Microsoft Proposes Tiered Privacy in Online Advertising

Microsoft has proposed a tiered approach to protecting the privacy of people targeted by online advertising, saying advertisers should get permission before using sensitive, personally identifiable information to deliver ads.

Microsoft filed comments on Friday in response to the U.S. Federal Trade Commission’s request for comments on its proposed privacy principles that would be self-administered by the online advertising industry. Microsoft’s proposal operates under the idea that the greater the risk to privacy, the greater the protection data should receive, Microsoft officials said.

Microsoft agrees with the FTC’s decision to focus on an industry self-regulatory approach, but the company has also called for Congress to pass comprehensive consumer privacy legislation, noted Frank Torres, Microsoft’s director of consumer affairs.

“We’re supporting what the FTC is proposing, but we also believe that privacy is important for consumers,” Torres said. “We’re not opposed to going even further” than the FTC self-regulatory proposal.

Microsoft’s proposals would give consumers control over how their personal data is used, Torres said. “When it comes to online advertising, consumers should be in the driver’s seat,” he said.

Among the Microsoft proposals:

— Companies that keep records of page views or collect other information about consumers for the purpose of delivering ads should post a privacy policy on the home page, implement reasonable security procedures, and retain data only as long as necessary to fulfill a legitimate business need.

— Companies that deliver ads or services to unrelated third-party sites should ensure that consumers receive notice of the privacy practices of those sites.

— Companies that develop profiles of consumer activity to deliver advertising across unrelated third-party sites should also offer consumers a choice about the use of that information.

— Third parties should be required to obtain consent from consumers before using sensitive, personally identifiable information, such as health conditions, sexual behavior or religious belief, for behavioral advertising.

Several other companies and groups, including Google, the American Advertising Federation and the Consumer Federation of America, have filed comments on the FTC’s proposed rules. Google’s filing last week appears to look for a narrower scope to regulations, although it said it has in the past called for a federal privacy law that would penalize offenders. Google suggests that the agency narrow its definition of behavioral advertising and distinguish between personally identifiable information and information that’s not personally identifying.

The Consumer Federation of America’s filing on Thursday called for stronger rules than the set of self-regulatory principles proposed by the FTC.

“Simply put, there is a fundamental mismatch between the technologies of tracking and targeting and consumers’ ability to exercise informed judgment and control over their personal data,” the consumer group said in its filing. “It is clear that after seven years of industry self regulation, neither the voluntary organizations nor the individual companies’ approaches to privacy protection are working. Only if consumers are strongly interested, extremely literate, well-informed and highly skilled can they negotiate the opaque, inconsistent morass of opt-out procedures.”

Charles Cooper, a Web user from Illinois, wrote that the FTC’s proposals don’t go far enough. “I think that most people would rather pay to access certain sites than have to deal with constant ads that remind us that what we do on the Internet is far from private,” he wrote in a filing with the FTC. “The collection of any personal data should be something initiated by the consumer so, at the very least, consumers should have an opt-in option rather than the proposed opt-out.”

But Torres said self-regulation, combined with a watchful FTC, should keep advertising companies focused on good privacy practices. If a company promises privacy protections and fails to deliver, it could face FTC sanctions, he said.

“We hope that just by being transparent about what we do, that folks will see we’re serious about this,” he added. “Even in this evolving marketplace, we do believe there are perimeters around privacy and principles and practices that should be put in place.”

However, the threat of real enforcement could make consumers more comfortable with behavioral targeting, according to a researcher involved with a recent study. Nearly 60 percent of survey respondents said they are not comfortable when Web sites like Google, Yahoo and Microsoft use information about their online activity to tailor advertisements to them, said Harris Interactive, which released results of the survey on Thursday.

That number improves to about 45 percent when consumers hear that the sites follow certain privacy and security policies. More people weren’t assured by the policies perhaps because they don’t trust that the companies will follow voluntary guidelines and because there aren’t any regulatory or enforcement mechanisms, said Alan Westin, a professor at Columbia University who helped design the survey.