Three Big Privacy Changes to Plan for in 2014

Increased Enforcement Expected for Government and Industry Privacy Programs

By Published on .

One sure-fire prediction for 2014: privacy will remain a hot topic for consumers, legislators, and any business that stores or uses personal or financial data.

Just ask Target. Or Snapchat.

Yet 2014 will bring more than just talk. New laws and industry self-regulation for privacy protections are taking shape in ways that will affect marketers in the coming year. Here are three of the most important things to watch:

Mike Zaneis
Mike Zaneis

1. California's Do Not Track rule takes effect

While Congress has dabbled in privacy issues over the last few years, observers don't anticipate comprehensive privacy legislation to pass in 2014. Instead, all eyes are on California, where a state requirement that went into effect January 1 has concerned some site publishers. Websites must indicate in their privacy policies how they respond to Do Not Track signals.

"There's always smoke in a handful of state leglistures, but there's only fire in California," said Mike Zaneis, senior VP and general counsel for the Interactive Advertising Bureau.

The difficulty is websites typically have a maze of technology partners -- from ad exchanges to site analytics firms. So, while sites can be sure their own first-party tracking systems respond to a browser signal to disable tracking, they often have no control over how the partners that gather data about people's activities on their sites will respond. Data flows through countless tributaries online so even if a site says it recognizes Do Not Track signals, user data could seep out through partners unbeknownst to publishers.

"My advice in general here is you need to disclose what the law says you need to disclose. You're not legally required to disclose more," said Mason Weisz, a privacy counsel at law firm ZwillGen.

Expect California to give noncompliant publishers some leeway before enforcement escalates towards monetary penalties.

2. Europe will push tougher oversight in U.S.

Amid revelations that the National Security Administration's surveillance activities have harvested data on Europeans, European Commission leaders want stronger data privacy protections from the U.S.
The Commission in November proposed changes to its safe harbor agreement with the U.S. In place since 2000, the deal enables more than 3,000 companies from General Mills to Google and Facebook to satisfy EU privacy regulations in exchange for self-certifying that they abide by certain rules. The Commission claimed that enforcement of the program is "deficient," prompting the Federal Trade Commission to defend its enforcement methods.

The European Commission aims to require U.S. firms in the safe harbor program to publicly disclose privacy policies and link to the Department of Commerce's safe harbor website.

While changes to safe harbor requirements probably won't take the form of official rules, the FTC could establish new guidance to appease its friends across the Atlantic.

"The Europeans are upset, and I think there will be some attempt to placate them in the U.S," said Mr. Weisz.

3. Both industry and federal enforcers will crack down.

The online ad industry has managed to stave off sweeping privacy legislation thus far in part because of its self-regulatory program enabling people to opt-out from receiving behavioral ads. That program is enforced by the Better Business Bureau, which promised to beef up enforcement starting January 1.
The BBB announced recently that it could penalize companies including site publishers and ad networks that don't provide real-time notice to users when collecting data for behavioral advertising. The suggested form of notification is the Digital Advertising Alliance's small, blue Ad Choices icon.

The Federal Trade Commission might also strengthen its enforcement of the recently-updated Children's Online Privacy Protection Act which now categorizes geo-location information, photos and videos as personal information, requiring parental consent before such data are collected on children under age 13.

"I think there's going to be more COPPA-related enforcement," said Mr. Weisz. "It requires making some disclosures…so people are going to be updating their privacy notices."

With the BBB and FTC getting tough, firms will have to respond. "There's this pressure from two sides," said Mr. Weisz. "That's going to encourage companies to make more representations…and more representations means more risk."

Most Popular