The Government’s Role in Online Advertising Privacy|
On June 14, 1999, the first big internet privacy storm began. DoubleClick announced to the world its plan to combine consumer information collected online with personally identifiable information (PII) through its acquisition of Abacus Direct.
The government responded swiftly: by February of the next year, the Federal Trade Commission (FTC) had opened an investigation into DoubleClick’s privacy practices. Although the ad network quickly reversed its position, the investigation ignited a firestorm of scrutiny from consumer advocates, media, and legislators regarding data collection practices on the Web.
In the decade and a half since, the FTC and other organizations have introduced initiatives and legislation in defense of consumer privacy. While some of these laws have translated to change, the government’s role in the consumer privacy debate remains in question.
What’s the Problem?
Advertising is more laser-focused than it’s ever been, thanks to the advent of online behavioral advertising (OBA). Companies using OBA track how consumers interact with sites, then act on that data to provide customers with more targeted appeals.
With OBA, consumers receive a “cookie” from every site they visit so that the site can remember their preferences when they come back. However, cookies can also be exchanged with advertising networks to deliver more targeted ads based on non-personally identifiable information (non-PII). Advertisers don’t know who someone is specifically (i.e. James Smith at 1234 Main Street), but they know enough to serve an ad that matches a consumer’s interests.
Although cookies don’t identify customers by name, assigning them a “hash” of numbers and letters, each disparate data point collected can be used to construct a consumer’s online identity. As former Atlantic contributor Alexis Madrigal explains:
“While that information [tracked by cookies] may not be stored by both companies, i.e. it’s not added to a user’s persistent file, it means that the walls between online data selves are falling away quickly. Everyone can know who you are, even if they call you by a different number.”
Companies can home in on who customers are based on zip codes, income, job title, education, and more. In fact, The Wall Street Journal found that a person can be identified by just 33 pieces of information.
This degree of insight into consumers’ lives has brought with it a growing interest in online privacy. Consumers, customer advocates, and even some companies have fought for consumers’ right to privacy online, with varying degrees of success. But change hasn’t happened overnight.
Making the Rules
- Conduct a public information campaign consisting of 300 million banner ads
- Refrain from merging online data with Abacus data until industry standards were decided on
- Purge customer data after three years
- Be subjected to an annual compliance review
In the years that followed, regulatory bodies drafted rules and regulations outlining how to use OBA, as DoubleClick had, ethically and responsibly. In February 2009, the FTC proposed the “Self-Regulatory Principles for Online Behavioral Advertising,” calling for transparency, security, and consent. In 2010, the Digital Advertising Alliance (a group of the nation’s largest media and marketing associations, with support from the council of Better Business Bureaus) created seven guiding principles that corresponded with that proposal by the FTC. They included education, transparency, and data security.
But the FTC was just getting started. In 2010, they continued their efforts to protect consumer privacy and called for a “Do Not Track” feature in a preliminary report. The report outlined how to approach OBA, saying, “[t]he most practical method of providing uniform choice for online behavioral advertising would likely involve placing a setting similar to a persistent cookie on a consumer’s browser and conveying that setting to sites that the browser visits, to signal whether or not the consumer wants to be tracked or receive targeted advertisements.”
As of 2016, no Do Not Track feature has been implemented, but consumers do have the ability to choose which ads they want to see with AdChoices (or by using increasingly popular ad blocking software, discussed below). AdChoices was created in 2010 by multiple advertising organizations but is enforced by the DAA. Ads served by participating organizations display an icon in the top right corner, that, when clicked, takes consumers to a page where they can stop seeing ads from those organizations.
But has any of this legislation made an impact? In 2012 the White House, Secretary of Commerce, and Chairman of the FTC recognized the DAA for leadership in providing consumers with online advertising privacy, transparency, and choice. But, on February 23, 2012, President Obama made the following statement regarding the newly drafted Consumer Privacy Bill of Rights (CPBR):
“Never has privacy been more important than today, in the age of the Internet, the World Wide Web and smart phones. In just the last decade, the Internet has enabled a renewal of direct political engagement by citizens around the globe and an explosion of commerce and innovation creating jobs of the future. Much of this innovation is enabled by novel uses of personal information. So, it is incumbent on us to do what we have done throughout history: apply our timeless privacy values to the new technologies and circumstances of our times.”
