1. California's Do Not Track rule takes
While Congress has dabbled in privacy issues over the last few
years, observers don't anticipate comprehensive privacy legislation
to pass in 2014. Instead, all eyes are on California, where a state
requirement that went into effect January 1 has concerned some site
publishers. Websites must indicate in their privacy policies how
they respond to Do Not Track signals.
"There's always smoke in a handful of state leglistures, but
there's only fire in California," said Mike Zaneis, senior VP and
general counsel for the Interactive Advertising Bureau.
The difficulty is websites typically have a maze of technology
partners -- from ad exchanges to site analytics firms. So, while
sites can be sure their own first-party tracking systems respond to
a browser signal to disable tracking, they often have no control
over how the partners that gather data about people's activities on
their sites will respond. Data flows through countless tributaries
online so even if a site says it recognizes Do Not Track signals,
user data could seep out through partners unbeknownst to
"My advice in general here is you need to disclose what the law
says you need to disclose. You're not legally required to disclose
more," said Mason Weisz, a privacy counsel at law firm
Expect California to give noncompliant publishers some leeway
before enforcement escalates towards monetary penalties.
2. Europe will push tougher oversight in
Amid revelations that the National Security Administration's
surveillance activities have harvested data on Europeans, European
Commission leaders want stronger data privacy protections from the
The Commission in November proposed changes to its safe harbor
agreement with the U.S. In place since 2000, the deal enables more
than 3,000 companies from General Mills to
Google and Facebook to satisfy EU privacy regulations in exchange
for self-certifying that they abide by certain rules. The
Commission claimed that enforcement of the program is "deficient,"
prompting the Federal Trade Commission to
defend its enforcement methods.
The European Commission aims to require U.S. firms in the safe
harbor program to publicly disclose privacy policies and link to
the Department of Commerce's safe harbor website.
While changes to safe harbor requirements probably won't take
the form of official rules, the FTC could establish new guidance to
appease its friends across the Atlantic.
"The Europeans are upset, and I think there will be some attempt
to placate them in the U.S," said Mr. Weisz.
3. Both industry and federal enforcers will crack
The online ad industry has managed to stave off sweeping privacy
legislation thus far in part because of its self-regulatory program
enabling people to opt-out from receiving behavioral ads. That
program is enforced by the Better Business Bureau, which
promised to beef up enforcement starting January 1.
The BBB announced recently that it could penalize companies
including site publishers and ad networks that don't provide
real-time notice to users when collecting data for behavioral
advertising. The suggested form of notification is the Digital
Advertising Alliance's small, blue Ad Choices icon.
The Federal Trade Commission might also strengthen its
enforcement of the recently-updated Children's Online Privacy
Act which now categorizes geo-location information, photos and
videos as personal information, requiring parental consent before
such data are collected on children under age 13.
"I think there's going to be more COPPA-related enforcement,"
said Mr. Weisz. "It requires making some disclosures…so
people are going to be updating their privacy notices."
With the BBB and FTC getting tough, firms will have to respond.
"There's this pressure from two sides," said Mr. Weisz. "That's
going to encourage companies to make more
representations…and more representations means more