In recent years and at an accelerating pace, technology and market forces have been fundamentally changing the advertising industry through the collection, storage and use of information. One growing industry, “behavioral advertising,” involves the compilation of detailed information about an Internet user’s online activities. Data about how consumers interact with certain sites–which articles they read, which advertisements they click on, the purchases they make, or the length of time they stay on a page, for example–may be collected. The potential breadth and depth of consumer profiles have grown as the largest companies on the Internet have acquired firms that specialize in behavioral data collection. [Editor’s Note: An earlier version of this Policy Post inaccurately stated that an update to NAI’s self-regulatory guidelines was released in 2007 instead of 2008. The current version reflects this change.]
Web sites that supply content to consumers free of charge are often supported by online advertising. These sites–known as “publishers” in the advertising world–make available certain portions of space on their pages to display ads. That space is sold to marketers, ad agencies, or online ad networks that place advertisements into the space. These intermediaries may also make arrangements to collect information about user visits to the publisher pages. Since very few publishers supply their own advertising, when visiting a website a consumer’s computer also connects to one or more ad networks to communicate data about the consumer’s visit and receive advertising on the site.
At their most basic level, online ad networks contract with many different Web site publishers on one side and many different advertisers on the other. Armed with space to display ads on publisher sites and a pool of ads to display, ad networks are in the business of matching the two using the data they collect about consumers’ site visits.
There are many different ways for an ad network to determine how an advertisement should be placed. The two most frequently discussed are “contextual” advertising and “behavioral” advertising. Contextual advertising, which is often used to generate ads alongside search results, matches advertisements to the content of the page that a consumer is currently viewing: a consumer who visits a sports site may see advertisements for golf clubs or baseball tickets on that site.
In contrast, behavioral advertising matches advertisements to a consumer’s interests as determined over time. If a consumer visits several different travel sites before viewing a news site, the consumer might see a behaviorally-targeted travel advertisement displayed on the news page, even though the news page contains no travel content. A traditional behavioral ad network assembles profiles of individual consumers by tracking users’ activities on publisher sites within its network. When the consumer visits a site where the ad network has purchased ad space, the ad network collects data about that visit while serving an advertisement based on the consumer’s profile. While only a small portion of online ads are currently targeted this way, behavioral advertising is a growing segment of the online advertising industry.
Consumers’ behavioral advertising profiles may incorporate many different kinds of data that are not personally identifiable by themselves. Many networks avoid linking profiles to what has traditionally been considered “personally identifiable information” (“PII”): names, addresses, telephone numbers, email addresses, and other identifiers. But as the comprehensiveness of consumer advertising profiles increases, the ability to link specific individuals to profiles is growing. The risk of supposedly non-personally identifying data being used to identify individuals has spurred several ad networks to take extra steps to de-identify or remove personal information from their data storage.
In an effort to compile even more complete profiles, some new ad networks are now turning to the most comprehensive and concentrated source of information about Internet use: the individual Web data streams that flow through ISPs. In this emerging model, an ISP intercepts or allows an ad network to intercept the content of each individual’s Web data stream. An ad network then uses this traffic data for behavioral advertising, serving targeted ads to the ISP’s customers on publisher sites as the customers surf the Web.
CDT Testimony, Privacy Implications of Online Advertising (June 20, 2007)
Behavioral advertising poses a growing risk to consumer privacy. Consumers are largely unaware of the practice and thus are ill equipped to make informed decisions and protect their information. They have no expectation that their browsing information may be tracked and sold. Furthermore, consumers are rarely provided sufficient information about the practices of advertisers or others in the advertising value chain to gauge the privacy risks and make meaningful decisions about whether and how their information may be used.
In most cases, data collection for behavioral advertising operates on an opt-out basis, presuming that consumers wish to participate unless otherwise indicated. Opt-out mechanisms for online advertising are often buried in fine print, difficult to understand, hard to execute, and technically inadequate. Moreover, in most cases, opt-out mechanisms offered for behavioral advertising only opt a user out of receiving targeted ads, but do not opt the user out of data collection about his or her Internet usage.
For behavioral advertising to operate in a truly privacy-protective manner, data collection needs to be limited, data retention limits should be tied to the original purposes for collecting the data, and opt-out must completely remove consumers from the service. Consumers need to be informed about what data is being collected about their Internet activities, how the information will be used, whether the information will be shared with others, and what measures are being taken to ensure that any transfer of data remains secure. They should be presented with this information in a manner that supports making an informed choice, and that choice should be honored persistently over time.
There is also a risk that profiles for behavioral advertising may be used for purposes other than advertising. Behavioral profiles, particularly those that can be tied to an individual, may be a tempting source of information in making decisions about credit, insurance, and employment. The lack of transparency surrounding behavioral advertising makes it difficult, if not impossible, to know whether behavioral profiles are being used for other purposes, and the lack of enforceable rules governing data collection and permissible uses leaves the door wide open for a myriad of secondary uses.
