“No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. … And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information. That should be a bipartisan effort.” ─ President Barack Obama, 2015 State of the Union
If online privacy advocates began 2015 inspired by President Obama’s emphasis on concrete legislative action to curb excessive corporate data collection, recent legislative progress on initiatives that have lingered since 2011 has heartened them and online consumers in both the United States and the European Union.
In the United States, Senators Blumenthal (CT) and Ed Markey (MA) introduced the Do Not Track Online Act of 2015 last week. This most recent version of federal do-not-track legislation, first introduced in 2011, seeks to direct the Federal Trade Commission (FTC) to establish new regulations regarding the collection and use of personal data obtained by tracking online behaviors. Under the bill’s provisions, the FTC will have one year to develop a universal Do Not Track opt-out mechanism that consumers can invoke to prevent companies from collecting personal information, except for limited collection, subject to erasure, when that data is directly needed to provide a requested service. The bill also provides that all consent processes for user data collection be clear about the purpose and uses of that data collection. Senator Markey noted, “Every online click consumers make provides a detailed and private picture of their personal lives, and Americans should have control over the collection and use of this personal, sensitive information.”
Across the Atlantic Ocean, the European Union (EU) Parliament and the Council of the EU have concluded 3 years of law-writing negotiations through informal agreement on the final draft of the General Data Protection Regulation (GDPR), which is expected to become the global gold standard for consumer privacy upon expected final adoption and a 2-year phase-in. The new legal standard requires companies to obtain opt-in consumer consent before collecting personal data, subject to fines of as much as 4% of revenues for non-compliance. Large international technology companies like Google and Facebook could have substantially higher penalties in the millions of euros under the new law. Individual EU countries will have a flexible children’s protected-age standard they can adopt that ranges from ages 13 to 16. Protected private information under the GDPR includes online IDs, along with any broad factors specific to the individual’s physical, genetic, mental, economic, cultural or social identity. Consumer consent standards require that consent must be freely given, specific, informed and constitute an unambiguous indication of the user’s wish to, either by statement or by a clear affirmative action, agree to the processing of his or her personal data while providing the right to request erasure without undue delay.
This definitive progress in protecting online user privacy is especially important looking toward 2016, since consumer privacy concerns have escalated due to major cyber hacks this year, ranging from US government data held by the Office of Personnel Management to infidelity website Ashley Madison to children’s toymaker VTech. Because no universal cross-device opt-out mechanism is technically possible at this time, users who want to protect their online privacy from tracking must diligently set and maintain their preferences in each individual browser and on each individual mobile, tablet and desktop device. Stronger and more broadly communicated public education about ad industry opt-out programs like the Digital Advertising Alliance’s (DAA’s) AdChoices is vital. Launched in 2012, the campaign had only 26% user awareness early this year. As the graphic above shows, the best mitigation factors addressing consumer concerns over data privacy deal with positive incentives like service or product discounts that would be best accepted as opt-in choices. “Rather than finding the most comprehensive or technologically persistent way to opt users out, the real question is, how can we maintain trust and keep users engaged and opted in?” notes Saira Nayak, chief privacy officer at mobile attribution company TUNE.
Trusted US Consumer Protection Resources to Safeguard Online Privacy