Data, data, data
Any time companies collect data about individuals, it makes sense to question what the impact on privacy might be. Behavioral advertising involves the compilation of detailed information about your online activities. As the advertising industry undergoes a wave of consolidation, ad networks are getting bigger and broader, with the ability to collect data about you on all kinds of Web sites and from all sorts of services. And with Internet Service Providers (ISPs) entering the mix, ad networks could potentially have a window into all of your online activity, including visits to political, religious, and non-commercial sites (which traditionally haven’t been included in Web-based ad networks). Depending on how behavioral advertising data is collected, used, and shared, it may have an impact on your privacy.
A behavioral profile that an advertising company creates about you may incorporate many different kinds of data that are in and of themselves not personally identifiable. Many ad networks avoid linking profiles to names, addresses, telephone numbers, and email addresses. However, as consumer advertising profiles become more detailed, the ability of advertising companies to link specific individuals to profiles is also growing. There have been cases where supposedly "non-identifying" or "de-identified" data was correlated back to specific people. The risk of supposedly non-personally identifying data being used to identify individuals has spurred several ad networks to take extra steps to de-identify or remove personal information from their data storage, but not every advertising company has followed suit.
At the same time, some companies are creating profiles that intentionally tie online data to personally identifiable information. For example, data collected about you by an online store may permit an advertising profile to be tied to your email account. Offline data about people’s home values, education levels, or catalog subscriptions may also be merged with online profiles. For years, data aggregation companies have maintained profiles about consumers based on information gleaned from public databases like property and motor vehicle records, as well as records from sources like catalog sales and magazine subscriptions. These data companies are now also entering the online advertising business, potentially allowing the linking of online and offline profiles.
Uses besides advertising
There is also a risk that profiles created for behavioral advertising may be used for purposes other than advertising. For example, ad networks that focus on something called "re-targeting" may already be using profiles to help advertisers charge different Internet users different prices for the same item. Behavioral profiles, particularly those that can be tied to an identifiable individual, may also be a tempting source of information for companies making decisions about people’s credit, insurance or employment. Right now we don’t really know whether behavioral profiles are being used for these other purposes, but we do know that there aren’t strong laws or regulations around what can and cannot be done with the data collected for behavioral advertising. This leaves the door open for uses other than advertising.
The legal standards for government access to personal information held by companies are also extraordinarily low. Because of this, it isn’t too difficult for the government to obtain behavioral advertising profiles from the companies that create them. With the law the way it is now, individuals may not even be provided with notice or an opportunity to object when the government requests information about them from advertising companies. Civil litigants raising challenges in court (think divorce lawsuits) may also be able to easily gain access to the behavioral advertising data held by companies.
The potential privacy impact of behavioral advertising is also becoming more complex because of the increasingly sensitive nature of the information that Internet users are providing online in order to take advantage of new services and applications. Two data types of particular concern are health information and location information.
Increasingly, Internet users are disclosing personal health data to an expanding array of health information and search sites, online support groups, and personal health record sites. While a U.S. privacy law protects health data when it’s held by doctors, hospitals, and their associates, this law does not cover personal health information once it moves online and out of the traditional health care context. It is not clear how much personal health data is being collected for behavioral advertising,but limits on the practice – both in the law and in privacy standards agreed to by the advertising industry – are far fewer than you might expect. If this data escapes from the hands of an advertiser, it may be revealed in embarrassing ways.
Location information is another highly revealing category. As technologies converge and Internet services are provided over cellular phones and other mobile devices, the ability to physically locate consumers is spurring location-based advertising, targeted to where a person is at any given moment. Plans to incorporate location information into behavioral advertising are still in development. Although laws exist to protect location information collected by phone companies, other kinds of companies are increasingly offering location-based services that fall completely out of that legal framework. Standards for government access to location information are also unclear, even as law enforcement has shown a greater interest in such information.
Part of the privacy threat posed by behavioral advertising is the fact that it happens largely under the radar. Most Internet users don’t know that behavioral advertising is happening, and when they find out, they aren’t very pleased. In several recent studies, the majority of people surveyed said they were not comfortable with online companies using their browsing behavior to target ads and content even when they were told that the advertising supports free services. It seems unlikely that these people understood that this type of ad targeting is already taking place online all the time every day.
For more information about online privacy generally, see CDT’s Guide to Online Privacy.