Monday's post discussed the benefits of behavioral advertising, and the proposed rules by the FTC. Tuesday's post listed the leading companies that collect consumer data for behavioral advertising. Wednesday's post discussed the growing role of ISPs in behavioral advertising and the new technologies being deployed.
So, what next?
For me, my first concern is data security. 2007 was a record year for corporate data breaches. The number of incidents rose 40% -- where companies either "lost" or had stolen records about their employees, former employees, retirees, contractors, and/or customers. And this includes data only from the data breach incidents we know about. It does not include incidents from companies in states that lack breach notification laws. It does not include incidents of identity fraud during a crime.
"In its December 24 report, the ITRC said that there were publicly reported 443 breaches in the U.S. in 2007. In 2006, the ITRC identified 315 publicized breaches. Some 127 million data records were exposed during 2007. In 2006, nearly 20 million records were exposed. In 2005, there were 158 breaches reported involving about 65 million records."
Given this lousy track record of data security, I fully expect companies to continue to "lose" -- and criminals to continue to steal -- confidential data via data breaches. Why? Nothing has changed to alter past history. There is a lack of government oversight. There are no substantial penalties. And many companies just don't provide good data security.
This means that many of the future data breaches will include consumers' sensitive data collected during behavioral advertising programs. Given this, it seems sensible for the FTC to craft behavioral advertising rules that acknowledge poor corporate data security:
- For behavioral advertising/targeting programs, companies (including advertisers and ISPs) should include the default as all consumers opted out. Consumers should be given the option to opt-in to a companies behavioral advertising program
- The behavioral advertising rules for companies, advertisers, and ISPs must specify an exhaustive list of consumer data that's collectible and sensitive personal data excluded
- Web sites designed for primarily for children (e.g., age 17 and under) should be excluded from any and all behavioral advertising. Children don't have the means to handle opt-in/out for behavioral advertising programs. Ideally, parental controls software should provide parents with the tools to prevent opt-in by their children at all children's web sites
- There must be clear, minimum standards for companies for data security of the personal data collected for behavioral advertising programs
- There must be specific time limits for how long companies can archive personal data collected for behavioral targeting. "Forever" is not an acceptable answer. Consumer data should be purged at three (3) year intervals
- There must be specific rules for ISPs, since ISPs have a unique position providing Internet access for consumers. ISPs must treat their members' IP Address as sensitive personal data similar to a Social Security Number or e-mail address. ISPs should never match personal-identifying data (e.g., name, address, phone #, e-mail address, cell #, fax #, SS#, birth date, driver's license #, etc.) to behavioral advertising data
- The rules must include timely disclosure to consumers when a company, advertiser, and ISP: a) starts a behavioral advertising program; b) modifies an existing behavioral advertising program; c) trades behavioral advertising data with other companies; and d) merges or acquires other companies, within the USA or globally. These rules must apply to the entire company, not just its US-based divisions. It should also apply to business units, divisions, contractors, or outsourcing firms based outside the USA
- Medical data should be excluded from all behavioral advertising programs for a couple reasons. First, many consumers consider this highly sensitive data not to be shared under any circumstances. Second, let's "walk first before we run." That is, let's see how behavioral advertising performs with other types of available consumer data first, before deciding whether to extend it to medical information
- The FTC must publish a clear, detailed plan about how it will implement oversight to monitor compliance and penalize violators
- The behavioral advertising rules must include clear, strong penalties for companies, ISPs, advertisers, and their senior executives for violators. I'd like to see fines starting at $10,000 per consumer record and jail time for fines exceeding $250k
- Violators (e.g., companies, ISPs, and advertisers) must provide consumers with ten (10) years of free credit monitoring and credit restoration after a data breach
Why these rule amendments? If you have read the I've Been Mugged blog, then you know about the issues related to data breaches, data security, and corporate responsibility. Unfortunately, the American business is heavily tilted towards companies making money with consumers' personal data, and tilted away from strong protections for consumers when companies suffer a data breach. I'm concerned that behavioral advertising will make this worse.
All of the above rule amendments address the corporate data breach problems I've experienced. The rule amendments allow companies to profit from behavioral advertising and hold these companies accountable when they don't provide the data security programs they should.
For me personally, the assumed benefits of behavioral advertising (e.g., free content, relevant ads, personalized ads, and a promised reduction in the number of ads) do not outweigh the privacy I would give up. Maybe the benefits are enough for you, but they aren't enough for me. Where I surf on the Internet is my business unless I decide explicitly to tell somebody else.
If you feel the same or different, share your comments below. I'd love to hear why you feel the way you do. If you have sent feedback to the FTC, share that too.
As I mentioned before, the FTC seeks comments from the public (that's us consumers!) about its proposed behavioral advertising rules. The FTC has extended the deadline for submissions to April 11, 2008. Comments can include any concerns you have, changes you fell are necessary to the FTC's proposed rules, the types of consumers' personal data you believe should be considered sensitive, and anything else you feel is relevant. See Monday's post for the specific types of feedback the FTC seeks.
You should send comments and feedback to the FTC at:
Federal Trade Commission
Room H-135 (Annex N)
600 Pennsylvania Avenue, NW
Washington, DC 20580
Or, you can also submit comments and feedback to the FTC online via BehavioralMarketingPrinciples@ftc.gov. Some public comments are already available for viewing online at the FTC web site.