FTC Commissioner Fed Up With E-tailer “Opt-Out Cookies”

Written by Fred J. Aun
February 19th, 2009

E-tailers offering site visitors “opt-out” cookies that supposedly guard their online activity from being tracked should just give it up, said a member of the Federal Trade Commission (FTC) in a statement that argues, “It is a counterintuitive concept to put a cookie on a user’s computer to inform Web sites and servers not to place subsequent cookies on the same computer.”

FTC Commissioner Pamela Jones Harbour’s comment was in the context of a new FTC staff report that says E-tailers need to start taking privacy much more seriously if they do not want the government to start imposing new rules. “Staff is encouraged by recent steps by certain industry members, but believes that significant work remains,” the report said.

“Staff calls upon industry to redouble its efforts in developing self-regulatory programs, and also to ensure that any such programs include meaningful enforcement mechanisms. Self-regulation can work only if concerned industry members actively monitor compliance and ensure that violations have consequences.”

Harbour said opt-out cookies are “the primary mechanism by which consumers currently can exercise choice online.” But she asserted that the technology “is fundamentally flawed” and essentially useless. “Cookies are imperfect tools that serve multiple functions, including some never originally intended,” Harbour wrote. “It is unrealistic to rely on an assumption that the opt-out cookie will remain on a user’s computer indefinitely.”

The commissioner noted opt-out cookies are often inadvertently deleted by anti-virus and anti-spyware software being used by consumers. This “throwing out of the baby with the bathwater” is something that likely can be prevented. But Harbour said doing so wouldn’t solve all problems with the current status of opt-out cookie use. “Even assuming that opt-out cookies could be placed permanently on a computer, it is difficult for consumers to find opt-out cookies at all,” she wrote. “They are typically buried in the depths of a privacy notice or, worse, on an unrelated third-party Web site. And when a user successfully locates an opt-out cookie, the cookie frequently does not download properly.”

Harbour said online businesses should get serious about finding better ways to safeguard information. “Rather than continuing to embrace this confusing and unreliable tool, industry should accept the reality that opt-out cookies are inadequate to protect consumer privacy,” she said. “I encourage the technology community, including companies that develop browsers and software utilities, to focus their efforts on developing viable and transparent alternatives.”

Industry Needs To Do A Better Job

FTC Commissioner Jon Leibowitz, who also issued a statement about the staff report, said “the concomitant online tracking and data collection, coupled with inadequate notice to consumers about what information is collected and how it is used, raise critical privacy concerns.” Leibowitz warned online companies that they should not view as permanent the FTC’s resistance, so far, to imposing regulations or recommending legislation.

“I write separately to ensure that the report’s endorsement of self-regulation is viewed neither as a regulatory retreat by the Agency nor an imprimatur for current business practice,” he said. “Indeed, despite a spotlight on E-Commerce and online behavioral marketing for more than a decade, to date data security has been too lax, privacy policies too incomprehensible and consumer tools for opting out of targeted advertising too confounding. Industry needs to do a better job of meaningful, rigorous self-regulation or it will certainly invite legislation by Congress and a more regulatory approach by our Commission.”

Leibowitz praised efforts by some companies to “empower consumers.” He noted some search engines are reducing the amount of time they retain consumers’ personal data and that “Microsoft and other developers of Internet browsers are designing better tools for consumers to control the amount of information they share online.”

The commissioner pointed to parts of the staff report that say self-regulatory principles should be expanded to cover practices involving information that “could reasonably be associated with a particular consumer or computer or other device,” including IP addresses and cookie data.

“The report further clarifies that the principles should apply to information collected outside the traditional Web site context, such as through mobile devices and Internet Service Providers’ ‘deep packet inspection’ to mine data from consumers’ Internet traffic streams for targeted advertising,” he wrote.

Leibowitz said he is “troubled about some companies’ unfettered collection and use of consumers’ ‘sensitive data’–especially information about children and adolescents,” and he pointed out that “some data is so sensitive and some populations so vulnerable that extra protection may be warranted.”

The commissioner said the FTC needs to better understand “if and how companies combine online and offline data to build detailed consumer profiles,” adding that “the possibility that companies could be selling personally identifiable behavioral data, linking click-stream data to personally identifiable information from other sources, or using behavioral data to engage in price discrimination or make credit or insurance decisions are not only unanticipated by most consumers, but also potentially illegal under the FTC Act.”

Leibowitz warned that “a day of reckoning may be fast approaching.” He also said the online industry’s “silence in response to FTC staff’s request for information about the secondary uses of tracking data is deafening. As a result, the Commission may have to consider using its subpoena authority under Section 6(b) of the FTC Act to compel companies to produce it.”

