A Preliminary FTC Staff Report on "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers"
By way of background, I am a former Assistant Attorney General in Consumer Protection in Massachusetts, have been a consumer advocate for the past 33 years, and run a number of consumer education websites, including ConsumerWorld.org . I think there are some categories of individuals, organizations, and businesses that should be exempt from the proposed rules. Generally speaking, individuals with websites, bloggers, small organizations, small businesses, and anyone whose site resides on a shared server or utilizes commercial services aimed at such audiences providing hosting services or hosting software (such as wordpress, wordpress.com, blogger.com, geocities-like services, facebook, etc.) should be exempt from these rules. While the Facebooks of the world should be covered, the individuals that use their platform should not be, for example. These individuals and entities have little or no control over the software platform that operates their websites, nor over the servers on which their sites reside. For example, a blog hosted at wordpress.com may deliver advertising targeted to users based on IP address, cookies, or other criteria, and the owner of the blog has neither access to nor control over that. It also cannot control what information the underling server collects and how others might use it. In addition, the individuals and entities suggested above for exemption may have little technical expertise to implement any proposed requirements, nor have in-house staff with those capabilities. Cost would be an issue here too. The underlying software companies used for blogs, for example, and the companies providing hosting services, should be the entities responsible for conforming their products, services, and servers to meet the requirements of any "do not track" rules, including making those things aware of choices individuals may make in their browser settings. In terms of commonly accepted practices that should be exempt from regulations, let me use ConsumerWorld.org as an example. I cannot control what information is collected by the shared server on which ConsumerWorld.org resides. I may have access to it through various reporting tools, however. I have a limited number of affiliate links in Consumer World, such as ones where users can sign up for Consumer Reports. I cannot control whether those links place cookies on the consumer's computer, or what other data those links generate or use. If I used "Google Ads", I similarly cannot control what is displayed or collected data-wise. To not annoy regular readers with pop-up ads for my free newsletter, I use a cookie to limit the showing of those ads to regular users. I cannot control whether the cookie is or is not placed based on some choice the reader may make in their browser. When I run a survey, the script I use collects IP addresses so a person cannot vote twice. I cannot control whether it collects that data based on an individual choice any particular visitor to the site may make or establish in his or her browser. I collect email addresses of those who wish to subscribe to the newsletter, and follow applicable CANSPAM rules. All these actions, and the bits of data collected, I would argue should be "commonly accepted." To the extent the underlying website software (if other than hand coded), server software, and browser settings can be required to work together to automatically reflect the consumer's choices, all the better. I have neither the technical expertise myself nor the financial ability to hire someone to do this. I suspect this would be true for the majority of non-large businesses that really don't use the data collected nor employ explicit tracking systems to better market their products to individuals. I urge the FTC to differentiate individuals, small businesses and organizations from businesses that utilize tracking tools and networks to deliver targeted ads, build customer profiles, and mine personal data.