Today’s column is written by Marc Groman, CEO of Network Advertising Initiative.
Context – how consumers engage with business – has emerged as a central theme in today’s policy debates about consumer privacy.
The Federal Trade Commission’s privacy framework, outlined in a March 2012 report, posits that privacy is contextual, based on factors such as a consumer’s existing relationship with a company, the expectations of that relationship and the nature of a specific transaction.
More recently, speakers discussing the privacy implications of the “Internet of Things” at last month’s FTC workshop emphasized the need to consider context when thinking about notice and choice in an increasingly interconnected world. FTC Chairwoman Edith Ramirez mentioned context in her opening remarks, talking about “unexpected uses of data,” and referencing examples such as connected cars, smart TVs and heart monitors.
The FTC workshop highlighted the nuances and complexity of context and privacy. Context is too often narrowly and mistakenly interpreted to focus exclusively on the “who” in a transaction, not the “what” – “who,” in this case, referring to either a first party or a third party. In this analysis, there is frequently a rush to judgment about consumer expectations and privacy based solely on this one factor.
The question we should ask ourselves, however, is whether this first-party/third-party distinction in isolation is the appropriate focus in designing a sound privacy framework today. Or is it more important to consumers that the “who” mean “responsible parties?”
Consider this example. When Consumer Smith visits his favorite online retailer’s website, i.e., the first party, he recognizes the brand and knows what information needs to be provided for purchases. In fact, Smith may have already shared certain information with the site on a previous visit to sign up for a service or take a survey, and that information might include details about income, demographics, product preferences and the like.
He may “expect” the first party to collect and use his data. He may even expect advertising or product suggestions to be made based on that data. In this way, many first parties have a direct relationship with consumers that is relevant and valuable. This relationship can be important, but is only one of several factors that should be considered in the privacy framework debate.
Now, let’s say the online retailer partnered with a third-party ad network to serve interest-based ads. Smith did not stop at that network’s site, nor, to the best of his knowledge, did he provide that ad network with any information. Therefore, Smith may not expect his information to be gathered by another party.
Although the first party brought in the third party to provide a service that it believed to be beneficial (a more relevant ad experience), according to the old “context” argument, the third-party data collection in this scenario is assumed to present a potentially greater privacy risk to consumers. This may be driven by the third party’s presence often not being known to the user and the collection of data across multiple, different first-party experiences.
In both examples, we’re missing key information to help drive a meaningful privacy debate: the specific circumstances under which the consumer’s information is collected and used, the scope of the data collection, the type of data, the collection method or the potential for unexpected uses. A discussion of risk of harm also is absent.
At the FTC workshop, speakers emphasized that context is about a wide range of variables and “type of entity” is but one. Simplifying the analysis of data collection down to a black/white, first/third-party issue is limiting and may lead to absurd results. The personal identification and sensitivity of the data collected, the use of the data and the transfer and sharing of the data may be far more significant than who collected it – and these concepts should apply across all parties involved. Each of these principles is part of the NAI’s self-regulatory code of conduct, which is honored by some of the most responsible actors online.
Even before last week’s workshop, the FTC’s director of the Bureau of Consumer Protection, Jessica Rich, affirmed this point at the Privacy Law Scholars Conference in Washington, DC, by emphasizing that choice is not purely about a company’s status as first or third party, but about the context of a transaction and the expectation of a consumer.
Lydia Parnes, former director of the Bureau of Consumer Protection, also recently stated at the IAPP Privacy Academy in Seattle that, “It isn’t clear to me whether the ‘first party’ vs. ‘third party’ distinction ever made sense, but it certainly doesn’t make sense today. Who is a ‘first party’ and who is a ‘third party’ is increasingly difficult to determine in any given transaction.”
We’re living in the era of “big data,” and the digital world is rapidly evolving. When the FTC examined third-party, interest-based advertising, it was 2007. Today, we have the “Internet of things,” with mobile apps, sensor-rich systems, smart products and cross-device recognition resulting in a media world that is increasingly complex and less structured than ever before.
In some interactions, as Parnes observed, it may not be clear who is collecting data and in what capacity. Perhaps there are three or four first parties. In addition, the reach of a first party may not be obvious if there are dozens of affiliates branded as separate entities with multiple collection points and cross-exchanges.
Beyond how the data is transferred, the nature of the data collection should be considered. Think about how much information you feed into a smartphone – say, a personal assistant app. That app collects and uses identifying information, location, time of day, calendar, travel plans, search, email, contacts and address book, digital surfing history and more. From a privacy perspective, many consider the collection of this data to be far more sensitive than inferred interest segments tied to a third-party cookie.
Add to this the AdChoices icon in advertisements served by third parties and you have an increasingly robust transparency, notice and choice regime. The actual practices of an entity – whether a first or third party – and the disclosure of those practices are essential to any discussion about privacy. We’ve all read privacy policies that are unintelligible, leave open the possibility of any use of data and ask for overbroad consent to use data. That may raise greater concerns than who collected the data.
The reality is that third parties – from networks and exchanges to data platforms and other digital media firms that partner with online properties (“first parties”) for the purposes of marketing and advertising in both online and mobile media – are necessary. They keep costs down and are the backbone of the diverse, ad-supported, free-content model that consumers know and expect today. When discussing privacy concerns related to third parties, the primary issue tends to be that third parties can collect data across many websites. However, when we examine all privacy considerations, the type of data they collect may be far less sensitive to consumers than it is portrayed in the media and in privacy debates. And it may be far less sensitive than data collected in other contexts.
As this analysis suggests, the Internet of Things requires us to rethink old privacy assumptions and paradigms and focus on what’s really important to consumers and competitors today. A sound privacy framework that instills consumer confidence and a fair commercial playing field should center on responsible data collection and use practices by all parties and good data hygiene, not labels.
We should come together to discuss safeguarding sensitive data and applying the Fair Information Practice Principles where it counts most – health care, financial data, information about our children and the use of precise location data. It isn’t simply who is collecting the data, but what data is collected, how it is used, how long it is retained, and what choices consumers have. I would like to see a policy framework that incentivizes best practices and responsible data management by all parties. That strikes me as a win for consumer privacy, competition and the free, advertising-supported Internet users have come to expect and love.
Email This Post