April 9th, 2009
Targeted Ads on FTC Radar
By David Bender
New York Law Journal
Targeted advertising (also called behavioral advertising) uses a consumer’s history of Internet surfing and search queries to determine the consumer’s interests, and then sends ads based on the determination. This is accomplished by depositing a cookie[FOOTNOTE 1] on the consumer’s Internet browser to store surfing and search data that is used to assign the consumer to appropriate interest categories.
Targeted advertising assures a more select group of ad recipients. This renders the efforts of the company sending the ad (often a third party) more efficient, and frees the consumer from the distraction of uninteresting ads.
Last year, this column described a New York bill that would have governed targeted advertising.[FOOTNOTE 2] That bill was not enacted. Nevertheless, in the ensuing year targeted advertising has become the focus of a variety of interest groups in the United States and elsewhere. Given New York City’s prominence as an advertising center, these developments should interest many local lawyers.
In March, Google began using surfing data for targeted advertising.[FOOTNOTE 3] Google announced it would permit users to review and correct information that Google had about them, and to opt out of targeted advertising.[FOOTNOTE 4] Google plans to use targeted advertising initially with a few dozen advertisers. Google uses some 600 interest subcategories within 20 broader categories, but stated that the categories did not include sensitive areas such as race, religion, sexual orientation and certain types of health and financial information. The company stated it would not associate this data with data acquired through other Google services (e.g., search queries would not be used for targeted ads). Some privacy advocates applauded the fact that users would be able to review their preference data, while others criticized the opt-out, claiming that opt-in would be appropriate.[FOOTNOTE 5]
That same month Google announced a browser extension, which it made publicly available, that blocks cookies delivered by the DoubleClick ad network (Google owns DoubleClick).[FOOTNOTE 6] This extension prevents DoubleClick from tracking the user’s Web activities.[FOOTNOTE 7] This feature is helpful because, although many ad networks permit users to set their browsers to opt out of cookies, the opt-out must be renewed each time the user clears cookies from the browser (some browsers can automatically clear cookies when the browser is closed). With this extension, continual opt-out renewals are no longer necessary.
Christopher Soghoian[FOOTNOTE 8] has expanded this feature by modifying the Google extension to permit opt out from some 26 other advertising networks as well. And last month, Microsoft released IE8, the latest version of its Internet Explorer browser, said to contain an option that precludes the retention of surfing and searching history, and automatically clears the browser on conclusion of each session.
In a related development Cablevision, which serves a portion of the New York City metropolitan area, announced in 2009 that it would use targeted advertising for TV ads sent to 500,000 homes.[FOOTNOTE 9] Cablevision will send these ads based on demographic data obtained from a large national credit reporting agency. Many homes will receive ads different from those their neighbors receive. Cablevision apparently will maintain the data such that households will remain anonymous.
Some privacy advocates have voiced concerns, but the head of the Electronic Privacy Information Center stated: “We don’t have an objection to advertising that is targeted to demographics [if it is shown] that they can’t be reverse-engineered to find the names of individuals that were watching particular shows."[FOOTNOTE 10]
Are consumers really concerned about behavioral advertising? According to a survey commissioned by TRUSTe[FOOTNOTE 11] and conducted in February 2009, two out of three respondents were aware their browsing information might be collected for use in advertising.[FOOTNOTE 12] Half were uncomfortable with targeted advertising, and many took steps to remain anonymous. Yet a clear majority professed annoyance when advertised products or services were not pertinent. Almost half stated they deleted cookies at least weekly. While three quarters said they knew how to protect personal information online, 39 percent reported they did not consistently do so.
No less a personage than Sir Tim Berners-Lee, regarded as the founder of the World Wide Web, suggested that the improper collection of user access histories threatened online integrity: “People use the Internet to search for information when they’re concerned about their sexuality, when they’re looking for information about diseases or when they’re thinking about politics—it’s vital that they are not being snooped on."[FOOTNOTE 13]
Speaking at a U.K. House of Lords roundtable event, he analogized improperly collecting user access information to “opening our private mail or putting cameras in our living rooms.”
Search engine providers argue that retaining information provided by users is necessary to protect them from abusers and to implement effective searches.[FOOTNOTE 14] In December 2008, Yahoo! announced it would reduce, from 13 months to three months, its retention period for much of its data. This announcement followed by three months Google’s announcement that it would reduce its retention period from 18 months to nine months. Microsoft held at 18 months, but indicated that if its two larger rivals reduced to six months, Microsoft would follow.
LITIGATION AND REGULATION
Although targeted advertising is still in its infancy, litigation contesting its legitimacy has already begun.
In November 2008, a purported class action was filed.[FOOTNOTE 15] The suit alleged violations of the Electronic Communications Privacy Act (18 U.S.C. § 2510), Computer Fraud and Abuse Act (18 U.S.C. § 1030), Invasion of Privacy Act (Calif. Penal Code § 631), Computer Crime Law (Calif. Penal code § 502), and alleged common law causes for aiding and abetting, civil conspiracy and unjust enrichment. This litigation is pending.
