Stanford CIS

Self-Regulatory Principles For Online Behavioral Advertising: "Or" vs. "And"

By Ryan Calo on

I’ve blogged before about the Network Advertising Initiative’s opt out for behavioral targeting, noting that there is no guarantee that participants will stop tracking users (only that they will stop serving targeted ads with the data they gather). Now a distinct coalition of online advertisers has proposed its own self-regulatory program, modeled on principles released (PDF) by Federal Trade Commission staff earlier this year. I took a closer look at what the new industry program says about opting out of the collection of user browsing habits. Hint: pay close attention to the use of conjunctions.

The proposed self-regulatory program for online behavioral advertising is, to begin with, relatively narrow in scope. It covers data collection across multiple, disparate websites by one or more ad network. This practice has long been cast as especially problematic due to the general lack of relationship between the ad delivery network that is collecting data (say, DoubleClick) and the data subject that is browsing the various websites within the network (say, Washington Post and ESPN.com). But such a focus leaves out the behavior-based advertising that an Internet company can perform across its own web properties and web-based services, no matter how extensive. The program has no effect were Google to combine your Search history with your Calendar or if Microsoft were to create a profile using your Bing searches and your viewing habits on MSN.com.

The industry coalition’s remedy—like that of the NAI and the FTC—consists largely of “enhancing” user notice and control. “Notice” here means disclosure about the advertiser’s data practices; a privacy policy is a form of notice. “Control” refers to what users can do about those practices.

The industry coalition’s proposed principle around notice (pages 12-14) gives participants a lot of options. The text has more “or’s” than the Argonauts (JPG). Notice can consist of a link in or around the advertisement, or somewhere else on the website where data is being collected. Or, the company can get itself listed on an “industry developed Web site” and link to that. Or, in what is already standard practice, the company can link from the privacy policy of the website operator. Etc.

When it comes to user control, however, suddenly we start seeing some “and’s.” Third party advertisers should provide choice around the “collection and use of data” (page 14, my emphasis). Toolbars and other add-on software “should not collect and use data for Online Behavioral Advertising purposes without Consent” (same). The principles could expressly provide control of the collection “or” use of data, but they don’t. Like the NAI opt out discussion, the proposed self-regulatory principles leave ambiguous whether users will be able to opt out of collection at all. This follows because if a company stops using data to target ads, then it is no longer technically "collecting and using" that data.

There are some encouraging elements within the industry’s proposed self-regulatory program. It requires opt-in where a service provider tracks all URLs. It speaks of providing adequate security and retaining data “only as long as necessary to fulfill a legitimate business need” (or, of course, “as required by law”). It encourages consumer education efforts. But one thing this program does not clear up, at least by the text of its principles, is arguably the most important: will users be able to stop online advertisers from tracking what websites they visit. Isn’t that what we’re all so worried about?