Should advertisers' collection of data on Web users be regulated?

To follow is an excerpt from the CQ Researcher report "Online Privacy" by Patrick Marshall, November 6, 2009

Advertisers — working with ISPs, search engine providers and individual Web sites — are turning to ever more powerful tools to gather information about users so that they can more accurately target their ads. There are, however, very few checks on what advertisers and service providers can do with the data.

“Users have little idea how much information is gathered, who has access to it or how it is used,” Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC) and a professor at Georgetown University Law Center, told Congress last spring. [Footnote 10] “This last point is critical because in the absence of legal rules, companies that are gathering this data will be free to use it for whatever purpose they wish — the data for a targeted ad today could become a detailed personal profile sold to a prospective employer or a government agency tomorrow.”

In fact, in most cases the only constraints on service providers in their collection and use of personal data are their own privacy policy statements. According to Peder Magee, senior staff attorney in the Federal Trade Commission's Division of Privacy and Identity Protection, if a company's practices violate its published promises, “that would be a deceptive claim and something we could take some action against.”

Privacy advocates warn, however, that some service providers don't offer promises about privacy at all. “As long as you don't actually promise anybody any privacy — and companies have gotten very good at writing privacy policies that contain all kinds of warm, ringing tones about how they care for your privacy without actually making any legal commitments — then they don't have to deliver any,” says Stanley at the American Civil Liberties Union.

As Stanley notes, even sites and service providers that do offer privacy statements generally do so in the form of rarely read, long and difficult-to-understand documents buried under an obscure link on a Web site. As a result, many if not most users are unaware of the extent of data being gathered about them and the uses to which it may be put.

With or without their knowledge, “people are giving information to a Web site in order for that site to provide them with a service,” says Stanley. “They don't expect that Web site will then turn around and share the information with six other sites, combine the information to create a profile and give it to an advertiser who will decide whether you're rich or poor and give you different opportunities as a result.”

Most users are also unaware that their Internet searches are recorded and can be used for profiling. “Internet search records are very, very intrusive records,” says Stanley. “The things that you do searches for indicate your hopes and fears, what you're thinking about, what you may be reading, diseases that you have and diseases you fear you might have, things you believe about other people.”

Advertisers justify collection of user data on two grounds. First, they argue that advertising is critical to keeping the Web vibrant. “The great majority of … Web sites and services are currently provided to consumers free of charge,” Charles Curran, executive director of the Network Advertising Initiative, an industry group, told a congressional hearing last June. [Footnote 11] “Instead of requiring visitors to register and pay a subscription fee, the operators of Web content and services subsidize their offerings with various types of advertising. These advertising revenues provide the creators of free Web content and services — site publishers, bloggers and software developers — with the income they need to pay their staffs and build and expand their online offerings.”

Second, advertisers argue the collection of user data helps advertisers better serve consumers. “Targeted advertising is extraordinarily important for everybody,” says Dan Jaffe, vice president of government relations for the Association of National Advertisers. That, he says, is because the more information advertisers have about users the fewer irrelevant ads will be delivered to those users.

Conversely, Jaffe says, restrictions on behavioral targeting won't cut down on advertising. “A lot of people seem to think that if they can stop behavioral advertising that they will somehow stop advertising,” he says. “Quite the contrary. Instead, you'll see an explosion of untargeted ads. You'll essentially increase the amount of spam because spam is, in effect, untargeted advertising.”

Rather than legislated restrictions on advertising practices, the advertising industry argues that self-regulation — including full disclosure through clear privacy statements and procedures for users to opt out of selected data-collection programs — should be sufficient to protect users' privacy interests.

Berin Szoka, director of the Center for Internet Freedom, a project of the Progress & Freedom Foundation, a “market-oriented” think tank in Washington, agrees. “I think industry can do this on its own,” says Szoka. “We should want companies to really make disclosures robust so that people really understand what they're doing.” Then, he says, leave it up to the Federal Trade Commission to deal with companies that violate their privacy agreements. “They should be going out and finding the truly bad actors in industry and bringing enforcement actions against them,” Szoka urges. “If they need more resources, we can talk about that.”

Szoka adds that user education is another important part of the solution. “What we should be doing here is trying to educate users about what is going on online and empowering them to make decisions for themselves,” he says. “If you really are very concerned about your privacy online, you have a very simple tool. You can go into your browser and use the basic cookie controls to opt out of browsing altogether, or site by site. You can create your own white lists or black lists. I would like to see those tools become much more powerful.”

Privacy advocates, however, are very skeptical of self-regulation. “While we remain hopeful that advertising models based on non-personally identifiable information can be made, there are still too many instances where companies, particularly where there is no regulation, fail to fulfill their responsibilities,” Rotenberg of the Electronic Privacy Information Center (EPIC) told lawmakers last spring.

“Second, even if these privacy techniques are shown to be reliable, it will still be necessary to enact legislation to place the burden on the advertising company to prevent the reconstruction of user identity,” he added. “Without this statutory obligation, there would be no practical consequence if a company inadvertently disclosed personal information or simply changed its business model to true user-based profiling.”

[10] Statement of Marc Rotenberg, executive director, EPIC, and adjunct professor, Georgetown University Law Center, before House Energy and Commerce Subcommittee on Communications, Technology and the Internet, April 24, 2009.

[11] Statement of Charles Curran, executive director, Network Advertising Initiative, before House Energy and Commerce Subcommittee on Commerce, Trade, and Consumer Protection and Subcommittee on Communications, Technology and the Internet, June 18, 2009.


The Issues:
* Do Americans need better protection?
* Are social networking sites doing enough to protect users' privacy?
* Do federal privacy policies regarding the Internet need to be updated?

For more information see the CQ Researcher report on "Online Privacy" [subscription required] or purchase the CQ Researcher PDF