In testimony before Congress last week, Federal Trade Commission Chairman Joseph Simons said, “We urge Congress to enact privacy and data security legislation, enforceable by the FTC.”
All five members of the FTC appeared at the House Energy and Commerce Subcommittee on Consumer Protection and Commerce, and they unanimously supported a tough new federal data privacy law.
We couldn’t agree more.
This may seem surprising. IAB is an organization that represents publishers, platforms, brands, and advertising and marketing technology companies. Some might argue that we are therefore not credible in arguing for a Federal Do-Not-Track standard—even though we have been at the forefront in creating and managing such universal standards, via our work with the Digital Advertising Alliance in the U.S. and with IAB Europe and member companies on the IAB Transparency & Consent Framework in Europe.
In addition, it is true that we have consistently declared our opposition to “Do-Not-Track.” That is because it sets up a false history of consumer data, a false narrative of consumer victimization, and a false sense of security about consumer control. It’s simply an incorrect, noxious notion that consumers are de facto victimized by the use of their data. It’s equally false to tell consumers that simply by pressing a button and stopping all this “tracking” they will somehow be safe. They won’t be.
The fact is, Americans need real protection from actual harm caused by illegitimate data-sharing. They also need less blanket fear-mongering about basic uses of consumer data that have powered the economy for more than a century.
We need far more than “Do-Not-Track.”
The need to provide consumers with greater privacy and security in digital environments, naturally causes brands, publishers, and consumers concern when platforms and browser manufacturers – especially giant, vertically-integrated, data-rich platforms and browser-makers – step up to do it on their own, independent of each other, divorced from broader marketplace needs, and absent a defined legal or regulatory framework.
We commend the activity of all the companies creating privacy management tools and protocols for consumers, but it’s clearly both too much, and not enough. We don’t have 1,000 different designs for seatbelts and airbags in cars – we have one. And we don’t leave it to consumers to manage the intricate details of their own food safety: We have industry and Government processes in place to make sure the food consumers buy is free from germs and poisons. Similarly, we shouldn’t have a thousand different methods for managing digital privacy, confusing consumers and sowing chaos among businesses. And we shouldn’t make consumers push endless consent buttons on web sites and apps, or burrow deep into browser tools to manage who’s doing what with their data. We should have consistent principles and tools, premised on Federal, and possibly globally recognized, rules and enforcement, that will provide consumers easy, automatic security and privacy.
The work being done by big platforms and browser makers is useful, because it will contribute to a Federal or global solution. But it won’t substitute for it. We need a new paradigm for Federal privacy regulation, to assure a baseline of real consumer protections and a level playing field in which all participants are pursuing the same goals with consistent technology solutions.
We want penalties, civil and criminal, for illicit uses of data. We want companies to be forced to adopt standardized mechanisms by which they will protect consumers, the way auto manufacturers are required to install seat belts and air bags to protect consumers. We want the Federal Trade Commission to be empowered and funded to oversee consumer privacy protection, and to be able to instantiate new protection rules as technology evolves.
This isn’t a call for “Do-Not-Track.” Think of it as a call for “Do-Not-Track-Plus.”