A law pending in the New York State Assembly that would regulate the data-collection activities of online advertisers has drawn sharp attention from the largest Internet companies and concerned parties on both sides of the privacy debate.
Introduced by Richard Brodsky, a Democrat from the New York City suburb of Westchester, the Third-Party Internet Advertising Consumers’ Bill of Rights would limit the information that online advertising companies can collect about consumers, and require sites to offer opt-out mechanisms for people who don’t want their browsing histories tracked.
“This codifies the conflict between the economic model of the Internet and people with legitimate expectations of privacy,” Brodsky told InternetNews.com.
Long an advocate of privacy and safe Internet practices, Brodsky previously worked on legislation to mandate Internet education for students from kindergarten through high school, and a bill that would block minors from creating profile pages on social networks without obtaining their parents’ permission.
The catalyst for the data-collection bill was the recent consolidation of the Internet advertising market into the hands of a few large companies. Over the last two years, an acquisition spree has seen pure-play ad companies such as Right Media, aQuantive and, most recently, DoubleClick get absorbed into the leading Web companies, bringing their massive data sets with them.
The bill is patterned after the data-collection principles drafted in 2000 by the Network Advertising Initiative (NAI), a coalition of advertising companies that includes subsidiaries of Microsoft, Yahoo, Google and AOL. Yahoo itself is a member of the trade association, which is in the process of updating its principles.
If passed, the state law could have a much broader effect, given the near impossibility of companies trying to adhere to different data-collection practices for computer users in New York and those in the rest of the country.
There is no federal law governing online data collection. A bill similar to Brodsky’s has been introduced in Connecticut, but its scope is limited to ad networks. Brodsky’s bill would apply to all companies that collect information for targeting ads based on users’ Web activities, and he said that he hopes other states will follow suit.
Meantime, the Interactive Advertising Bureau (IAB), the industry trade association, has blasted the bill for trying to solve a problem that does not exist.
“We haven’t even defined the potential harm to consumers,” said Mike Zaneis, vice president of public policy at the IAB. Zaneis argued that targeted advertising, in addition to driving the Internet economy and providing free services and content to consumers, also makes for a better user experience than serving ads at random. “It’s anticonsumer to take the relevancy out of the advertising,” he told InternetNews.com.
To Brodsky, the issue is about consumer choice. “I’m not hostile to targeted information,” he said. “[But] they are collecting the information without permission.”
The bill, currently under review in the Consumer Affairs and Protection Committee, would next head to the floor for a full vote. The bill is at the top of Brodsky’s agenda, and he is optimistic that it will come to vote before the regular session of the Assembly ends on June 23.
A replicate of Brodsky’s bill is pending in the New York Senate, where it has won sponsorship from Andrew Lanza, a Republican representing Staten Island.
Consumer advocacy groups such as the Electronic Privacy Information Center (EPIC) have applauded Brodsky’s bill as a good first step toward a national policy on data collection.
“It’s a constructive response to a real problem,” said EPIC Executive Director Marc Rotenberg.
“The reality is that Washington is sitting on its hands,” he told InternetNews.com. “This is an area where the federal government hasn’t done anything.” Substantive privacy legislation has often appeared first at the state level, before clearing the federal logjam, Rotenberg explained.
A “thoughtful, fearful” industry
The reaction from the industry, though generally cautious, has been mixed.
“Microsoft has been thoughtful; the rest have been fearful,” Brodsky said of his preliminary meetings with Internet companies.
And of those discussions, there have been many. Kent Sopris, Brodsky’s legislative director, said that meetings with Microsoft (NASDAQ: MSFT) and Yahoo (NASDAQ: YHOO) had already taken place, that a preliminary meeting with nonexecutives from Google (NASDAQ: GOOG) was scheduled this week, and that the first sitdown with AOL had been postponed due to the recent political scandals in Albany.
Of those companies, Microsoft is alone in calling for a legislative policy to oversee data collection.
