On February 12, 2009, the Federal Trade Commission (FTC) issued: FTC Staff Report: Self-Regulatory Principles For Online Behavioral Advertising. This document contains guidelines for self-regulation, and, there are indications that if the guidelines are not followed by successful self-regulation, then the FTC will impose binding regulations. Something that most industries don’t wish to see.

Background: Last March, the Interactive Advertising Bureau (IAB) announced that revenue from advertising on the Internet in 2008 surpassed $23 billion in the U.S. It is this ad revenue that in large part allows for the almost universal offering of free content. Therefore, continued strong and increasing revenues from ads is critical to maintaining a free of charge Internet.

Accordingly, the industry is constantly seeking ways to increase ad revenue. One of the most efficient methods is simply to increase the accuracy of the matching of specific ads to people who are most likely interested in those ads. As this accuracy increases, the likelihood that a viewer will click on an ad increases. Therefore, the per impression charges would increase, and more clicks are likely to occur, thereby increasing per-click revenue.

Enter behavioral targeted advertising. The technology is simple. An ad network serves ads. When it serves ads, the network will place one of those “harmless” little cookies on a visitor’s computer. Let’s examine Google, which is the largest ad network, as an example: Google has 1,000s of websites as part of its network. So, when the visitor surfs from one site over to another, which very likely is also part of the Google publisher network, the cookie will indicate the prior site or sites that the person visited. The information that a cookie can contain includes information such as pages and content viewed, the time and duration of visits, search queries entered into search engines, and whether a computer user clicked on an advertisement. Ads will then be served to visitors based upon this tracking information.

Problem: Ok, we recognize that this is a powerful tracking mechanism that can aggregate large quantities of information that many people would not feel comfortable aggregating. However, ad agencies claim that there really is no invasion of privacy or reason to be concerned because no individual is ever identified or associated with the gathered information. The only “identifying” information is the IP address which relates to a single device, but there is no way to connect that to an individual.

In the FTC Staff Report, the FTC does not buy this argument and believes that the gathering of non-personally identifiable information poses privacy concerns. Some of these reasons are:

  • This information can possibly be combined with personally identifiable information gathered from other sources.
  • It may be possible in the near future to actually identify a person from the IP address of their computer.
  • “Common identifiers” between personally identifiable information and non-personally identifiable information might provide a link between the two.
  • Studies indicate that even if individuals cannot be identified, the public is concerned that such tracking occurs.

As far as the FTC is concerned, the issue is not the collection, per se, of such data. Rather the invisibility of the data collection process to consumers (i.e., they don’t know that it is occurring and therefore have no ability to opt-in or opt-out) and the risk that the information collected – including sensitive information regarding health, finances, or children – could fall into the wrong hands or be used for unanticipated purposes.

Some Statistics on Google’s Presence: On June 2, 2009, The New York Times reported on a study released on June 1, 2009 by graduate students at the University of California. That study found that between Google Analytics (a free product that can be installed to allow gathering of statistics on visitor activities) and DoubleClick (owned by Google), Google had cookies present on 92 of the top 100 domains. Also, out of an examination of 400,000 domains, Google’s presence remained high at 88%, the runner up tracking company, StatCounter, only appeared on 7% of the 400 domains! Talk about a 500lb gorilla! Google’s presence on these third party sites derives from Google Analytics, DoubleClick and AdSense. Therefore, as one of the students preparing the study pointed out that even if someone does not go to Google.com, Google is collecting massive data about that person. Google claims that it does not, and does not have the ability to, aggregate the data from these various sources. However, the future capability is certainly within Google’s grasp, if it sought to go there.

Current State: The FTC Staff Report agreed that certain behavioral information gathered does not raise privacy concerns to a level that needs to be covered by the FTC guidelines. These include (1) first party behavioral tracking, which is where a single website tracks behavior only at its site and does not transfer this information to another website, because this is within the expectation of users of websites, and they are aware that it is being tracked, and (2) contextual tracking, where ads are served based upon the web page content, because this is not really tracking and the information is not retained – it is only used for serving the ads at the time the page is being viewed.

Regarding other behavioral tracking, the guidelines “recommend” the following that would apply to all sites where behavioral tracking occurs – which as shown above regarding Google, will apply to almost all websites: (1) sites where behavioral tracking occurs should provide a clear statement that this tracking occurs and allow consumers to choose whether to allow this tracking to occur, (2) security of retained data should take into account the sensitivity of the data (e.g., data on health, finances or children) and data should only be retained as long as necessary to fulfill a legitimate business or law enforcement need, (3) sites should receive affirmative express consent for material changes to existing privacy policies for previously collected data, and (4) companies should collect sensitive data for behavioral advertising only after they obtain affirmative express consent from the consumer to receive such advertising.

Heads Up: FTC Commissioner Jon Leibowitz, in his comment on the FTC Report stated: “Industry needs to do a better job of meaningful, rigorous self-regulation, or it will certainly invite legislation by Congress and a more regulatory approach by our Commission. Put simply, this could be the last clear chance to show that self-regulation can – and will – effectively protect consumers’ privacy in a dynamic online marketplace.” Furthermore, privacy is on the Congressional table. Representative Rick Boucher (D-Va.) has said that he intends to introduce an online privacy bill later this year.