Last week I had a chance to ask Megan Brister and Jordan Prokopy, the analysts from Anzen Consulting who cowrote this guest opinion on targeted advertising not long ago, a few questions via e-mail. At the same time, they were busy participating in the Federal Trade Commission's roundtable discussion on Internet privacy. Friday when I received their responses, I was delighted to see that they were able to incorporate several things from that roundtable into what they shared with me.
For instance, the FTC guidelines recommend "reasonable data security" and "limited" data retention. Brister and Prokopy indicate that though the FTC and industry self-regulators agree that "limited" data retention means keeping data only as long as there are legitimate business reasons to do so, as well as only keeping data that has been de-identified, the reasonableness standard is much more vague. They told me:
The vagueness of the "reasonableness" standard for data security, on the other hand, is an issue that was discussed at the FTC's 2007 Town Hall meeting and continues to be discussed today... For the FTC, "reasonable" data security depends on: 1) the sensitivity of the information, 2) the nature of the business' operations, 3) the type of risks the company might be faced with, and 4) the security available to the business.
Determining what information should be classified as "sensitive" is also a bit tricky, Brister and Prokopy said.
Commentators at both the FTC Town Hall and the Roundtable argued that information considered as "sensitive" depends on the context and the individual consumer. Using an example from the FTC Roundtable, while a 70-year-old male might not consider information collected about him that indicates he is balding as sensitive, a 25-year-old female might.
Given all the different considerations that go into deciding on a regulatory framework, then, it's easy to understand why doing so might take awhile. I asked how companies that use targeted advertising can really prepare for or anticipate the regulation that is undoubtedly coming down the pike. Brister and Prokopy recommend the following:
[Keep] up to date on the discussion and views of potential regulators, such as the FTC, and of industry... For example, businesses should be aware of previous FTC complaints and investigations that relate to online behavioural advertising, such as the FTC settlement with Sears Data Holdings Management Corp. In this case, the FTC imposed punitive measures on the company for not sufficiently notifying consumers of its online tracking practices irrespective of any evidence of consumer harm.