The Association of National Advertisers (ANA) on Tuesday issued an impassioned rejection of the Federal Communication Commission’s (FCC) proposed change to online privacy and data security regulations.
Wednesday is the final day of the public comment period before the FCC deliberates on the policy, which would force marketers to ask for permission to track consumers’ data and send notifications when there’s a potential security breach.
“We think the FCC has gone way beyond what’s necessary to protect privacy and issued requirements for security updates that are simply unprecedented,” Dan Jaffe, executive VP of government relations for the ANA, told AdExchanger.
At the heart of the matter is what qualifies as sensitive or nonsensitive data. The Federal Trade Commission (FTC) holds an opt-out standard except for potentially damaging data, such as financial, medical, pharmaceutical or advertising data targeted to children.
The FCC’s proposed rules could establish those onerous standards as the baseline without defining what constitutes sensitive information, said Jaffe.
“Personally identifiable doesn’t necessarily mean significant,” he said. “If someone finds out I like non-pulp orange juice vs. pulp orange juice, I just don’t care. Someone preferring coffee-flavored ice cream could be valuable for an advertiser, but it’s not exposing consumers to harm if there’s a potential breach.”
Many see the existing self-regulatory framework as an adequate consumer safety net.
“We have demonstrated that enforceable and enforced industrywide self-regulation is an effective way to protect consumers with the flexibility to respond quickly to changing technological and business practices in a technologically neutral way,” said Genie Barton, VP and director of the Better Business Bureau’s Online Interest-Based Advertising Accountability Program, in a response to the FCC’s proposal.
The changes would shift the American online landscape to more closely resemble the EU, where sites must provide notice and seek consent before collecting data on users. Even beyond that, Jaffe worries there would be “a constant barrage and drum beat of security alerts” regarding what may have been inconsequential security lapses.
The FCC’s proposed burden may seem minimal but could carry a hefty price tag because of the sheer number of people who have to be notified and the potential lost business. Jaffe pointed to studies showing that similar European policies cost EU businesses the equivalent of $1.4 billion per year.
An FCC spokesperson responded to the ANA’s comment by saying, “Consumers should have control over how their personal information is used and shared by their internet service provider. The goal of the rulemaking is to give consumers the tools they need to make smart choices about protecting their information and enforcing the broadband provider’s responsibility to do so.”