“For years, we have been advocating for comprehensive federal privacy legislation,” Michael Hintze, Microsoft’s associate general counsel, wrote in an e-mail to InternetNews.com, adding that the company was committed to working with consumer groups and lawmakers on state legislation that gave meaningful address to privacy concerns.
“We support legislation that enables consumers to continue to receive the benefits of online advertising while establishing baseline privacy protections that empower them to make informed choices,” Hintze said.
While that is not an endorsement of Brodsky’s bill, it signals a commitment to regulated data collection that some of the other major Internet companies are not willing to make.
Yahoo’s top executive who deals with privacy legislation was not available for comment for this story, but company spokeswoman Kelly Benander offered this:
“Yahoo believes that maintaining consumer trust is integral to fostering the most compelling, customized Internet experience. We had an introductory meeting with Assemblyman Brodsky’s staff to express our interest in working constructively together with this common goal in mind.”
AOL declined to comment on Brodsky’s legislation, given that the initial meeting with the assemblyman’s staff has not yet taken place. Commenting for a recent story by InternetNews.com regarding national legislation on behavioral targeting, AOL Chief Privacy Officer Jules Polonetsky warned against the rush to regulate a fast-developing economy such as the Internet.
A spokeswoman for the company pointed out that prior to joining AOL, Polonetsky helped draft the NAI principles on which Brodsky’s bill is based.
In a familiar refrain, a spokeswoman for Google emphasized the company’s commitment to privacy. “We support efforts to develop industry-wide privacy standards in the online advertising space that promote transparency, consumer choice and security, and look forward to engaging in a dialogue about the proposed legislation,” she told InternetNews.com.
Rotenberg said he was not surprised at the split reaction among the Web giants. He described Microsoft as the “most mature” of the group in its assessment of privacy concerns, and said that he expected the others to resist data-collection legislation in any form.
A philosophical impasse?
Brodsky’s initiative has laid bare the essential friction of the issue: Can the industry be relied on to protect consumer privacy through self-regulation, or does the government need to legislate online data collection and behavioral tracking?
“Our bill explicitly would state that you cannot track people using their personal information,” Sopris told InternetNews.com. “While companies say they don’t do that, we say, ‘Fine, let’s make it a law.'”
The bill specifically prohibits the use of sensitive information such as financial or medical records in behaviorally targeted advertising, but many of its other provisions are ambiguous. “Personal identifiable information,” for instance, is defined as “data used to identify, contact or locate a person.” Examples include names, phone numbers and e-mail addresses, but the data point crucial to behavioral tracking — the IP address — is not mentioned.
Brodsky said that he had not yet decided whether a computer’s IP address should be considered personal information, a pivotal definition of terms some European regulators have called for.
Calling Brodsky’s bill “paternalistic” for trying to protect people from a phantom harm, the IAB’s Zaneis argued that educating consumers about what data are actually being collected would alleviate most people’s privacy concerns.
“Industry self-regulation has been what has protected consumers throughout the history of the Internet,” he said. “Why don’t we hear legislators and consumer advocate talking about consumer education? If their concern is that they consumers don’t know what’s going on, why don’t they try to do something about that? My suspicion is because it’s difficult.”
“It’s easy to pass a law; it’s difficult to come e to the table with real solutions,” Zaneis said.
Though he is suspending final judgment on defining the IP address until he has met with more industry groups, Brodsky suggests that the typical argument that IP address logs are anonymous is disingenuous.
“Industry does promote somewhat of a fiction when it says we don’t know who you are, we just know who your computer is,” he said. “If they have your computer, they have you.”
Despite the unsettled definitions, Brodsky is unwavering in his commitment to giving people the chance to opt out of having their information collected, whether it is considered personally identifiable or not. The language of the bill might change before it passes to the floor for a full vote, but its substance will not.
“The principle is in its final form,” Brodsky said. “It’s a very American principle: You want my personal data, ask me.”
