A prior four-part series covered several issues about behavioral advertising (a/k/a behavioral targeting) and privacy, including the FTC request for input from consumers. I'd like to thank the I've Been Mugged readers that submitted input. The final rules governing how behavioral advertising is administered will directly affect consumers' abilities to maintain some privacy on the Internet, and requirements of advertisers to provide clear and adequate opt-in and opt-out mechanisms.

On July 9th, Lydia Parnes, the Director of the Bureau of Consumer Protection at the Federal Trade Commission (FTC), issued a statement before the U.S. Senate Committee on Commerce, Science, and Transportation. Some highlights of the statement:

"I appreciate the opportunity to appear before you today to discuss the Commission’s activities regarding online behavioral advertising, the practice of collecting information about an individual’s online activities in order to serve advertisements that are tailored to that individual’s interests. Over the past year or so, the Commission has undertaken a comprehensive effort to educate itself and the public about this practice and its implications for consumer privacy. This testimony will describe the Commission’s efforts..."

Note this very industry-friendly conclusion:

"The Commission’s examination of behavioral advertising has shown that the issues surrounding this practice are complex, that the business models are diverse and constantly evolving, and that behavioral advertising may provide benefits to consumers even as it raises concerns about consumer privacy. At this time, the Commission is cautiously optimistic that the privacy concerns raised by behavioral advertising can be addressed effectively by industry selfregulation."

I added the bold italic highlighting for emphasis. Also, I found the following description of how behavioral advertising works in Parnes' statement particularly interesting:

"In many cases, the information collected is not personally identifiable in the traditional sense – that is, the information does not include the consumer’s name, physical address, or similar identifier that could be used to identify the consumer in the offline world. Many of the companies engaged in behavioral advertising are so-called “network advertisers,” companies that serve advertisements across the Internet at websites that participate in their networks. An example of how behavioral advertising might work is as follows: a consumer visits a travel website and searches for airline flights to New York City. The consumer does not purchase any tickets, but later visits the website of a local newspaper to read about the Washington Nationals baseball team. While on the newspaper’s website, the consumer receives an advertisement from an airline featuring flights to New York City. In this simple example, the travel website where the consumer conducted his research might have an arrangement with a network advertiser to provide advertising to its visitors."

This example included some relatively harmless information. Replace "travel" with "financial" or "medical" and it can be a very different discussion. Do you want companies collecting information about very personal medical conditions? Or an embarrassing financial situation? And, given the large number of continuing corporate data breaches, companies, ISPs, and advertisers haven't earned consumers' trust to adequately protect the information collected via behavioral advertising. A data thief or criminal could use stolen behavioral advertising information in very damaging ways.

Parnes did mention Facebook's privacy problems and the AOL data breach in 2006, which highlighted several privacy concerns:

"Recent high-profile incidents where tracking data has been released have magnified consumers’ concerns. In August 2006, for example, an employee of internet service provider and web services company AOL made public the search records of approximately 658,000 customers. The search records were not identified by name, and, in fact, the company had taken steps to anonymize the data. By combining the highly particularized and often personal searches, however, several newspapers, including the New York Times, and consumer groups were able to identify some individual AOL users and their queries, challenging traditional notions about what data is or is not personally identifiable."

The FTC's statement did not go far enough. Parnes soft-pedaled some of the issues. She should have mentioned privacy concerns regarding newer technologies like deep packet inspection, used by some ISPs, which would render the traditional browser cookie method obsolete.

And much of Parnes' statement about the proactive role by the FTC covered either offline efforts from 2006 (e.g., the Do Not Call list, workshops held in 1999), or old issues from the 1990's. Technologies used on the Internet change every few months. What worked in the 1990's or even in 2002 is largely obsolete today.

Parnes said this about the FTC's proposed industry-friendly self-regulatory principles:

"The purpose of the proposed Principles is to encourage more meaningful and enforceable self-regulation... the staff proposal identifies four governing principles for behavioral advertising. The first is transparency and consumer control: companies that collect information for behavioral advertising should provide meaningful disclosures to consumers about the practices, as well as choice about whether their information is collected for this purpose. The second principle is reasonable security: companies should provide reasonable security for behavioral data so that it does not fall into the wrong hands, and should retain data only as long as necessary to fulfill a legitimate business or law enforcement need The third principle governs material changes to privacy policies: before a company uses behavioral data in a manner that is materially different from promises made when the data was collected, it should obtain affirmative express consent from the consumer... The fourth principle states that companies should obtain affirmative express consent before they use sensitive data – for example, data about children, health, or finances – for behavioral advertising."

When I read these principles I think of the privacy policy updates I often receive from banks and other companies I do business with. The policy is often inserted in the billing envelope, and it is a booklet printed in small type that is word dense and many pages long. An intimidating read. I wonder how many consumers read these.

Notice to consumers about behavioral advertising has to be far easier to read and more convenient. It also has to be presented where relevant, not buried in some larger booklet in small font type. It should be presented both in print and at the advertiser's Web site. And it should be presented online whenever the user is completing a transaction at that advertiser's web site (e.g., paying a bill, signing up for a service, enrolling in a loyalty program, etc.). The behavioral advertising program default for consumers should be opt-out and any opt-in or opt-out buttons should be large, conspicuous, and easy to read. The FTC is leaning towards an opt-in program default.

Otherwise, there are no self-regulatory rules for advertisers and it is effectively a free-for-all... free swim like in summer camp. I hope that you will download and read the complete FTC statement about behavioral advertising (Adobe PDF format).


