Center for Democracy and Technology
Working for Democratic Values in a Digital Age
Policy Post 13.11, August 08, 2007

A Briefing On Public Policy Issues Affecting Civil Liberties Online from The Center For Democracy and Technology

Privacy Initiatives Key to Addressing Behavioral Targeting Concerns

(1) Privacy Initiatives Key to Addressing Behavioral Targeting Concerns

(2) Behavioral Targeting Concerns Have Mounted With Increased Consolidation

(3) Merger Reviews Are Helpful but Insufficient to Address Broader Industry Issues

(1) Privacy Initiatives Key to Addressing Behavioral Targeting Concerns

In response to mounting concerns relating to Internet privacy and "behavioral targeting," some of the world's largest Internet companies have announced competitive new privacy initiatives aimed at giving users greater control and stronger assurances that their personal data is being appropriately managed. That Internet companies are beginning to compete to provide better and more extensive privacy protections is great news for users, who will hopefully be faced with an ever-widening array of choices in how they manage and control the information they share over the Internet. Competitive, market-driven privacy solutions are a key component of a multi-pronged effort to bring privacy standards up to date with modern technology. If properly coupled with federal consumer privacy legislation and aggressive user education, these initiatives should begin to tip control over personal data back where it belongs -- in the hands of users.

Spurring recent concerns about privacy in the Internet search arena has been a renewed focus on "behavioral targeting": the common practice among search companies of collecting information about users in order to serve them more relevant advertisements. As these companies increase their product lines to include e-mail, chat, maps, and other tools, they gain access to ever-growing amounts of potentially sensitive personal data. This glut of data can be used to develop highly detailed profiles of users, which in turn can be used to serve them highly focused advertising. Some consumers find the very fact of this highly targeted advertising discomforting, while others see it as helpful and useful, but in any case users stand to benefit from clear notice and greater choice regarding the collection, storage and use of their personal data.

With no federal law governing how customer information can be used, it has fallen to companies to draft their own privacy guidelines. From a privacy perspective, industry self-regulation is only a partial solution and is unlikely to ever provide strong enough safeguards by itself. Congress must enact a federal consumer privacy law that establishes baseline legal standards across industries. Legal and regulatory efforts are important in their own right and can help to spur greater self-regulation on the part of companies. For instance, one key factor behind the recent string of privacy-oriented changes in the search market was mounting pressure applied by European regulators. Still, the recent privacy announcements by leading search companies show how marketplace competition can help to provide consumers with more robust options for protecting their own privacy.

Until recently, search providers had the same basic policy on search logs, which is to say that they kept them -- and their associated IP and cookie information -- for as long as they felt they were useful. That has changed with several recent developments:

  • Ask.com announced a new tool that allows users to request that Ask not retain any of their search queries -- the only tool of its kind among the major search engines. For search query logs that Ask does retain, specific user information (IP addresses and cookie identifiers) will be deleted after it has been stored for 18 months.
  • Google has decided to limit the lifetime of its cookies to two years, causing them to expire on the computers of users who do not visit the search engine for two years. Google will also partially obscure IP addresses and cookie identifiers in its search logs after they have been stored for 18 months.
  • Microsoft has announced that it will remove all IP addresses and cookie identifiers from its search logs after 18 months, and will store search logs separately from account information (name, email address, or phone number).
  • Yahoo will soon announce a new policy to delete portions of IP addresses and cookie identifiers in its search logs after 13 months. After 13 months Yahoo will also apply a personal information filter to remove names, social security numbers, addresses, telephone numbers, and other personal information from its search logs. Yahoo plans to limit the lifetime of its cookies to two years.

All of these proposals are a welcome early step toward placing control of sensitive information back into the hands of users, limiting the risk that consumers' personal data will be misused, lost, stolen or otherwise compromised.

CDT Report on Search Privacy

(2) Behavioral Targeting Concerns Have Mounted With Increased Consolidation

"Behavioral targeting" involves the compilation of detailed information about an Internet user's online activities. These profiles may include lists of the Web sites that consumers visit, including e-commerce, news, entertainment, and financial services sites. Data about how consumers interact with certain sites -- which advertisements they click on, the purchases they make, or the length of time they stay on a page, for example -- may also be collected. This information is obviously a treasure trove for marketers, but it is also available to government officials armed with a mere subpoena, and to civil litigants. It can be used not merely to target advertisements, but to make decisions about people that may affect access to credit, insurance, employment and other vital services.