Additionally, because the legal standards for government access to personal information held by third parties are extraordinarily low, these comprehensive consumer profiles are available to government officials by mere subpoena, without notice to the individual or an opportunity for the individual to object. While this has been only a minor issue to date, as advertisers have held less information than other sources, the increased collection and use of data could make advertisers more attractive for government uses.
Concerns about behavioral advertising practices are widespread, in part due to the increasingly sensitive nature of the information that consumers are providing online in order to take advantage of new services and applications. Two data types meriting particular concern are health information and location information.
Personal health data is migrating online through an ever-expanding array of health information and search sites, online support groups, and personal health record sites. Federal privacy rules under the Health Information Portability and Accountability Act (“HIPAA”) do not cover personal health information once it moves online, out of the control of HIPAA-covered entities. Once it is posted online, personal health information may have no more legal protection than any other piece of consumer information. In addition, information provided by consumers that is not part of a “medical record”–such as search terms–may nevertheless reveal highly sensitive information.
The ability to physically locate consumers via mobile devices is spurring location-based advertising targeted to a user’s location at any given moment. Although laws exist to protect location information collected by telecommunications carriers, applications providers are increasingly offering location-based services that fall completely outside of that legal framework. Standards for government access to location information are also unclear, even as law enforcement has shown a greater interest in such information.
For the past eight years, the primary privacy framework for online behavioral advertising practices has been provided by the Network Advertising Initiative (NAI), a self-regulatory group of online ad networks. NAI members agree to provide consumers with notice and, at minimum, a method to opt out of behavioral advertising. They further pledge to use information collected only for marketing purposes. While at the time of their release CDT welcomed the NAI principles as an important first step, we also noted then that there were flaws in the approach that needed to be addressed and that self-regulation was not a complete solution. The Federal Trade Commission (FTC) agreed, concluding in its July 2000 report to Congress that “backstop legislation addressing online profiling is still required to fully ensure that consumers’ privacy is protected online.” This remains true today.
Importantly, the NAI principles only apply to companies that voluntarily join the initiative. The current membership is missing numerous behavioral advertising firms, including key industry players. In addition, measures to ensure compliance and transparency have withered on the vine. To date, the self-regulatory model has failed to provide consumers with meaningful privacy protections with respect to behavioral advertising practices.
In early 2008, the NAI released a draft update to its principles and sought comment on the proposed changes. Although we are pleased the NAI has re-opened its guidelines after eight years, even the updated guidelines remain deficient in many ways. In June 2008, we recommended that the NAI address ISP behavioral advertising, take a new approach to sensitive information, and strengthen its opt-out standard, among other suggestions.
Perhaps as a result of the weaknesses of self-regulation demonstrated during the FTC’s town hall meeting on behavioral advertising in early November 2007, FTC staff recently released its own proposed principles for behavioral advertising self-regulation. While the principles represent a solid step forward, they too have weaknesses that must be addressed. CDT has recommended that the FTC strengthen its proposed transparency and consumer choice principles, and extend those principles to cover ISP behavioral advertising. We also suggested that data retention limits be tied to the purpose for which information was collected, and that the FTC host a workshop to explore the appropriate length of time for retaining behavioral data. We recommended that the definition of sensitive data be expanded to include health and location information, among other kinds of data. Finally, we suggested that more information is needed to understand the secondary uses of behavioral data and how the associated privacy risks should be addressed.
Ultimately, however, we believe that protecting consumer privacy interests in this space will require a rigorous mix of self-regulation, enforcement of existing law, and a new general privacy law backed up by regulatory enforcement. Congress needs to take a comprehensive look at the current and emerging practices associated with behavioral advertising and the risks those practices pose to consumer privacy and control. CDT has recommended that Congress address online privacy risks broadly by enacting a baseline consumer privacy law that would protect consumers from inappropriate collection and misuse of their personal information, both online and offline. In principle, such legislation would codify the fundamentals of fair information practices, requiring transparency and notice of data collection practices, providing consumers with meaningful choice regarding the use and disclosure of that information, allowing consumers reasonable access to personal information they have provided, providing remedies for misuse or unauthorized access, and setting standards to limit data collection and ensure data security.
We also believe that privacy-enhancing technologies have an important role to play. The lack of effective controls and the difficulty that consumers have in exercising choice about their participation in online tracking and targeting was the motivation behind the “Do Not Track” list idea proposed by CDT and nine other consumer and privacy groups. The idea behind Do Not Track is both simple and important: provide consumers with an easy-to-use, technology-neutral, persistent way to opt out of behavioral advertising. Congress should promote this idea and other innovative ways to put consumers in control of their information.
CDT Comments to FTC (4/11/08)