While the Network Advertising Initiative (NAI), a cooperative of online marketing and analytics companies committed to building consumer awareness and establishing responsible business and data management practices and standards, has existed since 1999, its policies and lack of ubiquitous participation and enforcement ability have not been enough to curtail the FTC’s scrutiny on our industry’s data practices.
The proliferation of data usage for targeting and providing relevant consumer experiences has been a vital component to the progression and growth of the online advertising industry since the emergence of ad servers and data collection in the mid-to-late ’90’s. The argument has always been that no personally identifiable information (PII) is being collected or used and therefore the anonymous data is harmless and in no violation of any privacy guidelines or ethics. However, data collection and applications used to be limited to far fewer players. Today every ad network, marketing technology firm, and now all the major media agencies have developed or are in the process of developing the capabilities of collecting and applying consumer data in the quest to better identify and target specific consumer audiences.
Of course this benefits the entire ecosystem – including consumers. Publishers are utilizing their inventory more efficiently, marketers are able to reach the audiences we want and consumers online experiences are more relevant.
The Privacy Man
Behavioral targeting has been in the FTC’s cross hairs for the last few years (not to mention the unrelenting cries of consumer advocacy groups). It was only this past February when the FTC issued a last warning that the industry self regulate or the man will do it for us. In fact they issued a report on recommended self regulation principles for the industry. Here are the highlights:
Transparency and Consumer Control: Simply put, clear & concise disclosure of targeting practices and a method for consumers to opt-out. Fair enough.
Reasonable Security, and Limited Data Retention, for Consumer Data: Data should be stored in a reasonably secure manner based on the sensitivity of the data, and only retained for the duration required to fulfill a business or legal need. I can see the data storage duration becoming an issue on both sides.
Affirmative Express Consent for Material Changes to Existing Privacy Promises: Express consumer consent must be provided in order to use previously collected data in any manner that materially deviates from the policy in place and disclosed at the time of collection. This includes instances when a company merges with or is acquired by another company with different data collection and usage practices.
Affirmative Express Consent to (or Prohibition Against) Using Sensitive Data for Behavioral Advertising: Any “sensitive” data collected for the purpose of BT must be done so on an opt-in basis. BT data is rarely “sensitive”, however, several otherwise seemingly anonymous data points can be combined and used to create PII, which by definition is sensitive. I can see some conflict arising out of this guideline.
The FTC also (accurately) states that self regulation only works when there is a process in place to “monitor compliance and ensure that violations have consequences.” Commissioner Jon Leibowitz, in a separate statement also warned “A day of reckoning may be fast approaching.” “The jury is still out about whether self-regulation alone will effectively balance companies’ marketing and data collection practices with consumers’ privacy interests.”
Congressional meetings on the subject have been escalated as recently as last month.
The Ad Industry Finally Responds
The biggest hurdle to self regulation was that no industry trade group was prepared to bear the responsibility nor the cost of enforcement. Over the last year the IAB went from not having the desire nor the ability to monitor and enforce any BT guidelines, to seriously contemplating the proposition, to finally collaborating with the Direct Marketing Association, the American Association of Advertising Agencies, the Association of National Advertisers and the Better Business Bureau to establish and issue formal guidelines and enforcement mechanisms.
Advertisers, agencies, publishers, search engines, ad networks, ISP’s, and marketing technology firms will all be held responsible to disclose data collection and usage practices in a “clear, prominent, and conveniently located” manner on their own sites and at the time of data collection.
It is the disclosure at time of data collection that is the interesting development. This disclosure will include an icon or text link that consumers can click on to go to a (soon to be developed) 3rd party site that provides education on industry-wide data collection and usage options. This may be an easy addition at the ad server level. Effectively this moves some of the disclosure that may already exist buried in websites’ privacy policies, and brings it front and center. It does beg the question of how long we’ll need to do this? Two years? Five years? At some point are consumers just educated and BT practices become as normal to them as they are to us? An icon on every other ad served online? Well, according to critics and advocacy groups even that is not enough. Cries for do-not-track lists and more stringent opt-in practices abound, so it is vital that the industry start by appeasing the FTC and enforce violations.
Enforcement – The Scarlet Letter Approach
Enforcement includes reporting of violations to government agencies and the general public. There is certainly motivation for the industry to police violators and ensure that the few proverbial bad apples do not spoil it for the rest of us. Will this be enough to ward of the privacy-man and ensure self-regulation survives? We sure hope so. The strong arm of the law may be less than favorable or practical for the industry.