In November 1999, DoubleClick announced that it would merge with the market research firm Abacus. With the Abacus information, DoubleClick planned to tie the offline habits of individuals with their online behavior. The announcement raised major privacy concerns. Some advocates filed a complaint with the FTC on the merger. CDT launched a campaign urging Internet users to write to DoubleClick's content partners to raise concerns about these practices. The pressure from privacy advocates eventually led DoubleClick to back away from the plans to merge the data and began the creation of a self-regulatory settlement with the FTC called the Network Advertising Initiative (NAI).

For years after the NAI settlement, companies did not make public wholesale attempts to track users beyond the sites with which they partnered. Starting in 2003, adware companies began to fill this void through the use of invasive applications that needed to be installed on users' computers separately from their Web browsers. Because the software was located on the end user's machine, it could record the user's entire browsing history and use this information to create profiles for targeting ads. This information could be made available not only to the adware makers, but to their affiliates in the advertising space. Indeed, many of the advertisements delivered through adware involve a long chain of partners -- ad networks, ad serving platforms, and affiliate networks -- all of which gained access to these valuable behavioral profiles.

The larger trend, however, is towards the creation of these profiles without the use of separate software. Consumers are increasingly using technologies such as Web search and Web-based email. Often the same companies that provide search services and store emails -- which can be personally identifiable in many cases -- are also engaged in behavioral targeting. With the convergence of Internet, broadcast, cable, and telephone networks, targeting information is also being used more often across contexts -- data collected on the Web might be used to target ads on cable television or satellite radio, and databanks of information collected offline can be combined with online information, all without the knowledge of consumers.

These practices have gained new attention in recent months as the industry has begun to undergo a wave of consolidation. No fewer than five major mergers and acquisitions have been announced since April:

  • Google announced its intended merger with online advertising powerhouse DoubleClick, Inc.
  • Yahoo acquired ad firm RightMedia.
  • Microsoft announced its decision to acquire online ad service provider aQuantive.
  • WPP Group, a large ad agency, announced its proposed merger with online ad company 24/7 Real Media.
  • AOL indicated its intent to acquire Tacoda, a company specializing in behavioral targeting.

Although each of these mergers may have different implications for consumer privacy, they all have the potential to unite previously disparate sets of information into detailed profiles of individual Internet users. Advertising service providers have the ability to gather data about individual Internet users as they travel across many of the Web's most popular sites. Search engines have long been able to track users within their search pages and compile profiles based on users' search queries. The combination of these two information sources -- plus data generated through email, chat, and other services that are increasingly offered by the search companies -- yields an unprecedented amount of user information in the hands of Internet companies.

(3) Merger Reviews Are Helpful but Insufficient to Address Broader Industry Issues

Several of the mergers highlighted above are undergoing some form of review by Federal Trade Commission officials. Because public information about how companies engage in behavioral targeting is currently lacking, CDT is encouraging the FTC to require merging companies to disclose, in writing, what their data integration and privacy practices will be. CDT also believes that the FTC has the authority to impose consumer protection-based conditions on the mergers as necessary.

Although these steps are important in the merger review context, they do not provide the necessary industry-wide analysis of the privacy implications of behavioral targeting. The recent mergers have thankfully brought attention to the behavioral targeting issue, but the focus should be on the industry as a whole rather than individual companies. Consumers, advertisers, and technology companies would all benefit from jointly re-visiting the issue.

After five years of experience with the NAI guidelines and a host of technical and business developments in online advertising, we believe it is high time to re-evaluate the privacy protections that are currently in place. One of the seminal requirements of the guidelines -- providing the ability for users to opt out of behavioral targeting -- has been largely implemented through a mechanism ("opt-out cookies") whose robustness and ease of use leave much to be desired. Even with a more robust opt-out mechanism, questions remain about its functionality in the current environment given the quantity and detail of user data that can now be collected. Technologies developed since the adoption of the guidelines allow both increased profiling and tracking capabilities and increasingly granular user control, all of which deserve fresh consideration.

Earlier this year, CDT wrote a letter to FTC Commissioner Thomas Rosch outlining the topics for a potential FTC workshop on this issue. CDT believes this would be the best way to generate industry-wide discussion about the privacy issues associated with behavioral targeting and the status of the NAI. The FTC announced earlier this month that it would host a two-day "Town Hall Meeting" in November to address online profiling and behavioral targeting.

FTC Town Hall Meeting

Rosch letter
