With legislators once again raising consumers' fears about their online privacy, the industry needs to prepare for possible fall out.
For several years, websites, ad servers and marketing companies have been tracking the online activity of millions of internet users. These companies compile and analyze this information, and then use it to help advertisers deliver ads to those most likely to be interested in their product or service. Most consumers may not have been aware that their online activities were being monitored and analyzed -- until now.
Consumer and privacy groups are challenging online targeted advertising, usually claiming that websites and advertisers should not be able to track online activity without providing notice to consumers and getting consumers' consent. Privacy advocates are also worried about the possibility that companies will combine anonymous online data with personally identifiable data, which seems increasingly likely as more marketing and database companies merge.
Currently and generally speaking, the use of targeted advertising online does not violate any privacy laws in the United States, except in the following circumstances: It involves the collection of personal information about children under 13 without parental consent; it violates a site's own privacy promises to its users; or it involves the use of spyware. However, the Federal Trade Commission, state lawmakers and consumer groups are closely watching this issue and are proposing changes to the regulatory landscape.
History in the making
In late 2007, the FTC hosted a town hall meeting to discuss privacy and online targeted advertising, and one of the FTC commissioners who spoke at the meeting suggested that the parties involved in targeted advertising provide better information about their practices and meaningful choices for consumers and consider using standardized privacy policies and shorter notices.
A few weeks after the town hall meeting, the FTC issued proposed privacy guidelines for online targeted advertising, and called for comments from consumer and business groups as to the appropriateness and feasibility of the principles. The FTC's guidelines propose that:
- Every website where data is collected for online targeted advertising should provide a clear, consumer-friendly and prominent statement that data is being collected to provide ads targeted to the consumer and give consumers the ability to choose whether or not to have their information collected for such purpose.
- Any company that collects or stores consumer data for online targeted advertising should provide reasonable security for that data and should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.
- Companies should obtain "affirmative express consent" to collect and use "sensitive data" for purposes of targeting advertising. "Sensitive data" is not defined in the proposed principles but would include, at a minimum, information about health conditions, sexual orientation and children's online activities.
Also in 2007, several privacy groups filed a petition with the FTC requesting, among other things, that the FTC consider establishing a "do not track" registry, similar to the federal "do not call" registry that prevents telemarketers from calling those phone numbers on the list.
Most recently, at least two states -- New York and Connecticut -- proposed bills that would establish rules and privacy policies with respect to how third party online advertisers collect and disseminate online activity data of consumers. The bills, New York Assembly Bill 9275 and Connecticut House Bill 5765, would require that consumers be given adequate notice of how third party advertisers operate as well as a clear and conspicuous mechanism on websites for consumers to opt-out of online preference marketing. The bills also would prohibit the merging of anonymous online data with personally identifiable data without prior consent.
Social networks elevate privacy concerns
Online targeted advertising has also moved to social networking sites, perhaps raising the profile of the practice. Social networking sites have the opportunity to collect vast amounts of information about their members; some of this information is supplied by members themselves in the form of their user profile, which might list their name, age, hometown, college, marital status, job, hobbies, religious or political affiliation, and other interests, while other information can be obtained by tracking a member's social connections within the site and tracking the member's online activities anywhere on the internet.
One of the most popular social networking sites, Facebook.com, announced in November, 2007 that it was launching two new targeted advertising programs called Beacon and SocialAds. Advertisers who participated in the SocialAds program could deliver ads to Facebook members that were tailored to the information contained in their profiles, while the Beacon program collected information about Facebook members' online activity on other participating websites and sent that information to the members' "friends." For example, when the program initially launched, when a Facebook member made a purchase or rated a product on one of the participating websites, a notice appeared telling the Facebook member that this information would be transmitted to his or her friends unless the member opted-out of that particular transmission. If the member did not opt-out or took no action, the information was transmitted to the other Facebook members listed as friends.
Advertisers liked the feature because it provided many of the same benefits as viral marketing: If a user bought a product or a movie ticket, this information was transmitted to the user's friends, which could be seen as a kind of endorsement of the product. In addition, advertisers could display an ad for the product that was the subject of the purchase information when that information was transmitted to the members' friends.
Complaints about the Beacon program began almost immediately. Facebook users and privacy groups complained that Facebook users were not able to opt-out of the feature completely; that it was not clear which websites were participating in the program; that the notice telling a user that the information was about to be transmitted was not clearly visible and did not stay visible for enough time, and that Facebook did not adequately explain the Beacon program to its members. Just one month after the launch of Beacon, Facebook announced changes to the plan so that information is not sent to a member's friends unless he or she opts-in each time the notice is displayed and the notice will be displayed for a longer amount of time.
Targeted advertising is appealing to advertisers because it is designed to ensure that ads will be seen by those most interested in seeing them. But targeted advertising is likely to continue to come under scrutiny unless it incorporates two important elements in U.S. privacy law: notice and choice.
Moreover, although the FTC's proposed principles do not have the force of law, they are a clear signal of the FTC's interest in online targeted marketing, and marketers and advertisers would be well-advised to consider the application of the principles to their own practices moving forward. The FTC has made it clear that it will continue to monitor this issue and may bring enforcement actions against companies engaged in online targeted advertising that are violating federal privacy or consumer protection laws. In addition, if New York and Connecticut are successful in enacting their pending laws, these laws will have an enormous impact on advertisers' current practice, if they survive likely court challenges.
Copyright 2008. iMedia Communications, Inc. (www.imediaconnection.com) is a trade publisher and event producer serving interactive media and marketing industries.