FTC Commissioner Fed Up With E-tailer "Opt-Out Cookies"

E-tailers offering site visitors "opt-out" cookies that supposedly guard their online activity from being tracked should just give it up, said a member of the Federal Trade Commission (FTC) in a statement that argues, "It is a counterintuitive concept to put a cookie on a user's computer to inform Web sites and servers not to place subsequent cookies on the same computer."

FTC Commissioner Pamela Jones Harbourn's comment was in the context of a new FTC staff report that says E-tailers need to start taking privacy much more seriously if they do not want the government to start imposing new rules. "Staff is encouraged by recent steps by certain industry members, but believes that significant work remains," the report said.

"Staff calls upon industry to redouble its efforts in developing self-regulatory programs, and also to ensure that any such programs include meaningful enforcement mechanisms. Self-regulation can work only if concerned industry members actively monitor compliance and ensure that violations have consequences."

Harbourn said opt-out cookies are "the primary mechanism by which consumers currently can exercise choice online." But she asserted that the technology "is fundamentally flawed" and essentially useless. "Cookies are imperfect tools that serve multiple functions, including some never originally intended," Harbourn wrote. "It is unrealistic to rely on an assumption that the opt-out cookie will remain on a user's computer indefinitely."

The commissioner noted opt-out cookies are often inadvertently deleted by anti-virus and anti-spyware software being used by consumers. This "throwing out of the baby with the bathwater" is something that likely can be prevented. But Harbourn said doing so wouldn't solve all problems with the current status of opt-out cookie use. "Even assuming that opt-out cookies could be placed permanently on a computer, it is difficult for consumers to find opt-out cookies at all," she wrote. "They are typically buried in the depths of a privacy notice or, worse, on an unrelated third-party Web site. And when a user successfully locates an opt-out cookie, the cookie frequently does not download properly."

Harbourn said online businesses should get serious about finding better ways to safeguard information. "Rather than continuing to embrace this confusing and unreliable tool, industry should accept the reality that opt-out cookies are inadequate to protect consumer privacy," she said. "I encourage the technology community, including companies that develop browsers and software utilities, to focus their efforts on developing viable and transparent alternatives."

Industry Needs To Do A Better Job

FTC Commissioner Jon Leibowitz, who also issued a statement about the staff report, said "the concomitant online tracking and data collection, coupled with inadequate notice to consumers about what information is collected and how it is used, raise critical privacy concerns." Leibowitz warned online companies that they should not view as permanent the FTC's resistance, so far, to imposing regulations or recommending legislation.

"I write separately to ensure that the report's endorsement of self-regulation is viewed neither as a regulatory retreat by the Agency nor an imprimatur for current business practice," he said. "Indeed, despite a spotlight on E-Commerce and online behavioral marketing for more than a decade, to date data security has been too lax, privacy policies too incomprehensible and consumer tools for opting out of targeted advertising too confounding. Industry needs to do a better job of meaningful, rigorous self-regulation or it will certainly invite legislation by Congress and a more regulatory approach by our Commission."

Leibowitz praised efforts by some companies to "empower consumers." He noted some search engines are reducing the amount of time they retain consumers' personal data and that "Microsoft and other developers of Internet browsers are designing better tools for consumers to control the amount of information they share online."

The commissioner pointed to parts of the staff report that say self-regulatory principles should be expanded to cover practices involving information that "could reasonably be associated with a particular consumer or computer or other device," including IP addresses and cookie data.

"The report further clarifies that the principles should apply to information collected outside the traditional Web site context, such as through mobile devices and Internet Service Providers' 'deep packet inspection' to mine data from consumers' Internet traffic streams for targeted advertising," he wrote.

Leibowitz said he is "troubled about some companies' unfettered collection and use of consumers' 'sensitive data'--especially information about children and adolescents," and he pointed out that "some data is so sensitive and some populations so vulnerable that extra protection may be warranted."

The commissioner said the FTC needs to better understand "if and how companies combine online and offline data to build detailed consumer profiles," adding that "the possibility that companies could be selling personally identifiable behavioral data, linking click-stream data to personally identifiable information from other sources, or using behavioral data to engage in price discrimination or make credit or insurance decisions are not only unanticipated by most consumers, but also potentially illegal under the FTC Act."

Leibowitz warned that "a day of reckoning may be fast approaching." He also said the online industry's "silence in response to FTC staff's request for information about the secondary uses of tracking data is deafening. As a result, the Commission may have to consider using its subpoena authority under Section 6(b) of the FTC Act to compel companies to produce it."