64
51
commenters suggested that “take-it-or-leave-it” or “walk away” choice is common in many business models,
such as retail and software licensing, and companies have a right to limit their business to those who are
willing to accept their policies.
236
Another commenter stated that preventing companies from offering take-
it-or-leave-it choice might be unconstitutional under the First Amendment.
237
Other commenters, however,
characterized walk away choice as generally inappropriate.
238
Some argued that the privacy framework
should prevent companies from denying consumers access to goods or services, including website content,
where consumers choose to limit the collection or use of their data.
239
Most of the commenters that addressed this issue took a position somewhere in between.
240
In
determining whether take-it-or-leave-it choice is appropriate, these commenters focused on three main
factors. First, they noted that there must be adequate competition, so that the consumer has alternative
sources to obtain the product or service in question.
241
Second, they stated that the transaction must not
involve an essential product or service.
242
周ird, commenters stated that the company offering take-it-or-
leave-it choice must clearly and conspicuously disclose the terms of the transaction so that the consumer
is able to understand the value exchange. For example, a company could clearly state that in exchange
for receiving a service at “no cost,” it collects certain information about your activity and sells it to third
parties.
243
Expanding upon this point, commenters stressed that to ensure consumer understanding of the
nature of the take-it-or-leave-it bargain, the disclosure must be prominent and not buried within a privacy
policy.
244
周e Commission agrees that a “take it or leave it” approach is problematic from a privacy perspective,
in markets for important services where consumers have few options.
245
For such products or services,
businesses should not offer consumers a “take it or leave it” choice when collecting consumers’ information
in a manner inconsistent with the context of the interaction between the business and the consumer. Take,
236 Comment of Performance Marketing Ass’n, cmt. #00414, at 6; Comment of Business Software Alliance, cmt. #00389, at 11-12.
237 Comment of Tech Freedom, cmt. #00451, at 17.
238 Comment of Consumer Federation of America, cmt. #00358, at 11; Comment of ePrio, Inc., cmt. #00267, at 4-5.
239 Comment of Consumer Federation of America, cmt. #00358, at 11; see also Comment of Consumers Union, cmt. #00362, at 12
(urging that consumers who choose to restrict sharing of their PII with unknown third parties should not be punished for
that choice).
240 See, e.g., Comment of Center for Democracy & Technology, cmt. #00469, at 13 (stating that it has no objection to take-it-
or-leave-it approaches, provided there is competition and the transaction does not involve essential services); Comment of
Microsoft Corp., cmt. #00395, at 10 (stating that take-it-or-leave-it choice is appropriate provided the “deal” is made clear to
the consumer); Comment of the Information Commissioner’s Office of the UK, cmt. #00249, at 4 (stating that take-it-or-leave-it
choice would be inappropriate where the consumer has no real alternative but to use the service); Comment of Reed Elsevier,
Inc., cmt. #00430, at 11 (stating that while acceptable for the websites of private industry, websites that provide a public
service and may be the single source of certain information, such as outsourced government agency websites, should not
condition their use on take-it-or-leave-it terms).
241 Comment of Center for Democracy & Technology, cmt. #00469, at 13; Comment of the Information Commissioner’s Office of the
UK, cmt. #00249, at 4.
242 Comment of Center for Democracy & Technology, cmt. #00469, at 13; Comment of Reed Elsevier, Inc., cmt. #00430, at 11.
243 Comment of Microsoft Corp., cmt. #00395, at 10; see also Comment of Center for Democracy & Technology, cmt. #00469, at 13
(stating that the terms of the bargain should be clearly and conspicuously disclosed).
244 Comment of TRUSTe, cmt. #00450, at 11; see also Comment of Center for Democracy & Technology, cmt. #00469, at 13 (stating
that terms should be “transparent and fairly presented”).
245 周is Report is not intended to reflect Commission guidance regarding Section 5’s prohibition on unfair methods of
competition.
46
52
for example, the purchase of an important product that has few substitutes, such as a patented medical
device. If a company offered a limited warranty for the device only in exchange for the consumer’s agreeing
to disclose his or her income, religion, and other highly-personal information, the consumer would not have
been offered a meaningful choice and a take-it-or-leave approach would be inappropriate.
Another example is the provision of broadband Internet access. As consumers shift more aspects of
their daily lives to the Internet – shopping, interacting through social media, accessing news, entertainment,
and information, and obtaining government services – broadband has become a critical service for many
American consumers. When consumers have few options for broadband service, the take-it-or-leave-it
approach becomes one-sided in favor of the service provider. In these situations, the service provider should
not condition the provision of broadband on the customer’s agreeing to, for example, allow the service
provider to track all of the customer’s online activity for marketing purposes. Consumers’ privacy interests
ought not to be put at risk in such one-sided transactions.
