Microsoft Proposes Comprehensive Self-Regulatory Approach for Online Privacy

WASHINGTON — April 11, 2008 —Today, Microsoft Corp. proposed a new structure for self-regulation of online advertising, submitting to the Federal Trade Commission a proposal for a five-tiered system to protect consumers’ privacy. Microsoft’s recommendations call for distinct privacy standards in five key circumstances: when site visitors’ data is collected for online advertising, when ads are delivered on unrelated sites, when sites engage in behavioral advertising, when personally identifiable information is used, and when sensitive personal data is used.

The foundation of Microsoft’s approach is the idea that the greater the potential risk to privacy, the greater the protection. For example, the most stringent tier requires that online advertisers receive affirmative express consent from consumers before they may use sensitive personally identifiable information — such as personal health information — for advertising purposes.

Today’s filing was submitted in response to the FTC’s request for comments on its own proposed self-regulatory principles to govern online advertising. In its comments, Microsoft commended the FTC for its ongoing efforts to protect consumer privacy and recommended that the agency broaden its focus to tackle the full array of online behavioral advertising practices, many of which are unfamiliar to consumers.

“We welcome the opportunity to work with the FTC to ensure that online consumers benefit from meaningful privacy protections,” said Brad Smith, senior vice president, general counsel and corporate secretary, Legal & Corporate Affairs, Microsoft. “Online advertising should put consumers in the driver’s seat, not only with the information they want to see, but also with the tools to protect their privacy.”

The filing’s recommendations reflect Microsoft’s Privacy Principles for Live Search and Online Ad Targeting, industry-leading standards the company adopted in 2007 to promote greater transparency and give consumers increased control over their privacy. Microsoft’s commitment helps protect consumers in the areas of user notice, user control, anonymization, security and best practices.

“Even as consumers value the benefits of online advertising, they may not fully appreciate the role data collection plays in the delivery of online advertising,” Smith said. “Microsoft’s proposed guidelines will help consumers receive relevant and helpful information while helping ensure their privacy is respected.”

In its comments to the agency, Microsoft called for a five-tiered framework that imposes increasing obligations depending on the type of advertising involved:

  • Collecting data about site visitors. Organizations that keep records of page views or collect other information about consumers for the purpose of delivering ads or ad-related services on their own sites should post a privacy policy on the home page, implement reasonable security procedures, and retain data only as long as necessary to fulfill a legitimate business need or as required by law.

  • Delivering ads on unrelated sites. Entities that engage in delivering online ads or services across unrelated third-party sites should ensure that consumers receive notice of the privacy practices of those sites.

  • Behavioral advertising. Entities that seek to develop a profile of consumer activity to deliver advertising across unrelated third-party sites should also offer consumers a choice about the use of their information for such purposes.

  • Use of personally identifiable information. Third parties that rely on personally identifiable information — such as a name, e-mail address, physical address or phone number — for delivering ads or related services across multiple sites or for behavioral advertising should, at a minimum, give consumers the ability to opt out of having personally identifiable information collected for the purpose of targeting ads.

  • Use of sensitive personal data. Third parties should be required to obtain affirmative express consent before using sensitive personally identifiable information — such as health or medical conditions, sexual behavior or orientation, or religious beliefs— for behavioral advertising.

Additional information about Microsoft’s approach to protecting consumers’ privacy is available at http://www.microsoft.com/privacy. The company’s FTC filing can be found at http://www.ftc.gov/os/comments/behavioraladprinciples/index.shtm.

Founded in 1975, Microsoft (Nasdaq “MSFT”) is the worldwide leader in software, services and solutions that help people and businesses realize their full potential.

Note to editors: If you are interested in viewing additional information on Microsoft, please visit the Microsoft Web page at http://www.microsoft.com/presspass on Microsoft’s corporate information pages. Web links, telephone numbers and titles were correct at time of publication, but may since have changed. For additional assistance, journalists and analysts may contact Microsoft’s Rapid Response Team or other appropriate contacts listed at http://www.microsoft.com/presspass/contactpr.mspx.