Reading the Tea Leaves: Is Privacy Regulation on Track for Web 3.0?

ABA 2011 Consumer Protection Conference

Saira Nayak Nayak Strategies

The US Data Protection Framework

1.  Federal Laws & Regs – COPPA, HIPAA, etc. 2.  Federal Guidance – FTC, Commerce Reports 3.  State analogues to federal laws - e.g. CA’s SB1 4.  State Data Breach & Security laws 5.  Marketing Communications laws – TCPA, CAN-SPAM, Junk Fax Protection Act etc. 6.  Laws Compelling Disclosure – ECPA, FOIA 7.  Self-Regulatory frameworks - Digital Advertising Alliance (www.aboutads.com), BBB Interest Based Advertising Project, NAI

Criticisms of a Sectoral System •  Technological Relevancy •  Inefficient oversight by regulators and

overlapping regulatory obligations •  Inadequate or insufficient enforcement

mechanisms

Will the proposed frameworks identified in the FTC Report and Commerce Green Paper address these criticisms? Yes, to some extent.

Web 1.0

•  The mostly “read-only” web •  One way interaction between websites and users •  1996 - 250,000 sites, 45 million users •  Privacy concerns: ID theft, spam, spyware •  FTC approach: notice & choice, harms-based

Published Content Website

Web 2.0

Published Content

Website

Uploaded Content

Website Affiliate

Website Affiliate

•  The ”read-write” or social web •  Two-way interaction between users and websites •  2009 – over 250 million sites, nearly 2 billion users •  90 trillion emails sent, 1 billion videos viewed on YouTube •  Privacy concerns: new business models (OBA, geo-marketing) •  FTC approach: FTC Privacy Report

Web 3.0 - Characteristics •  The Semantic Web – web technologies that help computers understand the meaning or “semantics” of information.

•  The Personalized Web – web technologies that become more customized to personal preferences and are easier to use.

•  The Visual Web – web technologies that highlight the convergence of the physical and virtual world. E.g. video that is disseminated widely across platforms - TVs, laptops, tablets, mobile devices

Web 3.0

“The Semantic Web is a web of data that can be processed directly and indirectly by machines…”

- Tim Berners-Lee

Web 2.0 - Search

Algorithmic search result

Web 3.0 - Search

Algorithmic search result

Local search result

Social search result

FTC Privacy Report

“A forward-looking policy vehicle for approaching privacy in light of new

practices and business models.” -FTC Privacy Report, page 39

The Challenge: Creating a framework that protects consumer privacy and fosters innovation at the same time…

FTC Privacy Framework

Four “building-blocks” of the FTC’s proposed privacy framework:

•  Scope •  Privacy by Design •  Simplified Choice •  Transparency

Commerce Green Paper Four policy recommendations: •  Encouraging consumer trust through a

revitalized set of FIPPs •  Encouraging development of voluntary

codes of conduct; PPO •  Global privacy interoperability •  Ensure that security breach notification

rules are nationally consistent

Scope FTC – Commercial entities that collect or use consumer data that can be reasonably linked to a consumer, computer or other device.” Reading the tea leaves… •  Increased use of online and offline data in

web 3.0 personalization •  The evolution of the “reasonably linked”

concept will be particularly important •  Concern: what if there is no nexus between

the consumer and the computer/device

FTC Report – emphasize consumer privacy at “every stage” of product development Commerce –a revitalized FIPPs for Web 3.0 Reading the tea leaves… •  Rising role for Access in Privacy 3.0 •  Data portability will provide a new area

for companies to compete and innovate •  Concern: Companies will need to balance

personalization with privacy in Web 3.0

Privacy by Design/ FIPPs v. 2

FTC recommends that choice be offered in a timely and contextually relevant manner. Reading the tea leaves… •  The list of “commonly accepted practices”

will get broader with Web 3.0 •  Innovation in choice mechanisms that

promote information flow •  Concern: Will initiatives like “Do-Not-Track”

cause users to opt-out entirely from the “Semantic Web”?

Simplified Choice

Both reports see a strong relation between transparency and informed choice. Reading the tea leaves… •  Definition of “material change” will continue

to evolve based on web habits •  Expanded definition of privacy notice to

include alternate notice mechanisms (just in time, short notices for mobile), etc.

•  Larger role for machine readable policies

Transparency

On Track? Generally, yes. Suggestions to stay that way?

•  Continue close interaction with industry to address technological relevancy concerns

•  Address enforcement gaps with expanded role for voluntary, self-regulatory regimes

•  Encourage the development of privacy as a competitive differentiator for web 3.0 technologies.