Privacy protection isn’t a tick-the-box exercise, and so policymakers need to think outside the box.
At the Federal Trade Commission’s annual PrivacyCon event in Washington, DC, on Thursday, the agency invited nearly 20 privacy researchers and academics from around the world to dig into the nitty gritty on consumer privacy, data collection, security and the economic factors driving it all.
The agenda provides a window into the thorny issues at the top of the FTC’s enforcement agenda: the deficiencies of notice and choice, lessons learned from GDPR and whether the oft-cited advertising value exchange is actually, well, valuable.
“While privacy regulation seeks to make tech companies betters stewards of the data they collect and their practices more transparent, in the end, it is a deception to think that users will have more “privacy.”” For one thing, large tech companies have grown huge privacy compliance organizations to meet their new regulatory obligations.
If/when federal privacy legislation is passed, the FTC will likely be the one to enforce it, so it’s important to know what’s on the commission’s collective mind. Here’s a taste of what the FTC is stewing over right now.
Privacy policies shouldn’t be for consumers?
Everyone knows that most consumers don’t read privacy policies because they’re too long and confusing. Right?
But maybe that’s the wrong way to think about it. Privacy policies are useless from a consumer perspective regardless of whether they’re long or short, said Justin Brookman, director of privacy and technology policy at Consumer Reports.
He proposed that privacy policies should actually be longer and even more detailed so that regulators, researchers and journalists can easily query them to see exactly what data is being collected and how it’s being used.
Researchers or tech vendors could then build automated tools to audit the policies in order to highlight deviations or pop up a privacy notification when an app or online service wants to do something unexpected with a user’s data.
That would simultaneously keep companies accountable and serve as a “more meaningful and informed way of doing things,” said Yan Shvartzshnaider, an assistant professor affiliated with New York University and Princeton University.
GDPR isn’t working yet
Europe’s General Data Protection Regulation is a little over a year old now, and although it’s far from perfect – or even fully baked, since much-needed clarifying guidelines are still coming out and the ePrivacy regulation still isn’t ready – it’s becoming a blueprint for privacy regulation around the world.
But while the need for transparency is a central tenet of GDPR, the law is “not being enforced and it hasn’t changed behavior as intended,” Brookman said, at least not yet.
Most websites made tweaks in the lead-up to GDPR enforcement last year, which primarily entailed adding more information into their privacy policies. But scant changes were made to the amount of actual data processing that takes place, said Christine Utz, a research associate at Ruhr-University Bochum in Germany.
“Somehow, the new transparency requirements are at odds with GDPR’s goal of making privacy policies easier to understand,” she said, noting that cookie consent notices are no better.
IAB’s Europe Transparency and Consent Framework isn’t helping matters much, either. Utz came across examples of the TCF that provided consumers with lists of around 400 third-party service providers to allow or disallow – and that doesn’t even include the third-party partners that don’t participate in the framework.
“This provides both too much and too little information at the same time,” Utz said.
Is consumer data valued properly?
But let’s say brands and publishers figure out the whole transparency thing and collect informed and affirmative consent to collect user data – is it even worth it, from a financial point of view?
Although conventional wisdom states that everyone in the supply chain makes bank, that’s not necessarily the case, said Alessandro Acquisti, a professor at Carnegie Mellon University and co-author of the controversial recent study that found media companies only receive 4% more revenue for cookie-targeted behavioral advertising versus impressions with no cookies enabled.
2019 will be the year of privacy
Putting side some of the problematic aspects of the study, including its limited scope, the issue it raises is one that even ardent proponents of behaviorally targeted advertising acknowledge, which is that the supply chain is a tangled web of complexity – and that it’s easy to lose sight of the consumer in the swirling debate around privacy policies and consent strings.
“We lost the consumer the moment we started calling them users,” said Kassem Fawaz, an assistant professor at the University of Wisconsin-Madison.