Washington, DC - Last week, I had the pleasure of sitting down for some Q&A with members of the Network Advertising Initiative (NAI), one of the leading self-regulatory organizations for the online, interest-based advertising industry. One of the questions they posed was what additional actions industry should be taking to address online tracking as it develops ever more complex technologies. My answer? Tell people how they’re being tracked and offer them easy-to-use tools to block all of the techniques used to track them.
Industry has moved well beyond cookie-based tracking, and the choices offered to people must keep pace with what’s happening in the marketplace.
For years, the online ad industry has collected detailed information about people’s activities as they search, shop, and interact online, and has used complex data analyses to make predictions about individuals and their likely behavior. The goal is to provide advertising that is more relevant to a particular person’s interests and more likely to lead to purchases. There’s no doubt many people benefit from these practices. They get ads that are more targeted to their preferences, and these ads help support online content and services they might otherwise have to pay for.
But – and there is a but – the privacy concerns are very real too. Companies are using the data they collect to build highly detailed profiles about individuals, and many of the companies involved in this process are behind the scenes, completely invisible to most of us. Companies also are using high-tech techniques to uniquely identify the devices people carry with them everywhere. And as we explored at a recent FTC workshop, industry has started to connect people’s digital interactions across the different devices they use in a practice known as “cross-device tracking.”
Since 2000, the NAI has worked hard to develop self-regulatory standards that provide information and choices to people about online tracking. And since 2009, the Digital Advertising Alliance (DAA) has too. Both organizations have developed codes of conduct that cover numerous companies in the online advertising ecosystem and include meaningful enforcement programs. And both provide people with tools to limit the collection and use of their data for targeted advertising. Recently, the NAI and DAA have made strides when it comes to cross-device tracking. DAA now offers an opt-out to prevent the collection of tracking data on one device from informing ads across devices, and NAI has issued guidance and is working on a tool for its members.
These are important steps forward, but more is needed to keep pace – and in fact, stay ahead of – the rapid changes taking place in the marketplace. As I told the NAI, the disclosures and choices companies offer to people must address the many forms of tracking companies are using, including proprietary techniques that combine technologies like cookies, fingerprinting, cookie syncing, and many others. They also must apply when companies track consumers not on one, but across multiple devices. People can’t be led to believe tracking is more limited than it is, or that they’ve blocked all tracking when that’s not the case. And if the choices offered to people don’t cover all the ways a company tracks them, the company must clearly and prominently say so. I also told the NAI that these choices must be easy to understand and use, and shouldn’t require multiple steps.
Why is this important? For one thing, the failure to provide truthful and complete information to consumers about tracking could be deceptive under the FTC Act. Just look at our cases against Epic Marketplace, ScanScout, and Chitika, which charged these companies with misrepresenting their tracking practices and choices. Or our recent warning letters to app developers who installed TV-monitoring software in their apps without telling people who downloaded the apps.
For another thing, gaining people’s trust is important for the continued growth of the industry. Surveys increasingly show that people care about privacy, that it affects who they do business with, and that they’re using their browsers and other tools to protect their privacy. For example, we’re seeing more and more people adopt ad blockers, which no doubt hurts industry’s bottom line. They’re also using other privacy tools to protect themselves, such as clearing their cookies, avoiding the use of their names, and using virtual networks to mask their IP addresses. One reason we may be seeing this trend is that people don’t feel they have simple, easy-to-use, and comprehensive choices when it comes to online tracking. Certainly, industry would be better off providing these choices themselves, and gaining people’s trust, rather than having people block advertisements altogether.
I also discussed with the NAI the Commission’s position on persistent identifiers and privacy. As the FTC has discussed for years now – see our the 2009 staff report on online behavioral advertising and our 2012 Privacy Report – we regard data as “personally identifiable,” and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test. For this reason, in the Commission’s 2013 amendments to the Children’s Online Privacy Protection Rule, it modified the definition of “personal information” to include “a persistent identifier that can be used to recognize a user over time and across different Web sites or online services [including but not limited to] a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier.”
Even without a name, you can learn a lot about people if you use a persistent identifier to track their activities over time on a particular device. You also can communicate with them. So what does that mean for the online advertising industry? If you’re collecting persistent identifiers, be careful about making blanket statements to people assuring them that you don’t collect any personal information or that the data you collect is anonymous. And as you assess the risks to the data you collect, consider all your data, not just the data associated with a person’s name or email address. Certainly, all forms of personal information don’t need the same level of protection, but you’ll want to provide protections that are appropriate to the risks.
The online advertising industry has made significant progress in providing people with information and choices about online tracking. As technology and tracking techniques continue to advance, industry must keep pace to ensure that their disclosures and tools adequately protect people and don’t mislead them. I look forward to continuing this important, positive dialogue with the online advertising community.