In the midst of the maelstrom of online deals rumored to be in the works, Microsoft proposed a major plan for companies to self-regulate consumer privacy practices.
The company, responding to Federal Trade Commission (FTC) requests for comments on its own plan for self-regulating online advertising, submitted a five-tiered system to protect consumer privacy. (Quick question: Does “self-regulate” qualify as an oxymoron?)
Microsoft is calling for “distinct privacy standards in five key circumstances: when site visitors’ data is collected for online advertising, when ads are delivered on unrelated sites, when sites engage in behavioral advertising, when personally identifiable information is used, and when sensitive personal data is used,” according to a press release it issued this morning. These are the same principles Microsoft adopted last year.
Online privacy standards will only become more important as major online players combine huge repositories of data about consumers.
In general, Microsoft’s system would require more disclosure from advertisers and consent from consumers as the risk to an individual’s privacy increased. For example, the system would require advertisers to get “affirmative express consent” before using health records or other personally identifiable information for advertising purposes.
“Online advertising should put consumers in the driver’s seat, not only with the information they want to see, but also with the tools to protect their privacy,” Microsoft General Counsel Brad Smith said in a statement.
Microsoft’s comments to the FTC will be posted here, where you can currently find 22 other comments from individuals and groups, such as the Consumer Federation of America (CFA).
The CFA said the FTC’s principles are useful for advancing the discussion on consumer privacy concerns, but stated “consumers cannot be adequately protected by self-regulatory principles and general FTC enforcement powers.”
Here are summaries of Microsoft’s proposed self-regulatory policies:
Third-party sites: Companies that deliver “ads or services across unrelated third-party sites should ensure that consumers receive notice of the privacy practices of those sites.”
Behavioral ads: Companies that develop consumer profiles for delivering online ads “across unrelated third-party sites should also offer consumers a choice about the use of their information for such purposes.”
Personal information: Companies that use a name, e-mail address, physical address or other personally identifiable information for advertising “across multiple sites or for behavioral advertising should, at a minimum, give consumers the ability to opt out of having personally identifiable information collected for the purpose of targeting ads.”
Sensitive personal information: Companies should be “required to obtain affirmative express consent before using sensitive personally identifiable information — such as health or medical conditions, sexual behavior or orientation, or religious beliefs — for behavioral advertising.”
But again, if it’s self-regulation, who would require a company to adhere to these policies, and what would happen if it deviated?