The Consumer Privacy Bill of Rights also noted that members of the Digital Advertising Alliance have agreed to comply when consumers choose to opt out of tracking. The bill proposed that this commitment would be legally binding and could be enforced by the FTC. At that time, the White House intended to work with Congress to codify the CPBR, which never transpired. (However, in May 2014, the White House expressed its belief that the arrival of big data, along with IoT, challenges certain concepts underlying the CPBR, such as notice and consent. As a result, the Big Data Report recommended that any renewed legislative effort to implement the CPBR consider the impact of “big data developments” and the practical limits of existing privacy principles in the big data context).
Breaking the Rules
Creating the laws and guidelines was one thing; enforcing them was quite another. Responsibility to enforce the principles was assigned to the Online Interest-Based Advertising Accountability Program and the Direct Marketing Association. But in 2013, as the Accountability Program was monitoring compliance activities, it found that a significant minority of website operators were not in compliance with the Transparency Principle by omitting notice of data collection.
In November of 2013, the Accountability Group opened a formal inquiry into BMW and Scottrade, Inc. They found that both BMW and Scottrade allowed third-party data collection for OBA, but did not meet the notice and choice obligations of the Transparency and Consumer Control Principles. The two companies quickly made their websites compliant with DAA standards.
The Accountability Program has since issued a global compliance warning to first parties to provide website enhanced notice on every page third parties are permitted to collect information or from which collected data is transferred to unrelated third parties. They warned that it would begin enforcing against first parties that fail to provide notice under the OBA Principles beginning January 1, 2014.
Online advertisers weren’t the only ones under scrutiny—by September 26, 2014 the FTC had sent warning letters to more than 60 national advertisers regarding the inadequacy of disclosures in their television and print ads. So what does that have to do with online advertising? Reed Freeman, one of the leading lawyers in the privacy debate and a key player in getting the DoubleClick FTC investigation dismissed, believes that disregard of disclosures could be a “warning shot across the bow” that could signal law enforcement actions to come.
Freeman expects the FTC may well follow this group of warning letters with a series of enforcement actions, as it did in 1996 against a number of auto manufacturers for the mouse print in their leasing ads. (The FTC followed up with Mazda in 1999, alleging that it failed to abide by the FTC’s stipulated order on proper disclosures, settling for $5.25 million).
Freeman also speculates that the FTC’s focus on television and print ads does not mean that other forms of advertising get a pass; the FTC is equally concerned about disclosures that appear in other media, such as online and on mobile devices. Still, some web users are circumventing disclosures and advertising altogether with ad blockers.
Ad blockers surged to the front of the consumer privacy debate in 2014, allowing consumers to stop ads from ever displaying by targeting the technology they run on. In the U.S., ad blocking usage increased by 48% between 2014 and 2015, with more than 45 million users by mid-2015.
Consumers argue that ad blockers allow their pages to load faster and protect their privacy, but advertisers argue that consumers are cutting them off at the knees, keeping them from providing information for free. The New York Times even stopped showing users content if they were using ad blockers, and a German newspaper sued AdBlock Plus, claiming they were interfering with their right to advertise to readers. The IAB may even sue AdBlock Plus in the near future, according to AdExchanger.
Having consumers break the implied social contract of receiving free content in exchange for data has shifted the balance of power in consumers’ favor, at least for now. And some companies are doing their part to strengthen customer data protection: Apple’s forthcoming iOS10 will stop ad networks from collecting data on Apple device users (but only if they enable the right settings), and the Safari browser also stops ad networks from tracking customers’ cookies.
Still, the more things change, the more they stay the same: Verizon’s acquisition of Yahoo and, by extension, its digital advertising data, has recently caught the attention of the Federal Communications Commission. Comcast also wants the FCC to reject proposed regulations that keep internet service providers from charging customers more who don’t want to be subjected to OBA.
It’s not unlike a certain legal scuffle in 1999.
Advertising helps support a free internet and shows consumers targeted ads about products they’d most likely be interested in. Still, companies have a history of obfuscating just how consumer data gets used, and the law has not taken kindly to those that hide their methodologies from consumers.