Thursday, March 20, 2008

NY Online Privacy Push

Albany’s an interesting place, and not just because residents of the New York Governor’s mansion seem to spend as much time bed-hopping as signing budgets. On a more important – although less salacious – note, downstate Assemblyman Richard Brodsky has introduced legislation that would shore up Internet users’ rapidly deteriorating privacy, reports the New York Times today.

The bill, as the Times explains, would apply to targeted advertising companies – companies that monitor the websites you visit, typically using cookies for that purpose. It would prohibit those companies from using information about you for advertising without your consent.

Because this would be a state statute – Brodsky’s a state legislator – the bill could not directly establish national standards. However, the seamless nature of the Internet and the relative expense and difficulty of geotargeting mean that the statute might become a de facto standard nationwide, or perhaps worldwide.

I took a look at the language of the bill, and found that it’s complex and has a number of apparent gaps and gaffes. For instance, the language may not cover websites that sell their own advertising (rather than rely on third parties like Doubleclick, now a subsidiary of Google).

Another example: the consent requirements seem to apply, ironically, to non-personally identifiable information, but not to personally identifiable information (often called “PII”). In addition, although the bill is intended to require opt-in consent, it doesn’t actually use the legal term of art “opt-in.” The legislation also requires that the advertising company’s website provide “robust notice” to the user, but doesn’t define that rather novel term.

In light of all this, I spoke to the Assemblyman’s Legislative Director, Kent Sopris. He took note of these issues, and explained that the bill was a work in progress. The Assemblyman’s office is getting lots of feedback – I suggested a few organizations for them to talk to – and revisions to the draft are expected.

To get a broader perspective, I spoke directly to the Assemblyman. He told me the bill is “part of [my] long-term focus on privacy.” He’s also introduced, for instance, a constitutional amendment that would create a right to privacy in New York.

That’s significant, because there’s no explicit right to privacy in the U.S. Constitution, nor in most state constitutions. The exceptions are Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina, and Washington – ten states – according to the National Conference of State Legislatures.

The thrust of the new legislation is straightforward, Brodsky says: “you can’t have my stuff” – my data – “without my permission.” In his view, that principle’s as American as “apple pie, motherhood, and the American flag.” Big Brother is not the government, in his view, it’s big companies, and “Big Brother is watching, and creating dossiers.”

It’s not so simple though. As the Assemblyman acknowledged, “the economic model of the Internet is free [i.e., free content], because of advertising.” Opt-in schemes, where the consumer has to expressly agree to allow data collection, typically produce much smaller levels of consent than opt-out approaches, where the consumer has to expressly refuse to accept ads.

Thus, the bill’s opt-in requirement would reduce revenues, making ad-supported websites less feasible. Brodsky agreed that the effect on business models was a legitimate concern, but didn’t offer any roadmap for reconciling privacy and economics.

Perhaps the answer is opt-out, although that’s certainly a weaker form of protection. A compromise might require opt-in for PII – which is what the European Union (EU) Data Protection Directive requires, incidentally – but allow opt-out for non-PII.

Keeping up with technological change is another difficulty. Business models evolve – already, for instance, the Times reports that a company called Phorm wants to collect targeting information directly from ISP, by monitoring traffic, rather than using cookies. Would the legislation apply to this? The Assemblyman says yes, because the bill “asserts a broad legal principle.” I’m not so sure – many courts are wary of broad legal principle, and stick closely to legislative language.

Will the bill pass? As the Assemblyman said, “you never know.” Company lobbyists are sure to get involved, and there are many ways to kill a bill. Indeed, just getting the legislature to focus on anything other than passing a budget and adjusting to the new Governor won’t be easy.

Brodsky says he’ll “proceed on the merits” of the bill – “I’ve gotten a lot done on that basis and expect the same way here,” he assured me. That sounds more like a high school civics class than an actual legislature, but we’ll have to wait and see.