Beware of the FTC's Soft Legislating Power
The Federal Trade Commission (FTC) recently demonstrated anew its recurring ability to shape privacy and security practices through "soft legislating." In December 2010, in a preliminary staff report, the FTC proposed that the online advertising ecosystem adopt a "Do Not Track" feature to allow individuals to opt-out from online behavioral targeting. In recent weeks, providers of major Web browsing software answered this call. Microsoft, Mozilla (the maker of Firefox) and Google will now offer "Do Not Track" functionality of various kinds:
- Microsoft announced that it will ship Tracking Protection Lists (TPLs) as a feature in the next version of its Internet Explorer Web browser. The TPL feature allows users to create and modify lists of websites that the browser will visit only if the consumer affirmatively directs the browser to visit such sites. Thus, the behind-the-scenes referrals among website URLs that drive online advertising would not be able to operate, at least with respect to sites on an individual's TPL.
- Mozilla has announced that its engineers are working on a tool for Firefox that will potentially allow users to comprehensively opt-out of online behavioral tracking.
- Google has rolled out a "Keep My Opt-Outs" extension to its popular Chrome browser. This plug-in will allow the user to permanently opt-out of behavioral tracking from companies that participate in relevant self-regulatory programs. Google indicates that more than 50 companies offer opt-outs via such programs, including the 15 largest U.S. ad networks.
It is too soon to say whether such functionality will give consumers a meaningful opt-out. Certainly, pointed threats of new privacy regulation from Congress and the FTC contributed to the rapid industry response. Yet, it should be underscored that the FTC succeeded in this policy round without any explicit statutory authorization, rulemaking or enforcement action.
The FTC has used its informal influence before to great effect. For example, when the FTC launched its telemarketing Do Not Call (DNC) rulemaking in 2002, there were substantial questions as to whether the agency had authority to establish a DNC registry at all, as authorizing statutes were silent on the subject. Confident in the popularity of its telemarketing control program, the FTC collected millions of phone numbers on the DNC registry. As the DNC rules came into effect in October 2003, Congress blinked first, acting quickly to moot legal challenges by granting the FTC specific DNC authority. Today, the DNC registry contains over 200 million phone numbers, and the program is considered a triumph for the FTC.
There are other cases where the consumer protection mission of the FTC, combined with a politically salient issue, have resulted in effective expansion of the agency's power. During a string of high-profile security breaches in 2005, the FTC managed to effectively impose a national minimum data security requirement, without an implementing statute or rule. As reported in Privacy In Focus (see Nahra, "Effective Security Practices Now a National Requirement" [June 2005], the FTC took an enforcement action against a company involved in a security breach although the company had made no representations whatsoever to its customers concerning security protections. To the FTC, in an apparently novel interpretation, the mere failure to develop and implement an effective information security program constituted an "unfair and deceptive" trade practice in violation of sections of the Federal Trade Commission Act, independent of any more specific statutory or regulatory requirements. Consequently, every company had to become familiar with the security program mandated by the FTC enforcement action, so that each company could design an effective security program for its business operations.
Implications for Businesses
More than historical curiosities, these past events are a chilling reminder to businesses today that either depend on online advertising or help provide it. When consumers become sufficiently concerned about a privacy or security issue, the FTC does not necessarily require legislation, a rulemaking or even an enforcement action to effectively strengthen consumer protections that industry must provide. Accordingly, to ward off the FTC's exercise of "soft legislating" power, businesses should ensure that industry self-regulatory mechanisms actually provide consumers meaningful choices. Moreover, industry engagement with the FTC is critical to maintain a regulatory environment-formal and informal-that will keep online advertising revenue flowing.