With respect to less important products and services in markets with sufficient alternatives, take-it-or-
leave-it choice can be acceptable, provided that the terms of the exchange are transparent and fairly disclosed
– e.g., “we provide you with free content in exchange for collecting information about the websites you visit
and using it to market products to you.” Under the proper circumstances, such choice options may result in
lower prices or other consumer benefits, as companies develop new and competing ways of monetizing their
business models.
c Businesses Should Provide a Do Not Track Mechanism To Give Consumers Control Over
the Collection of 周eir Web Surfing Data
Like the preliminary staff report, this report advocates the continued implementation of a universal, one-
stop choice mechanism for online behavioral tracking, often referred to as Do Not Track. Such a mechanism
should give consumers the ability to control the tracking of their online activities.
Many commenters discussed the progress made by industry in developing such a choice mechanism in
response to the recommendations of the preliminary staff report and the 2009 OBA Report, and expressed
support for these self-regulatory initiatives.
246
周ese initiatives include the work of the online advertising
industry over the last two years to simplify disclosures and improve consumer choice mechanisms; efforts
by the major browsers to offer new choice mechanisms; and a project of a technical standards body to
246 See, e.g., Comment of American Ass’n of Advertising Agencies et. al, cmt. #00410, at 3 (describing the universal choice
mechanisms used in the coalition’s Self-Regulatory Principles for Online Behavioral Advertising Program); Comment of
BlueKai, cmt. #00397, at 3 (describing its development of the NAI Opt-Out Protector for Firefox ); Comment of Computer &
Communications Industry Ass’n, cmt. #00434, at 17 (describing both company-specific and industry-wide opt-out mechanisms
currently in use); Comment of Direct Marketing Ass’n, Inc., cmt. #00449, at 3 (stating that the Self-Regulatory Principles
for Online Behavioral Advertising Program addresses the concerns that motivate calls for a “Do-Not-Track” mechanism);
Comment of Facebook, Inc., cmt. #00413, at 13 (describing behavioral advertising opt-out mechanisms developed by both
browser makers and the advertising industry); Comment of Future of Privacy Forum, cmt. #00341, at 2-4 (describing the
development of a browser-based Do-Not-Track header and arguing that the combined efforts of browser companies, ad
networks, consumers, and government are likely to result in superior choice mechanisms); Comment of Google, Inc., cmt.
#00417, at 5 (describing its Ad Preferences Manager and Keep My Opt-Outs tools); Comment of Interactive Advertising
Bureau, cmt. #00388, at 5-7 (describing the Self-Regulatory Principles for Online Behavioral Advertising Program); Comment
of Microsoft Corp., cmt. #00395, at 11-14 (describing a variety of browser-based and ad network-based choice tools currently
available); Comment of U.S. Chamber of Commerce, cmt. #00452, at 5-6 (describing a variety of browser-based and ad
network-based choice tools currently available).
53
53
standardize opt outs for online tracking.
247
A number of commenters, however, expressed concerns
that existing mechanisms are still insufficient. Commenters raised questions about the effectiveness
and comprehensiveness of existing mechanisms for exercising choice and the legal enforceability of such
mechanisms.
248
Due to these concerns, some commenters advocated for legislation mandating a Do Not
Track mechanism.
249
周e Commission commends recent industry efforts to improve consumer control over behavioral
tracking and looks forward to final implementation. As industry explores technical options and implements
self-regulatory programs, and Congress examines Do Not Track, the Commission continues to believe that
in order to be effective, any Do Not Track system should include five key principles. First, a Do Not Track
system should be implemented universally to cover all parties that would track consumers. Second, the
choice mechanism should be easy to find, easy to understand, and easy to use. 周ird, any choices offered
should be persistent and should not be overridden if, for example, consumers clear their cookies or update
their browsers. Fourth, a Do Not Track system should be comprehensive, effective, and enforceable. It
should opt consumers out of behavioral tracking through any means and not permit technical loopholes.
250
Finally, an effective Do Not Track system should go beyond simply opting consumers out of receiving
targeted advertisements; it should opt them out of collection of behavioral data for all purposes other than
those that would be consistent with the context of the interaction (e.g., preventing click-fraud or collecting
de-identified data for analytics purposes).
251
Early on the companies that make web browsers stepped up to the challenge to give consumers choice
about how they are tracked online, sometimes known as the “browser header” approach. 周e browser
header is transmitted to all types of entities, including advertisers, analytics companies, and researchers,
that track consumers online. Just after the FTC’s call for Do Not Track, Microsoft developed a system to
let users of Internet Explorer prevent tracking by different companies and sites.
252
Mozilla introduced a Do
Not Track privacy control for its Firefox browser that an impressive number of consumers have adopted.
253
247 See supra at Section II.C.1.
248 Comment of American Civil Liberties Union, cmt. #00425, at 12; Comment of Center for Digital Democracy and U.S. PIRG,
cmt. #00338, at 28; Comment of Consumer Federation of America, cmt. #00358, at 13; Comment of Consumers Union, cmt.
