Microsoft proposes new ad privacy structure

OUT-LAW News, 14/04/2008

Microsoft has proposed a five-tiered privacy plan that it believes should underpin online advertising.

The software giant hopes to influence US consumer regulator the Federal Trade Commission in its consideration of whether or not online advertisers should be governed by self-regulatory principles.

Microsoft has proposed some controls on advertisers' use of data, including mandating the need to receive explicit consent for the use of sensitive information and opt-outs for advertising based on surfing habits on other people's sites.

"Microsoft recognizes the need for self-regulatory principles governing online advertising that provide consumers with greater transparency and control," said Microsoft associate general counsel Michael Hintze in a letter to the Federal Trade Commission (FTC).

"Online advertising enables advertisers to target their ads to specific consumers and allows consumers to receive ads that they are more likely to find useful. Consumers value these benefits, but, as the Commission notes, they may not fully appreciate the role that data collection plays in providing them," he wrote . "They also may not appreciate other elements of online advertising that may impact their privacy – most notably that third parties may be involved in delivering online ads and collecting information about them."

Microsoft has proposed tailoring the level of privacy protection to the type of information gathering undertaken by setting stricter limits to the use of data and offering greater user control as the amount and sensitivity of collected information increases.

The proposed principles ask that sites that collect data on which to base advertising tell users that they do so; that those which do so across a number of connected sites try to ensure that consumers know this; and that companies which profile a user based on their activity to help deliver adverts in unrelated sites allow users to choose whether or not that happens.

Microsoft's suggestions also propose that companies seeking to merge personally identifiable information with surfing data should have more privacy obligations than other companies, and that a company which wants to use sensitive personally identifiable information to deliver behavioural advertising receives express consent before being allowed to do so.

Privacy rights are increasingly becoming the ground on which publishing and search giants are fighting battles for users. US suppliers of technology and services such as Microsoft and Google are facing stricter regimes in the EU than in the US and Google in particular has faced stern criticism from European privacy regulators.

Google wants the world's service providers to subscribe to a set of privacy rules which Asia Pacific countries already abide by. It wants every country to sign up to the sia-Pacific Economic Co-operation (APEC) privacy framework, which it says is rightly focused on preventing harmful uses of data rather than sticking to principles.

"Privacy standards should focus on actual harms to consumer privacy," said Peter Fleischer, global privacy counsel at Google, last year. "Other countries have an ideological bent. APEC has a pragmatic focus on privacy harms."

APEC has principles in nine areas, which are: preventing harm; notice; collection limitations; uses of personal information; choice; integrity of personal information; security safeguards; access and correction; and accountability.

Microsoft already has some privacy principles. It said that its privacy principles for Live search and online ad targetting cover: user notice; user control; search data anonymisation after 18 months; minimising privacy impact and protecting data, and legal requirements and best practices.

Microsoft's proposed self regulatory principles:

1. Any entity that logs page views or collects other information about consumers for the purpose of delivering ads or providing advertising-related services (“online advertising”) within its own site should inform consumers of its advertising practices in a privacy notice that is available through a clear and conspicuous link on its site’s homepage, implement reasonable security procedures, and retain data only as long as necessary to fulfill a legitimate business need or as required by law.
2. Third parties that collect information about consumers for online advertising across multiple, unrelated third-party sites (“multi-site advertising”) should take reasonable steps to ensure consumers receive notice of their activities.
3. Third parties that seek to develop a profile of consumer activity to deliver advertising across multiple, unrelated third-party sites (“behavioral advertising”) should additionally offer consumers a choice about the use of their information for such purposes.
4. Third parties seeking to merge personally identifiable information with information collected through multi-site or behavioral advertising should be subject to additional obligations.
5. Third parties should be required to obtain affirmative express consent before using sensitive personally identifiable information for behavioral advertising.

See: Microsoft's submission to the FTC (31 page / 907KB PDF)

See also:

• Our data retention is not data protection watchdogs' business, says Google privacy boss, OUT-LAW News, 06/07/2007
• Data protection watchdogs’ letter to Google goes public, OUT-LAW News, 30/05/2007
• Google will delete search identifiers after two years, OUT-LAW News, 20/03/2007

Feedback | Printer-friendly page | Latest news | | All news feeds | Ask a lawyer