"If they purport to limit tracking based on sensitive data,” Rich said, referring to industry privacy codes, “they shouldn't play games about what 'sensitive data' means, such as defining medical data to mean only official medical records.”
She called attention to the privacy codes of the self-regulatory groups Network Advertising Initiative and Digital Advertising Alliance.
Both industry organizations require that ad companies obtain consumers' consent before collecting “sensitive” health information, but define the concept differently. "The NAI code is stronger than DAA’s in this regard,” Rich said in a prepared version of her speech. The DAA requires ad companies to obtain consent before collecting, for ad targeting purposes, “pharmaceutical prescriptions or medical records related to a specific individual.”
But the NAI, which also requires opt-in consent before “sensitive” data is used for ad targeting, defines sensitive health information as “precise information about past, present, or potential future health or medical conditions or treatments, including genetic, genomic, and family medical history.”
Sensitive data wasn't the only area of concern flagged by Rich. While Rich said early in her speech that targeted advertising offers benefits, she also devoted a large portion of her remarks to privacy issues raised by some industry practices.
Among others, Rich discussed some relatively newer tracking techniques, like digital fingerprinting technology -- which involves tracking users based on the characteristics of their devices.
"Even those consumers who know about tracking and want to avoid it can’t do so effectively,” she said. “In the case of device fingerprinting, there are no simple means for users to prevent it -- which, unfortunately, may be precisely why some companies have embraced this technology,” Rich added.
She also discussed “enhanced” tracking -- by which she means tracking consumers across a variety of devices. “Companies are creating single, universal identifiers to track consumers across multiple devices and connect their offline, email, and digital interactions,” she said. “This enhanced tracking is often invisible to users.”
While Rich didn't mention the recent controversy surrounding Turn's controversial tracking technology -- which enabled it to track users who deleted their cookies -- she did discuss the FTC's enforcement action against Epic Marketplace. That company used “history sniffing” technology in order to create marketing profiles of users based on sites they had visited -- including medical and financial sites. History-sniffing technology exploits a browser feature that changes the color of links after users visit them.
The FTC didn't allege that history-sniffing itself was unfair or deceptive, but said Epic deceived users by failing to state in its privacy policy that it used history-sniffing techniques. That omission could have affected consumers' decision about whether to use Epic's opt-out tool, the FTC said in its complaint.
Rich made clear that the FTC still feels that way. While she didn't explicitly tell companies not to use potentially controversial behavioral-targeting methods, she left no doubt that the agency expects companies to fully disclose their tracking technology. "To be meaningful and non-deceptive, the information and choices you provide consumers must cover all of your tracking practices, not just a subset,” Rich said.