Inside 1to1:Privacy

Privacy in the online advertising arena

May 1, 2010

If everyone in the online advertising arena hasn't been paying attention to the privacy issues associated with their business, there is reason to assume they soon will be. Recent events have commanded much attention.  

For starters, earlier this month two lawmakers released for review a bill that would regulate certain online behavioral advertising practices. The bill, drafted by Reps. Rick Boucher (D-VA) and Cliff Stearns (R-FL), has been in the works for about a year and comes on the heels of a call by four senators for Facebook to reverse policy changes they say are a detriment to users' privacy. The changes allow advertisers to store Facebook members' profile data beyond the 24-hour term previously in place. At a minimum, said Sens. Charles Schumer (D-NY), Mark Begich (D-AK), Michael Bennet (D-CO) and Al Franken (D-MN), the company should "require users to opt in to allowing third parties to store data for more than 24 hours."

The senators and the Electronic Privacy Information Center (EPIC) have also called on the U.S. Federal Trade Commission to examine the company's recent changes, saying users of the site "need to have the ability to control their private information and fully understand how it's being used."

Meanwhile, the FTC is considering changes to the Children's Online Privacy Protection Act (COPPA) and is currently seeking comments on whether the law's definition of "personal information" should be expanded to include the types of data collected from children online for the purpose of behavioral advertising.

At least one legislator says that if the FTC doesn't make changes to COPPA during its requisite five-year review of its rule, then Congress must. During a recent subcommittee hearing, Senate Commerce Chairman John (Jay) Rockefeller (D-WV) said, "I really think Congress has to take a hard look at whether COPPA should be updated..."

In addition, the Department of Commerce has joined the growing list of Washington interests paying attention to data privacy. Last week the DOC hosted the Privacy and Innovation Symposium to gather public comment on the relationship between U.S. and international privacy regulations and the "information economy."

These latest developments seem to indicate that the issues near and dear to the hearts of advertisers and privacy advocates will continue to be pressed.

Pressing privacy

So what are the issues?

Technological progress and the Web's popularity have collided to offer advertisers and Web publishers an appealing platform for delivering highly targeted advertisements to individuals. Technologies that track Web users' online activity now provide marketers with an unprecedented degree of knowledge about their consumer targets. This allows publishers to fetch unprecedented dollar amounts for ad space.

The personalization possibilities make traditional demographics-based advertising look positively primitive or, in industry parlance, so simple a caveman could do it.

The privacy issues revolve around the tracking that takes place to arm advertisers with information. After all, if someone was walking behind you in the mall, "taking notes on everywhere you went and sending it off to anyone who was interested, for a small fee," most people would be disturbed, suggested U.S. Federal Trade Commission Chairman Jon Leibowitz during a recent interview with National Public Radio's "On the Media" program. But essentially this is what happens with behavioral targeting. Because you visit The Onion daily and often watch Saturday Night Live clips on YouTube, an advertiser knows your predilection for satire and might show you an ad for This is Spinal Tap.

And because one man's privacy is another man's exposé, some will welcome the personalization while others will shudder at it.

This shuddering, the "creepy" factor, as some have described it, is the Achilles' heel of online behavioral advertising.

Industry interests dismiss claims that the practice is creepy, saying that most behavioral advertising methods involve anonymized data, meaning that consumers can be tracked back only as far as their IP address. But there is an ongoing debate about whether an IP address is personal information, and in the "On the Media" interview, Leibowitz said, "I kinda think it is."

If passed into law, the Boucher-Stearns bill would restrict the use and sharing of PII for marketing and advertising purposes.

Overall, and like a good ad, it's sticky.

What's an advertiser to do, standing at the edge of a multi-billion dollar frontier but unable to see whether the land beyond the horizon is viable?

It's new territory, to be sure. Only the boldest have ventured beyond the edge and it hasn't turned out well for some. NebuAd, Inc., whose ISP behavioral targeting methods attracted the attention of privacy advocates and Congress, was early out of the gate but closed its doors before the outcome of a class action lawsuit against it and six of its ISP partners could be determined. Two of those partners are still entangled in separate suits due to their associations with the company.

Clearing the waters

Creepiness aside, in a recent Advertising Age article, Pete Blackshaw wrote that the fuss over privacy lies in "apprehension that marketers will abuse personally identifiable data or the targeting opportunities of behavioral advertising."  

He wrote, "Trust is the currency of effective advertising, and yet it's so curiously evasive and increasingly murky."

The FTC hopes to bring clarity to some of that murkiness by creating principles to guide the data collection, use, and sharing practices of social networks and other Internet sites that collect consumers' data for the purpose of targeted advertising. Informing these guidelines will be the takeaways from the commission's three Internet privacy roundtable events, held in December, January, and March.  

At the recent IAPP Global Privacy Summit, former director of the FTC Bureau of Consumer Protection and partner at Wilson Sonsini Goodrich & Rosati, Lydia Parnes, summarized what she took away from the FTC roundtables like this: "There is a real sense that consumers don't understand what's going on with their data."

On this front there is seemingly positive news.

In recent months, and perhaps in response to FTC and lawmakers' warnings to beef up self-regulatory efforts, online advertising industry partners have stepped things up, creating, among other things, an icon that is intended to improve the way Web sites provide notice to consumers about targeted ads. The attempt is welcome by those who have suggested that some in the industry have been purposely burying privacy details in the fine print. The icon is expected to debut in the coming months.

This and other industry efforts have not gone unnoticed by regulators. During his keynote address at the Cable Show 2010 last week, Leibowitz said he has "great hopes" for industry efforts to more effectively self-regulate. Specifically, he cited proposed guidelines created by online marketers in conjunction with the Better Business Bureau.

Despite this, daily privacy headlines suggest a growing interest, if not impatience, on the part of regulators.

So what should a privacy-forward company be thinking about?

According to Parnes, a 60,000-word privacy document is not what is needed. Instead, privacy-forward companies should create a corporate privacy identity and, once established, "use it to carry out their privacy visions."

-- IAPP Staff