Groups Offer Behavioral Targeting Principles with Notice in Ads Themselves

The timing was somewhat odd, given the congressional recess last week. Companies have been promising leaders such as House Communications Subcommittee Chairman Rick Boucher, D-Va., they can get their own house in order. Boucher has said he'll introduce legislation to require opt-in consent for consumers to be tracked online by third parties, due to the unenforceability of private standards.

Reaction Thursday was mixed. The Center for Democracy and Technology said it was difficult to evaluate the principles ahead of their scheduled implementation early next year. We couldn’t reach Boucher, his Congressional Internet Caucus co-chairman Rep. Bob Goodlatte, R-Va., or Rep. Ed Markey, D-Mass., Boucher’s subcommittee predecessor. Verizon, the communications company most involved in drafting the rules, and the IAB separately said participants scored a coup in getting application makers that collect clickstream data to abide by the same requirements as ISPs.

“Many of the entities and practices to which they apply are covered by self-regulatory principles for the first time in this area,” the 48-page report said. Behavioral targeting providers will offer “enhanced notice” when data are actually collected, in the form of “common wording and a link/icon that consumers will come to recognize” in the ad itself. Clicking the icon will trigger “an expanded text scroll, disclosure window or separate Web page” that divulges the targeting and a chance to opt out or otherwise modify targeting preferences. Privacy notices linked from ads have long been discussed and occasionally implemented -- Yahoo put such notice in ads on eBay, and Google has tested a similar system. Web sites with targeted ads also will carry the wording and icon or link, either disclosing their targeting providers or linking to an industry-developed site that handles preferences across providers. The Network Advertising Initiative long has operated an all-in-one opt- out site, but critics have said Web users are largely unaware of it.

Service providers are broadly defined in the principles, including not only ISPs but browsers, toolbars and any “comparable desktop application” that collects and uses “substantially all” Web addresses to serve targeted ads. Third parties who target on non-affiliated sites and service providers must disclose what kind of data they collect, including personally identifiable information and whether it will be transferred to others. Service providers must get user consent before targeting and offer an easy way to opt out. They must “alter, anonymize or randomize” any personal information and ensure that others can’t “reconstruct” it to identify a person.

All participants are required to get user consent before enacting “material changes” to their data-collection policies, answering a longtime complaint from consumer groups. They can’t collect personal information from children they have “actual knowledge” are younger than 13, in line with the Children’s Online Privacy Protection Act. Financial account and Social Security numbers, prescriptions and medical records are off-limits for collection without user consent. Programs to be run by the DMA and CBBB will monitor for compliance and report “uncorrected violations” to government agencies, but the enforcers are instructed to coordinate with each other to avoid hassling companies.

The principles will be publicized with a massive advertising campaign, with participants having committed to run more than 500 million ad impressions through the end of 2010 touting the effort. Industry-developed sites will explain behavioral targeting and tell consumers how to control their privacy through existing browser tools.

FTC Commissioner Pamela Harbour was among the heavy hitters lined up by participants to praise the principles. “I am gratified that a group of influential associations … has responded to so many of the privacy concerns raised by my colleagues and myself,” she said in a written statement. She called the principles “an important first step.” NAI Executive Director Charles Curran said the new principles were a “broadening” of the long-awaited standards his group released just six months ago.

“In general this is definitely moving in the right direction,” Ari Schwartz, chief operating officer for the Center for Democracy and Technology, told us. But some principles aren’t clearly spelled out, and definitions may not work for future business models, he said. The biggest omission is giving Web users access to the categories for which they're targeted and a chance to opt out by category, Schwartz said, as Google has done with its “interest-based advertising”. Principles must have the ability to “evolve,” the biggest drawback of the NAI principles, which remained static for eight years, he said. Harbour’s support for the principles should be understood through the context of her ongoing support for general privacy legislation, Schwartz said: “We need to set the baseline first here.”

The “meaningful informed consent” in the principles is a milestone for the industry, a Verizon spokesman told us. It shows the industry can govern itself better than a “bureaucrat” and has made a “genuine and serious effort” at policing itself. “Intelligently presented” advertising should be the goal of such efforts, he said. Verizon pressed hard for the same rules to apply to all applications collecting full clickstream data, the spokesman confirmed, and it expects other communications companies to join as the principles are implemented.

USTelecom said it was happy to see browser and toolbar makers covered by the same “meaningful affirmative consent” requirement as ISPs. The principles “importantly call on all advertising stakeholders to work collaboratively toward a solution,” the group said, alluding to the negative spotlight that ISPs have felt for their early targeting efforts. USTelecom noted that ISP targeting is still a rarity in the market. Pablo Chavez, managing policy counsel for Google, said the company was ahead of the principles in some features, such as its Ads Preferences Manager.

IAB Counsel Stu Ingis told us he showed the principles to congressional staff Wednesday: “They're generally aware of the progress we've been making,” even though lawmakers were out of town. “Congress has been keeping us so busy” with hearings on privacy in advertising that participants couldn’t hammer out the principles earlier, he said. Boucher and other lawmakers have impressed upon participants that legislation is coming, but members understand the importance of targeted advertising to the economy and “they're not looking to interfere with that,” Ingis said.

It can’t be overstated how significant the “service provider” provisions are, Ingis said, crediting Verizon’s advocacy. There was “polarization” among participants in September on how to treat applications that collect full clickstream data, as happens when ISPs practice targeting. Such collection isn’t common among toolbar and browser makers at the moment, but they have the capability to target and have been actively considering it, Ingis said. “The scope of this at some level is unprecedented,” with participation by newspaper groups, Internet companies, Verizon, Disney, advertising giant WPP and NAI among others.

The accountability provisions aren’t measly, Ingis said. The DMA requires members to follow its policies and regularly reports on its enforcement actions to the government, which has regulatory authority over some violations. The CBBB has a successful record with its programs on children’s advertising and ad substantiation, wielding the threat of bad publicity for noncompliant companies, Ingis said. “They get right in your pants.”