Web users should be able to sign up for a do-not-track feature in browsers that would prohibit websites and advertising networks from following their movements online, says the US Federal Trade Commission.
The do-not-track idea, which is modelled on a US do-not-call scheme targeting telemarketers, would help consumers better protect their privacy because a uniform mechanism for opting out of online tracking does not yet exist, the FTC said in an online privacy report. The do-not-track list could be implemented by the internet industry or by the US Congress, the FTC said.
"Companies engaged in behavioural advertising may be invisible to most consumers," the report said. "The FTC repeatedly has called on stakeholders to create better tools to allow consumers to control the collection and use of their online browsing data."
The report shows a failure of private industry to adequately address customer privacy concerns online, FTC Chairman Jon Leibowitz said. "Despite some good actors, self-regulation of privacy has not worked adequately and is not working adequately for American consumers," he said. "We deserve far better from the companies we entrust our data to, and industry as a whole needs to do a far better job."
Earlier this year, Leibowitz said the FTC was considering a do-not-track list, and several privacy groups proposed such a list back in 2007. Opponents of a do-not-track mechanism say it could dramatically decrease the effectiveness of online targeted, or behavioral, advertising. The FTC report suggests that an easy way implement a do-not-track feature is through web browser settings.
The FTC report suggested a do-not -track (DNT) feature should not interfere with the benefits of online advertising, said Thomas Lenard, president of the Technology Policy Institute, an anti-regulation think tank.
"But, of course, that's the issue," Lenard said. "It is highly likely the DNT mechanism would interfere with those benefits. Furthermore, the DNT mechanism cannot be compared to the popular do-not-call list, which reduces unwanted marketing messages. A DNT mechanism wouldn't necessarily reduce advertising messages, it just would likely make them less useful."
The FTC should compare the benefits and costs of do-not-track before making such a "major proposal", Lenard added.
The FTC is not yet calling for do-not-track legislation in Congress, but web browser makers and other internet companies should act quickly to implement a universal do-not-track list, Leibowitz said.
New privacy protections, either from industry or government, are needed, because internet users are often confused about how companies are collecting and using their personal data, Leibowitz said. "Many companies are not disclosing their practices," he said. "Even among the companies that do disclose them, those disclosures are often done in long, incomprehensible privacy policies and user agreements that consumers don't read, let alone understand."
The FTC doesn't have the power to implement a do-not-track mechanism, but web companies should expect the agency to bring new privacy enforcement actions in coming weeks, Leibowitz said.
A hearing on a possible do-not-track mechanism is scheduled to take place by the consumer protection subcommittee of the US House Energy and Commerce Committee. There isn't active legislation to create a do-not-track mechanism, however.
Several privacy groups praised the FTC report and its endorsement of a do-not-track list. The report shows that "industry has not done enough quick enough to protect consumers" said Pam Dixon, executive director of the World Privacy Forum.
The FTC has shown that it understands the new ways that web-based businesses can track and profile customers, added Jeffrey Chester, executive director of the Center for Digital Democracy, a digital rights and privacy group.
"I think the FTC clearly gets it," Chester said. "The FTC has shown for the first time that it understands the dramatic changes that have occurred because of online data collection and online advertising."
But Ginger McCall, staff counsel at the Electronic Privacy Information Center (EPIC), questioned whether the report goes far enough. The US needs a dedicated federal privacy agency, a new comprehensive privacy law and an FTC that more aggressively enforces privacy rules, she said.
The FTC report also calls on companies to adopt a so-called 'privacy by design' approach by building in privacy protections to their everyday business practices. US businesses should ensure reasonable security for consumer data, limit their collection and retention of personal data, and make reasonable efforts to ensure the data is accurate, the report said.
Companies should also provide customers with choices about how their data is collected and shared, the report said. Those choices should come at the time and in the context of decisions consumers are making - "not after having to read long, complicated disclosures that they often cannot find," the FTC said.
Companies should not, however, have to seek consumer permission to collect data for some commonly accepted practices, such as product shipping, internal operations and fraud prevention, the FTC report said.
In addition, online companies should look to create shorter and standardised privacy policies that are easy to understand, the FTC report recommends.