Behavioral Advertising Under Attack?

This post at Proskauer's privacy blog notes some increased attention at the state level following a December 2007 announcement by the FTC to "take a look" at behavioral advertising on the internet.  The post provides a good summary on the status of regulation on targeted advertising on the internet, and how pending legislation may affect such activities. 

The basic set up - (in my experience, this seems fairly prevalent) - is for websites, ISPs and others who come into contact with browsers to use cookies (beacons, etc.) to track user behavior.  Initially, tracking occurred at the site level, but now tracking generally extends to other sites visited by the user.  The information obtained is typically not tied to any of the user's personal information, but is used to build a "profile".  So, for example, imagine that you visit  A cookie is placed in your machine and it tracks not only your visits to yahoo, but your visits to other sites as well.  (Note: it's unclear the extent to which tracking occurs across other sites, as the Proskauer blog post indicates.)  The tweak that was initially surprising to me is that many times the website operator is not the one doing any of the tracking - this function is outsourced to a third party.  If a tracking company has relationships with yahoo and the other sites you visit, the depth of information gleaned increases significantly.  Through multiple website relationships, tracking companies build their "networks," which are actually tied to particular browsers/users more than anything.  The tracker is able to tell potential advertisers all of the sites visited by the user and in many cases details of the visits (including maybe even products purchased?).  This type of detailed information and targeting is obviously of value to the advertiser.  I'm not sure when this practice started and how it evolved, but it's now so prevalent that to regulate it would - in my estimation - fundamentally alter the nature of the internet and typical advertising agreements entered into by many well established websites.  (I'd be curious to know the practices of the high traffic sites across categories, such as Amazon, NYT, etc.)  If done on a truly anonymous basis I don't really see a problem with it either.

States have launched an effort to regulate aspects of this practice, both NY and CT have introduced statutes that may cause the typical commercial website operator some concern.  Here's a page with links to both statutes. 

The CT bill - which you can access here - is somewhat narrower than the NY bill.  It only applies to "personal information," and requires a website operator to disclose (upon request of a state resident) third parties to whom the website operator disclosed personal information.  The bill could be cleaned up a bit, but its goal is to allow consumers to determine whether their personal information has been shared to third parties, and "whether or not the operator knows or reasonably should know that the third parties used the personal information for the direct marketing purposes of a third party."  The problem with this bill is its description of "personal information":

any information that, when it was disclosed, identified, described or was able to be associated with an individual, including, but not limited to: (A) An individual's name and address, (B) an electronic mail address, (C) a date of birth or age, (D) names or numbers of children, (E) real property purchased, leased or rented, (F) a Social Security number, bank account or credit or debit card number, and (G) payment history

"was able to be associated with an individual"??  That's painful to read, and more importantly totally vague.  I'm not even sure what that means.

The NY bill
- which you can access here - is far more sweeping.  As described by the Proskauer blog:

The bill would create an extensive regime of consumer notice and choice for third party tracking of different types of consumer online activity. Absent obtaining a consumer’s prior affirmative consent or opt-in, third parties would be prohibited from collecting personally identifiable information online. Consumers would have the right to opt-out of any online tracking involving non-personally identifiable information. The bill would require clear notice by third party advertising companies on their own sites of their profiling activities, the types of data they collect, how they use the data, the opt-out process, and the length of time the data is retained. And, it would require third party advertising companies to contractually require the sites to whom they provide services to include notice and opt-out options. 

None of this is particularly earthshattering, except for maybe the last part (requiring third party advertising companies to include opt-out options).  It should not be, since industry-generated standards shaped some part of the legislation.  The bill also contains some more troubling provisions:

Notably, the bill would prohibit a third party from tracking information from websites when it does not have a contractual relationship with the website owner. This provision could have major implications for the companies described above that contract with Internet Service Providers to monitor surfing activity across all websites a consumer visits.       

This may raise some eyebrows in the online advertising community.  I don't really see the clear rationale for this provision - which restricts tracking to website owners or third parties who have contractual relationships with the website owner.  As the post notes, this doesn't really account for a situation where the relationship exists between the tracking company and the ISP or a "relationship" between the tracking company and the end user.  On second thought, maybe there's some value to ferreting out the third party relationships involved in the chain.  It probably will not affect user-behavior one bit, but it seems like the information would be helpful to know.  I'm guessing people may be surprised by it.  In fact, my overall impression is that the actual tracking practices of typical mainstream internet sites are unknown.  It's always difficult to nail down specifics, and it may help to know those specifics.  As to whether this type of regulation can occur at the state level, the answer is likely no.

NB:  NYT story here.
  • No trackbacks exist for this post.
  • No comments exist for this post.
Leave a comment

Submitted comments are subject to moderation before being displayed.

 Name (required)

 Email (will not be published) (required)


Your comment is 0 characters limited to 3000 characters.