Microsoft Proposes Comprehensive Framework To Protect Consumer Privacy

Microsoft has added its input to that of a host of other stakeholders in the growing debate over consumer privacy, online ad targeting, and potential US (and local) government regulation. (Here’s a related WSJ story on search engine efforts to block a proposed anti-tracking law in the New York state legislature.) In a filing today with the US Federal Trade Commission, Microsoft proposed a “comprehensive framework to protect consumer privacy.”

Microsoft lays out the following conceptual principle for its five-tiered approach:

The foundation of Microsoft’s approach is the idea that the greater the potential risk to privacy, the greater the protection. For example, the most stringent tier requires that online advertisers receive affirmative express consent from consumers before they may use sensitive personally identifiable information — such as personal health information — for advertising purposes.

Here are the five levels of protection that are being presented to the FTC (verbatim):

Collecting data about site visitors. Organizations that keep records of page views or collect other information about consumers for the purpose of delivering ads or ad-related services on their own sites should post a privacy policy on the home page, implement reasonable security procedures, and retain data only as long as necessary to fulfill a legitimate business need or as required by law.

Delivering ads on unrelated sites. Entities that engage in delivering online ads or services across unrelated third-party sites should ensure that consumers receive notice of the privacy practices of those sites.

Behavioral advertising. Entities that seek to develop a profile of consumer activity to deliver advertising across unrelated third-party sites should also offer consumers a choice about the use of their information for such purposes.

Use of personally identifiable information. Third parties that rely on personally identifiable information — such as a name, e-mail address, physical address or phone number — for delivering ads or related services across multiple sites or for behavioral advertising should, at a minimum, give consumers the ability to opt out of having personally identifiable information collected for the purpose of targeting ads.

Use of sensitive personal data. Third parties should be required to obtain affirmative express consent before using sensitive personally identifiable information — such as health or medical conditions, sexual behavior or orientation, or religious beliefs— for behavioral advertising.

More stringent protection — including explicit consumer consent in certain cases — is reserved for behavioral targeting (BT), which has lately been the darling of brand advertisers and portals. Google is experimenting with a form of BT in search results called “previous query” targeting.

A recent Harris Interactive poll found that 60 percent of more than 2,500 people surveyed were “uneasy” with being tracked and targeted by purveyors of online advertising.

A more comprehensive analysis and discussion is called for. However, it’s safe to say that as online ad targeting becomes both more aggressive and sophisticated, it becomes more of a political hot button and draws more opposition and scrutiny (especially in Europe).

Microsoft, Google, and others are wise to try and offer real privacy protection guidelines and get in front of this issue. Otherwise, if they don’t voluntarily do this, they’ll be subjected to externally imposed rules that will limit or undermine some of the targeting and tracking systems they’re developing for advertisers.