The IAB’s incoherent position on “Do-Not-Track”

Image: EFF

The Interactive Advertising Bureau (IAB), an industry group for advertisers and publishers, understands that data privacy regulation may actually happen. Rather than oppose it, they’re fine with it . . . so long as the government does things their way.

Today, I deconstruct a statement by IAB executives Randall Rothenberg and Dave Grimaldi on regulation. This is good practice on poking holes in self-serving statements by lobbying organization.

What does the IAB really want?

Here’s the statement, with commentary by me.

IAB to Government: Create “Do-Not-Track Plus”

By Randall Rothenberg and Dave Grimaldi

Commentary: Please don’t put a period after May.

In testimony before Congress last week, Federal Trade Commission Chairman Joseph Simons said, “We urge Congress to enact privacy and data security legislation, enforceable by the FTC.”

All five members of the FTC appeared at the House Energy and Commerce Subcommittee on Consumer Protection and Commerce, and they unanimously supported a tough new federal data privacy law.

We couldn’t agree more.

Commentary: Regulation is good for the members of the IAB, and the IAB knows it. Lawlessness enables those who exploit data with no compunction to outmaneuver brands and publishers who obey some principles. Regulation enables legitimate brands to compete better with pirates, which is why those brands want rules . . . so long as they’re not too onerous.

This may seem surprising. IAB is an organization that represents publishers, platforms, brands, and advertising and marketing technology companies. Some might argue that we are therefore not credible in arguing for a Federal Do-Not-Track standard—even though we have been at the forefront in creating and managing such universal standards, via our work with the Digital Advertising Alliance in the U.S. and with IAB Europe and member companies on the IAB Transparency & Consent Framework in Europe.

Commentary: This basically boils down to “Trust us, we know what’s best.”

In addition, it is true that we have consistently declared our opposition to “Do-Not-Track.” That is because it sets up a false history of consumer data, a false narrative of consumer victimization, and a false sense of security about consumer control. It’s simply an incorrect, noxious notion that consumers are de facto victimized by the use of their data. It’s equally false to tell consumers that simply by pressing a button and stopping all this “tracking” they will somehow be safe. They won’t be.

Commentary: This is twisted logic in the extreme. In this paragraph, directly after stating that the IAB is credible in arguing for a Do-Not-Track standard, IAB declares that it has consistently opposed Do-Not-Track. (“Don’t do this, but if you do, do it the way we tell you to”?) Contrary to the IAB statement, the narrative of consumer victimization is real, as we are constantly reminded by every data breach and sneaky Facebook data-sharing arrangement.

True, the fact that companies use data to the detriment of consumers does not imply that all data collection is “noxious” — but neither does it imply that all data collection is innocuous. Consumers who are paying attention are not going to be believe that “Do-Not-Track” will save them, but even if they do, that’s not a very good argument for failing to implement it. It’s equivalent to “Most consumer think airbags will keep them safe in any vehicle accident, so let’s not implement airbags.”

The fact is, Americans need real protection from actual harm caused by illegitimate data-sharing. They also need less blanket fear-mongering about basic uses of consumer data that have powered the economy for more than a century.

We need far more than “Do-Not-Track.”

Commentary: Going beyond “Do-Not-Track” does not require rejecting “Do-Not-Track”

The need to provide consumers with greater privacy and security in digital environments, naturally causes brands, publishers, and consumers concern when platforms and browser manufacturers  – especially giant, vertically-integrated, data-rich platforms and browser-makers – step up to do it on their own, independent of each other, divorced from broader marketplace needs, and absent a defined legal or regulatory framework.

We commend the activity of all the companies creating privacy management tools and protocols for consumers, but it’s clearly both too much, and not enough.  We don’t have 1,000 different designs for seatbelts and airbags in cars – we have one. And we don’t leave it to consumers to manage the intricate details of their own food safety: We have industry and Government processes in place to make sure the food consumers buy is free from germs and poisons. Similarly, we shouldn’t have a thousand different methods for managing digital privacy, confusing consumers and sowing chaos among businesses. And we shouldn’t make consumers push endless consent buttons on web sites and apps, or burrow deep into browser tools to manage who’s doing what with their data. We should have consistent principles and tools, premised on Federal, and possibly globally recognized, rules and enforcement, that will provide consumers easy, automatic security and privacy.

Commentary: No one trusts anyone now, regardless of what privacy methods they obey. Isn’t this where IAB is supposed to step in and create a “self-enforcement” standard? If the industry hasn’t adopted that consistently, isn’t that a failure in IAB leadership? The natural outcome of that failure would be government regulation. This may be one of the only issues where Democrats and Republicans could agree.

The work being done by big platforms and browser makers is useful, because it will contribute to a Federal or global solution. But it won’t substitute for it. We need a new paradigm for Federal privacy regulation, to assure a baseline of real consumer protections and a level playing field in which all participants are pursuing the same goals with consistent technology solutions.

We want penalties, civil and criminal, for illicit uses of data. We want companies to be forced to adopt standardized mechanisms by which they will protect consumers, the way auto manufacturers are required to install seat belts and air bags to protect consumers. We want the Federal Trade Commission to be empowered and funded to oversee consumer privacy protection, and to be able to instantiate new protection rules as technology evolves.

This isn’t a call for “Do-Not-Track.” Think of it as a call for “Do-Not-Track-Plus.”

Commentary: I’ll look forward to seeing how the IAB reacts to such regulations, should they ever come into being. In the meantime, couldn’t an organization representing brands and advertisers come up with anything catchier than “Do-Not-Track-Plus”?

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.