FTC closely watching Google, Yahoo, Facebook and the Network Advertising Initiative


target1.jpgADOTAS — Online advertising companies believe that voluntary standards are the best way to police tracking online, but the Federal Trade Commission might not be so sure.As a conclusion from speaking with to FTC Director Charles Harwood at the Tech Policy Summit last week, he believes users must be aware that they are being behaviorally targeted and know where to find such disclosure.Is it considered consumer notice when users rarely revisit online privacy policies, especially several years after they have signed up for a service? Yahoo cites its efforts to clean up and reorganize its privacy policy. But user notice should be made upfront, Harwood said, noting that the FTC recently discussed adjusted time disclosures, which are timed notifications about privacy policy changes. They would show up on a user’s page, much like pop-ups, the Director said.While Google AdSense users are by default opted in to behavioral targeting, Harwood thinks the issue with consumer privacy doesn’t revolve around opting in or opting out of behavioral targeting. It’s more so that, when users opt out of behavioral advertising, they’re still being tracked but get none of the better targeted ads that they would otherwise get, he said.When I asked Mr. Harwood if the default should be that users must manually opt in to behavioral targeting by choice, he replied, “For information that is considered to be PII (personably identifiable information), users should be required to manually opt in.” I asked him if consumers should receive more disclosure of what opting in and opting out means, and he said change is needed, but the FTC moves slowly.I mentioned to Harwood that I had asked Chris Kelly, the Chief Privacy Officer of Facebook, if the social network would use behavioral targeting in its rumored Facebook Connect ad platform. Mr. Harwood leaned in; apparently this was news to him.On Tuesday, in front of the Tech Policy Summit audience, I asked Kelly if, like Google AdSense automatically opting in all its users into behavioral targeting by virtue of being AdSense users, Facebook would automatically opt in existing Facebook Connect users into its rumored behavioral targeting network. Mr. Kelly skirted the question and said, “Facebook will continue to be transparent in its collection of any user data.”*The FTC keeps a close watch on Google, Yahoo, and now supposedly Facebook.In the past year alone, there has been a string of Congressional hearings in which the FTC has testified on behalf of consumer privacy. In February 2009, the FTC issued a report titled “Self Regulatory Principles for Online Behavioral Advertising” in which it revised the self-regulatory principles it proposed in February 2008. Harwood said, “We were attempting to create guidelines for behaviorally targeted advertising.”He went on to explain the four self-regulatory principles contained in the FTC report:1) The collection of information should be transparent.2) The level of security should be reasonable and based on the sensitivity level of the information. Data should only be retained as long as necessary in order to be useful.3) Customers should be notified of changes in the privacy policy.4) A company must require an opt-in to behavioral targeting before it can collect sensitive information like medical records.He mentioned to me that, “if companies don’t follow these principles, we have to sue them.”Harwood also said that two FTC commissioners had reservations about the self-regulatory approach.Pamela Jones Harbour had reservations about the voluntary standards. She thought the standards from the NAI (Network Advertising Initiative) were not far-reaching enough. However, she didn’t believe the FTC was ready for legislation in behavioral advertising yet, and thinks a lot of questions must still be answered. She thinks the approach has been piecemeal, and not the best way to go, he said. Also, Jon Leibowitz (now Chairman of the FTC) had concerns about the self-regulatory approach. His short statement was that “a day of reckoning may soon be approaching.” If the standards don’t work this time, there is a possibility of something else in the future.*The FTC appears to be watching the NAI closely. The NAI now represents 31 different ad networks. 80% of the NAI’s member companies are ad networks which practice behavioral ad targeting. If the NAI doesn’t do a good job of self-regulation, the FTC could take measures to have stronger regulations in place.Harwood proceeded to tell me, “The sentiment in the U.S. is that, if PII (personably identifiable information) is not collected, companies won’t have to implement an (upfront) opt-in procedure.” “The data collected is on the individual level, but is aggregated and personal identities are often removed.” But does that make it morally right, or even ideal for consumer privacy? “I’m not so sure. We’ll have to see.”Harwood agrees with Chris Hoofnagle, the Director of Information Privacy Programs at BCLT, that behaviorally targeted ads have the potential to cause users to be universally unsure about being tracked online, which could effectively poison the entire online medium. It could create a slippery slope, or a moral hazard, he said, “if the entire communication channel becomes associated with sleaze. If users lose trust, they will no longer participate.” But he added that “we used to worry about this a lot in 1998 when Yahoo was still young. Now, not as much.”*Corrected from an earlier version.


  1. “web strategy”,

    Charles Harwood will be providing additional information to me this afternoon, so that our readers can be further informed on the FTC’s perspective of behavioral advertising. I’ll ask him your questions. Stay tuned.


  2. I’m glad your article calls much needed attention to the current government regulatory temperature. There are even further ramifications of the FTC Self-Regulatory Guidelines than your shortened version points out. For instance, in #3, advertisers are not only required to advise customers of changes in the privacy policy, but “If it wants to make a ‘material’ change in how the data is used, it must obtain ‘affirmative express consent’ from the affected customers.” And since most BT takes place at a third party level, like a Network, the ability to regulate significant changes in a privacy policy (like obtaining affirmative express consent for BT) is practically non-existent for the advertiser or the network.

  3. I completely agree that consumer trust is essential for the growth and well-being of the online community, which is why all websites should be taking the necessary measures to ensure consumer privacy. Online businesses and websites need to update their privacy policy so that consumers understand where their personal information is going and how it’s going to be used. It is scary to think that over fifty percent of small business owners don’t even have a privacy policy on their website and nearly one-third simply cut and paste their privacy policies from somewhere else (TRUSTe study). Beyond being disconcerting for consumers, not having an accurate privacy policy is bad for businesses, as they can lose consumer trust and be held legally responsible for violating consumer privacy, as we saw with NebuAd. In order to help online business be compliant with privacy standards and enhance their brand trust and legitimacy, TRUSTe has developed a service that helps companies create simple and efficient privacy policies and practices. TRUSTe.org

Leave a Reply to Layne Salter Cancel reply

Please enter your comment!
Please enter your name here