#00362, at 14; see also Comment of World Privacy Forum, cmt. #00369, at 3 (noting prior failures of self-regulation in the
online advertising industry).
249 E.g., Comment of Consumers Union, cmt. #00362, at 14; Comment of World Privacy Forum, cmt. #00369, at 3.
250 For example, consumers may believe they have opted out of tracking if they block third-party cookies on their browsers; yet
they may still be tracked through Flash cookies or other mechanisms. 周e FTC recently brought an action against a company
that told consumers they could opt out of tracking by exercising choices through their browsers; however, the company used
Flash cookies for such tracking, which consumers could not opt out of through their browsers. In the Matter of ScanScout,
Inc., FTC Docket No. C-4344 (Dec. 21, 2011) (consent order), available at http://www.ftc.gov/os/caselist/1023185/111221s
canscoutdo.pdf.
251 Such a mechanism should be different from the Do Not Call program in that it should not require the creation of a “Registry”
of unique identifiers, which could itself cause privacy concerns.
252 Comment of Microsoft Corp., cmt. #00395, at 12.
253 Comment of Mozilla, cmt. #00480, at 2; Alex Fowler, Do Not Track Adoption in Firefox Mobile is 3x Higher than Desktop,
Mozilla Privacy Blog, (Nov. 2, 2011), http://blog.mozilla.com/privacy/2011/11/02/do-not-track-adoption-in-firefox-
mobile-is-3x-higher-than-desktop/.
49
54
Apple subsequently included a similar Do Not Track control in Safari.
254
Google has taken a slightly
different approach – providing consumers with a tool that persistently opts them out of most behavioral
advertising.
255
In another important effort, the online advertising industry, led by the DAA, has implemented a
behavioral advertising opt-out program. 周e DAA’s accomplishments are notable: it has developed a notice
and choice mechanism through a standard icon in ads and on publisher sites; deployed the icon broadly,
with over 900 billion impressions served each month; obtained commitments to follow the self-regulatory
principles from advertisers, ad networks, and publishers that represent close to 90 percent of the online
behavioral advertising market; and established an enforcement mechanism designed to ensure compliance
with the principles.
256
More recently, the DAA addressed one of the long-standing criticisms of its approach
– how to limit secondary use of collected data so that the consumer opt out extends beyond simply blocking
targeted ads to the collection of information for other purposes. 周e DAA has released new principles that
include limitations on the collection of tracking data and prohibitions on the use or transfer of the data for
employment, credit, insurance, or health care eligibility purposes.
257
Just as important, the DAA recently
moved to address some persistence and usability criticisms of its icon-based opt out by committing to honor
the tracking choices consumers make through their browser settings.
258
At the same time, the W3C Internet standards-setting body has gathered a broad range of stakeholders
to create an international, industry-wide standard for Do Not Track. 周e group includes a wide variety of
stakeholders, including DAA members; other U.S. companies; international companies; industry groups;
and public-interest groups. 周e W3C group has done admirable work to flesh out the details required
to make a Do Not Track system practical in both desktop and mobile settings. 周e group has issued two
public working drafts of its standards. Some important details remain to be filled in, and the Commission
encourages all of the stakeholders to work within the W3C group to resolve these issues.
While more work remains to be done on Do Not Track, the Commission believes that the developments
to date are significant and provide an effective path forward. 周e advertising industry, through the DAA,
has committed to deploy browser-based technologies for consumer control over online tracking, alongside its
ubiquitous icon program. 周e W3C process, thanks in part to the ongoing participation of DAA member
companies, has made substantial progress toward specifying a consensus consumer choice system for tracking
254 Nick Wingfield, Apple Adds Do-Not-Track Tool to New Browser, Wall St. J. Apr. 13, 2011, available at http://online.wsj.com/
article/SB10001424052748703551304576261272308358858.html.
255 Comment of Google Inc., cmt. #00417, at 5.
256 Peter Kosmala, Yes, Johnny Can Benefit From Transparency & Control, Self-Regulatory Program for Online Behavioral
Advertising, http://www.aboutads.info/blog/yes-johnny-can-benefit-transparency-and-control (Nov. 3, 2011); see also Press
Release, Digital Advertising Alliance, White House, DOC and FTC Commend DAA’s Self-Regulatory Program to Protect
Consumers Online Privacy, (Feb. 23, 2012), available at http://www.aboutads.info/resource/download/DAA%20White%20
House%20Event.pdf.
257 Digital Advertising Alliance, About Self-Regulatory Principles for Multi-Site Data (Nov. 2011), available at http://www.
aboutads.info/resource/download/Multi-Site-Data-Principles.pdf.
258 Press Release, Digital Advertising Alliance, DAA Position on Browser Based Choice Mechanism (Feb. 22, 2012), available at
http://www.aboutads.info/resource/download/DAA.Commitment.pdf.
Documents you may be interested
Documents you may be interested