Yesterday the Digital Advertising Alliance (DAA) announced a supplementary set of self-regulatory principles for third parties on the web (pdf, press release). This post is a brief — and far from comprehensive — overview of improvements, continued deficiencies, and procedural issues.
1. Several sensitive uses of third-party web tracking data are now completely prohibited: adverse terms or ineligibility for employment, credit, medical treatment, and insurance. The principles do not, however, prohibit offering favorable terms or determining eligibility from third-party web tracking data.
2. Transparency and consumer control are now required for many forms of per-device content personalization, not just behaviorally targeted advertising. The principles are ambiguous about whether per-user content personalization, such as Facebook social widgets, also requires transparency and consumer control.
Continuing Substantive Deficiencies
1. Many stakeholders on online privacy, including U.S. and EU regulators, have repeatedly emphasized that effective consumer control necessitates restrictions on the collection of information, not just prohibitions on specific uses of information. The very existence of third-party web tracking data gives rise to numerous privacy risks, including data breach, employee misconduct, government access, and more. The DAA principles nevertheless remain a set of limitations on data use, not data collection. While the supplementary principles begin with broad language about collection limits, they incorporate vast exceptions that wholly swallow the rule. Consider, for example, the exceptions for "market research," "product development," and "reporting."
Market Research means the analysis of: market segmentation or trends; consumer preferences and behaviors; research about consumers, products, or services; or the effectiveness of marketing or advertising.
Product Development means the analysis of: (i) the characteristics of a market or group of consumers; or (ii) the performance of a product, service or feature, in order to improve existing products or services or to develop new products or services.
Reporting is the logging of Multi-Site Data on a Web site(s) . . . for:
• Statistical reporting in connection with the activity on a Web site(s);
. . .
In a plain reading, every third-party web tracking practice would come within these exceptions to mandatory consumer control. (A simple thought experiment: name a third-party web tracking practice that is not encompassed by the provisions above.) Per-device personalization uses of data are not excepted from consumer control only because the principles explicitly add exceptions to the exceptions. Here is the language on "market research" and "product development."
A key characteristic of market research is that the data is not re-identified to market directly back to, or otherwise re-contact a specific computer or device. Thus, the term "market research" does not include sales, promotional, or marketing activities directed at a specific computer or device.
Like Multi-Site Data used for Market Research, such data used for product development is not re-identified to market directly back to, or otherwise re-contact a specific computer or device.
2. Practices that do not include per-device personalization are not only exempted from consumer control, but are also exempted from any transparency requirement.
3. The DAA has not closed the loophole in its principles for data sharing among corporate affiliates.
4. Despite lack of adoption and widespread criticism, the DAA continues to advocate its opt-out cookie and icon mechanisms.
1. The supplementary principles were developed through an opaque process, with limited input from policymakers, researchers, and civil society organizations. Legitimate self-regulation transparently and inclusively addresses consumer concerns; it does not present a fait accomplis.
2. It is unclear why the DAA, as a consortium of organizations in the online advertising space, would have a legitimate claim to regulate third-party web tracking that is not related to advertising. The new principles may, in fact, run contrary to the current policy positions of several companies, including Facebook. It remains to be seen how many non-advertising third parties will accept the DAA's principles.
In sum: It's great to see the online advertising industry taking steps in the right direction. There are a few real improvements in the supplementary principles. But they do not address the core privacy issues consistently raised by regulators, legislators, researchers, and advocates, and it is far from clear that the online advertising industry will be able to expand the scope of its program beyond advertising practices.