When you wander around the Web, advertising companies like DoubleClick know a lot about you: For instance, they can tell that you surfed from a Hawaiian tourism site to an airline booking site to a swimsuit retailer. They use that to pitch you a special deal on a beachside hotel room in Maui.
Internet search companies like Google could do the same. They already analyze every query you make to serve up related advertising. As they combine your search history with other services like Web mail and instant messaging, Google, Yahoo and Microsoft are building up a profile of you and your interests to better target ads as well as new services.
And, if Google moves forward with its proposed $3.1 billion acquisition of DoubleClick, then a single company would know more about what you do on the Internet than your own family.
Pretty scary, isn’t it?
Regulators at the Federal Trade Commission should use their review of the Google-DoubleClick deal and similar transactions, such as Microsoft’s proposed $6 billion purchase of aQuantive, to step in and set long-overdue industry standards for consumer privacy on the Internet.
Regulators will focus on the deals’ impact on competition, an area where Google’s rivals and advertising clients have already raised concerns. But the FTC also has broad powers over privacy, and it should use those powers to extract privacy protections from companies seeking approval for their Internet advertising deals.
While there’s no evidence that Google abuses personal data – in fact, the company has fought government attempts to subpoena search records – Web users shouldn’t have to rely on corporate good will to protect their privacy in the future.
Consumer advocates at the Electronic Privacy Information Center, the Center for Digital Democracy and the U.S. Public Interest Research Group have offered a range of privacy suggestions in a complaint filed with the FTC.
Several key principles should guide the FTC process:
Clear disclosure about how personal information can be used: The FTC should mandate that sites explain their privacy practices in simple language before collecting any personal information. And customers should get periodic reminders of the policies.
An easy way to opt out of data collection: After the FTC’s last major investigation of DoubleClick and its privacy practices, the company agreed to let Web users opt out of tracking, but doing so is clunky and inconvenient. User permission should be required before tracking “cookies” are deposited on individual computers. Customers should be able to allow some kinds of data to be collected, such as age and location, while excluding others, such as browsing history.
Anonymity of individual data: Citing law enforcement and tax needs, Google is proposing to keep its records on individual users for 18 to 24 months, then strip the names off. While traceable data might be required for some legal purposes, the FTC should limit the marketing uses of the personalized information.
Any privacy requirements instituted as part of merger approvals should be rolled out more broadly as rules for all Web sites. If the FTC lacks sufficient authority, Congress should step in and pass formal privacy protections.
Internet technologies give companies unprecedented insight into the needs and behaviors of their customers. In many cases, that’s a benefit, because customers get more tailored ads and services.
But you should be allowed to decide whether to adopt Google as your Big Brother.
