Targeted Ads” (Mar. 14, 2011), available at http://www.ftc.gov/opa/2011/03/chitika.shtm; “Online Advertiser Settles FTC Charges ScanScout Deceptively Used Flash Cookies to Track Consumers Online” (Nov. 8, 2011), available at http://www.ftc.gov/opa/2011/11/scanscout.shtm).
In the fast paced world of marketers and agencies where they must implement “privacy by design”, what is the biggest issue confronting the industry?
Well, there are a lot of big issues. One of the biggest issues is the rapid pace of today’s technological advances. Companies are bringing products and services to market as quickly as they can—and the advertising and marketing have to keep up with that pace. As a result, companies may not be employing a methodical process to consider all the privacy and data security issues that could arise with the product or service, or with an advertising or marketing campaign. I think one of the most important elements of Privacy by Design is for companies to take the time to thoroughly examine the consumer information they are collecting, what is being done with that information, and how it is being safeguarded. In our privacy report, we stress the importance of operationalizing these processes, which will help companies conduct these analyses in an efficient and timely fashion.
With the digital transformation of our society, the gathering of data – information that can be used to help determine what a specific consumer might be interested in – can be very helpful to advertisers and agencies in achieving more effective and more efficient advertising. What are the competing interests from the FTC’s perspective?
From my perspective, more effective and efficient advertising is not what chiefly concerns me —in fact, many consumers prefer to receive advertising that matches their interests. Rather, it is the other uses of data that cause me concern. For example, lists of elderly patients who suffer from Alzheimer’s disease and similar maladies that data brokers market as “perfect prospects” for holistic remedies, financial services, subscriptions and insurance. (See Karen Blumenthal’s article in The Wall Street Journal, “How Banks, Marketers Aid Scams,” July 15, 2009.) And social network chats and online search histories that some firms “scratch and sniff” to provide information to a future potential employer, unbeknownst to consumers. I am concerned about how a consumer’s browsing history may be used in a way that can unfairly cause her harm — perhaps she has viewed articles on reducing credit card debt and this browsing history is then provided to a bank where she is seeking a loan. Information about online purchases can also be a concern when a consumer’s purchase of a deep fat fryer is transmitted to the health insurance company and it uses that information to set higher rates.
For global marketers and agencies, finding a balance between the laws in the U.S. and those around the world in their business practices is a challenge. Can you speak to what the current challenges are for us as marketers, and for the FTC, in terms of global versus domestic privacy?
On a global level, the challenge that regulators around the world now face—and the challenge they are working to address—concerns the contrasting privacy requirements among jurisdictions. The FTC and many regulators around the world, particularly in the EU and the APEC region, have been considering how these different privacy frameworks can become more inter-operable. By “inter-operable,” I am referring to systems that, while they may not be the same, allow for mutual recognition and—importantly—transfers of data across borders. To foster inter-operability, we need a certain degree of commonality and shared privacy values. I think that there is sufficient common ground between the US and regulators around the world to move towards inter-operability. And the mechanisms are in place, or are being developed. The U.S./EU Safe Harbor is a mechanism that allows for inter-operability between the United States and the EU. The APEC Cross Border Privacy Rules system is designed to allow multilateral inter-operability through a set of detailed privacy requirements negotiated by the relevant stakeholders and authorities in the Asia Pacific Economic Cooperation Forum region, based on the APEC Privacy Principles.
Do you see privacy or data security as a bipartisan issue?
Absolutely. Members of both parties are very concerned with these issues. Both sides of the aisle want consumers’ data to be protected, while at the same time they want businesses to be able to continue to grow and innovate. We’ve seen bills introduced by both Democrats and Republicans that address both privacy and data security issues. U.S. Representatives Markey and Barton, a Democrat of Massachusetts, and a Republican from Texas, co-chair the Bipartisan Congressional Privacy Caucus. And at the Federal Trade Commission, our concerns about privacy, particularly in the enforcement arena, are also largely bipartisan.
What lessons can companies take from the recent release by the FTC on mobile apps? What does this say about the FTC’s approach on how it interacts with industry?
The lesson is that all developers, large and small, need to pay attention to both truth-in-advertising and privacy principles when marketing mobile apps. Our guidance encourages app developers to bake privacy into their apps from the start. Developers should limit their information collection to the information they need for the proper functioning of their app. And they should ensure the security of the information they do collect. They should collect sensitive information—financial, medical, precise geolocation—only with affirmative consent. They must comply with the provisions of the Children’s Online Privacy Protection Act in connection with children’s information. And app developers should be transparent about their practices. They should provide choices that are easy to use and understand, and the choices should, of course, be honored.
There have been a number of significant FTC enforcement actions in the areas of privacy and data security. Without going in to any specifics of any of the decisions, what are the lessons that the FTC is trying to teach the industry?
Our enforcement efforts demonstrate that companies need to address privacy and data security up front, as products are being developed, and consistently, through company processes and procedures. Privacy and data security cannot be dealt with as an afterthought. In many of our privacy and data security consent orders, the companies agreed to develop comprehensive privacy or data security programs. The goal of these requirements is to assist the companies in addressing privacy and data security in a systemic fashion, with accountable employees, proper training, and appropriate procedures for making sure that privacy and data security concerns are dealt with every step of the way.
You spent a number of years at different state Attorney Generals’ offices focusing on consumer protection. How do you find your role as Commissioner of the FTC to be different? Do you find your prior state Attorney General experience to be helpful?
As Commissioner I am working with my fellow Commissioners and agency staff to set the agency’s priorities on consumer protection, privacy, and competition enforcement matters; on developing legislative recommendations and agency-wide policy. Each of the Commissioners draws on his or her experience in our enormously expansive role. I brought an unusual depth of experience in consumer protection and competition law generally, because of my years as a state enforcer in the Vermont Attorney General’s office and then the North Carolina Attorney General’s office. I also had deep experience in privacy and data security before I became a Commissioner, because I served for many years as the chair of the Privacy Working Group for the State Attorneys General. In general, as a state Assistant Attorney General and Chief of Consumer Protection and Competition, I brought many individual state cases involving a wide variety of consumer protection matters, and led some important multi-state investigations involving privacy, data security, pharmaceutical marketing, and advertising issues. My role as a Commissioner is very different from my role in state attorneys general offices. I’m no longer a front line attorney, supervising attorney, or in charge of a single division. I’m now in a role where I set policy for the entire agency. And yet much of what I learned regarding consumer protection and competition at the state level is directly applicable to my work as a Commissioner, because the laws under which the states bring consumer protection and competition actions share many similarities with the FTC Act.
What is the coolest thing in your office right now?
Well, I’m not sure they are the coolest things in my office, but I am most fond of the black and white photos of 20th century heroes that cover my walls. They include photos of Louis Brandeis, Winston Churchill, FDR and Eleanor, JFK, and Martin Luther King, Jr.—leaders who had to make some pretty tough decisions in their day and can serve as inspiration as we grapple with the tough issues of our time.