With the Federal Trade Commission showing significant interest in targeted ads, on Jan. 15, 2009, four advertising trade associations[FOOTNOTE 16] announced they were working with the Council of Better Business Bureaus to develop guidelines for self-regulation of targeted advertising.[FOOTNOTE 17]
One of these organizations, the Interactive Advertising Bureau, had worked with some 10 companies (including AOL, Google, Microsoft and Yahoo!) to promulgate Good Practice Guidelines that were approved last month by the U.K. data protection authority.[FOOTNOTE 18]
The guidelines focused on three principles: notice that personal information is being collected for an identified purpose; choice (opt-out) permitting the user to avoid collection; and education to inform how the data will be used and how to avoid collection.
In February, the Federal Trade Commission released its Staff Report “Self-Regulatory Principles for Online Behavioral Advertising."[FOOTNOTE 19] These principles are suggestions only, and not mandatory. Nevertheless, FTC Commissioner Jon Leibowitz remarked: “Industry needs to do a better job of meaningful, rigorous self-regulation or it will certainly invite legislation by Congress and a more regulatory approach by our commission. Put simply, this is the last clear chance to show that self-regulation can—and will—effectively protect consumers’ privacy in a dynamic online marketplace."[FOOTNOTE 20]
In this report, the FTC defined behavioral advertising as:
The tracking of a consumer’s online activities over time—including the searches the consumer has conducted, the web pages visited, and the content viewed—in order to deliver advertising targeted to the individual consumer’s interests. This definition is not intended to include ‘first party’ advertising, where no data is shared with third parties, or contextual advertising, where an ad is based on a single visit to a web page or single search query.
The report concludes with four principles:
• Transparency focuses on providing a clear and easily accessible statement that personal data is being collected for tailored advertising, and that consumers can avoid collection.
• Security is concerned with assuring that the data is protected by reasonable security, with “reasonable” being defined by the circumstances, and with limiting retention periods.
• Consent requires express consent to any material retroactive change of the site’s representations about data handling or use.
• And the final principle requires affirmative express consent before sensitive data may be used.
Targeted advertising has now become so prominent that it is no longer able to fly below government radar. The admonition of the FTC’s commissioner seems accurate: either the industry will impose reasonable self-regulation, or the government will impose law. The industry gets first crack.
But if the industry fails to self-regulate - and soon - Congress may enact legislation, and the FTC will probably embed its principles in a regulation. Accordingly, this could indeed be the industry’s “last clear chance.”
Companies contemplating targeted advertising would do well to build their models around the FTC’s principles.
David Bender is a solo practitioner in Dobbs Ferry, who specializes in privacy, information technology and intellectual property law.
::: FOOTNOTES :::
FN 1. A cookie is a small amount of data deposited by a site onto a browser. It permits the tracking of sites visited and search query content.
FN 2. A 09275 (2008); S 6441-A (2008).
FN 3. Miguel Helft, “Google to Offer Ads Based on Interests,” New York Times Online (March 11, 2009).
FN 4. Users are not notified that targeted advertising is being used. If they click on a link denominated “Ads by Google,” they are taken to a site permitting them to modify the categories to which they have been assigned. Joseph Turow, a marketing professor at the University of Pennyslvania, suggests that this insufficiently empowers users. Saul Hansell, “An Icon That Says They’re Watching You,” (March 19, 2009). Turow advocates use of an icon on each targeted ad; clicking would reveal more detail than Google discloses, such as data triggering the ad, and its source.
FN 5. Grant Gross, “Privacy Groups Rip Google’s Targeted Advertising Plan,” IDG News Service (March 11, 2009).
FN 6. Jeremy Kirk, “Browser Add-on Locks Out Targeted Advertising,” IDG News Serv. (March, 17 2009).
FN 7. Id.
FN 8. Mr. Soghoian is a Ph.D. candidate at Indiana University and a Fellow at the Berkman Center for Internet and Society at Harvard University. A download of his Mozilla Firefox modified extension can be obtained from his Web site at http://www.dubfire.net/opt-out/. Kirk, supra.
FN 9. Stephanie Clifford, “Cablevision Begins Efforts to Aim Commercials at Specific Viewers,” New York Times Online (March 4, 2009).
FN 10. Id.
FN 11. TRUSTe is the grantor of a privacy seal whose purpose is to designate sites that conform to good privacy practices.
FN 12. TRUSTe Press Release, “Behavioral Targeting: Not That Bad?” Wall Street Journal Digital Network (March 4, 2009).
FN 13. Matt Warman, “Online Privacy Demanded by Web Founders,” Telegraph.co.uk, March 13, 2009.
FN 14. eWeek.com, Dec. 18, 2008.
FN 15. Valentine v. NebuAd, No. CV 08 5113 (N.D. Cal. S.J. Div).
FN 16. The Direct Marketing Ass’n, the Amer. Ass’n of Advertising Agencies, the Ass’n of Nat’l Advertisers, and the Interactive Advertising Bur.
FN 17. Nick Brown, “PEOTUS Behavioral Targeted Advertising Adventure,” Jan. 16. 2009.
FN 18. Sarah Crowley-Boevey and Noelle McElhatton, “IAB Produced Guidelines on Behavioural Targeting,” March 4, 2009.
FN 19. Available at http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf.
FN 20. Concurring Statement of Commissioner Jon Leibowitz, p.2, FTC Staff Report: Self-Regulatory Principles for Online Behavioral Advertising (February 2009). Mr. Leibowitz has been chosen by President Barack Obama to be the FTC’s chairman.