New BT Principles May Not Go Far Enough To Stop Regulation

Faced with the prospect of new regulation, a coalition of the major ad industry trade groups has issued new privacy principles for online behavioral advertising, or tracking people as they surf the Web and serving ads based on sites visited. But consumer advocates say the self-regulatory principles are not likely to adequately protect Web users' privacy.

Like the old voluntary behavioral targeting standards, the new guidelines require companies to notify consumers about targeting, and in many cases allow them to opt out.

But the new guidelines also differ in some key aspects from the previous self-regulatory principles. Among other changes, the new guidelines impose higher standards on Internet service providers and entities that track people via toolbars or other downloaded applications. Those companies would be barred from collecting data or serving targeted ads unless users have taken an "action in response to a clear, meaningful and prominent notice."

The new principles grew out of a task force of the American Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, the Interactive Advertising Bureau and the Council of Better Business Bureaus. Together, the task force members represent more than 5,000 companies, making the guidelines potentially more far-reaching than standards developed by narrower groups like the Network Advertising Initiative.

Federal Trade Commission Chair Jon Leibowitz praised the initiative, but also said the agency was still evaluating the guidelines. "Behavioral advertising raises a number of serious privacy concerns, and these guidelines are a direct response to the call by the FTC and consumer groups for improved practices, including increased transparency and consumer control over the collection and use of data," he said in a statement. "The Commission's goal is to promote meaningful consumer protection and choice in this area as well as to ensure that consumer protections are accessible and understandable to all consumers."

The new principles provide that cookie-based behavioral targeting -- or tracking people via cookies at publishers' Web sites and then serving them ads -- requires clear and prominent notice in at least two places: the publishers' sites and within or around targeted ads themselves or another place on the page where the data is collected. The principles mention the possibility of a uniform link or icon, but details remain unclear.

The guidelines also require companies to obtain users' consent before collecting sensitive data, defined as financial account numbers, social security numbers, pharmaceutical prescriptions, or medical records about a specific individual. Also, for the first time, the guidelines would be enforced via the Better Business Bureau.

The new principles come at a time of increased scrutiny of online ad practices in Congress and at the FTC. Influential lawmaker Rep. Rick Boucher (D-Va.) has said he intends to introduce legislation later this year.

In addition, although the FTC recently said it continued to support voluntary self-regulation, Leibowitz as well as commission member Pamela Jones Harbour expressed reservations about whether the industry could protect users' privacy without new regulations.

Some consumer advocates said they were unimpressed with the new principles. Lee Tien, an attorney at the digital rights group Electronic Frontier Foundation, argues that self-regulatory programs will not adequately protect privacy because consumers currently have no way of knowing their privacy has been compromised, much less complaining about it to an enforcement body.

"There's no good reason to expect self-regulation to work," Tien says, adding that companies currently compile dossiers used to target people based on behind-the-scenes data-crunching without explaining how specific information is being used.

"It's very difficult to have a meaningful dialogue when companies are hiding the ball," he says. "If what the companies are doing is really of benefit, they should be able to make that case by telling us what they know about us and what they're doing with that information."

Jeff Chester, founder and executive director of the privacy group Center for Digital Democracy, says he intends to continue pressing for new laws. "You cannot trust the industry to oversee itself," he said.

Susan Grant, director of consumer protection at the Consumer Federation of America, also expressed a preference for new legislation. "There needs to be a law that consumers can enforce regardless of any self-regulatory principles."

In addition, some industry observers say they are disappointed in how the guidelines define and treat "sensitive" data. Jules Polonetsky, co-chair and director of the think tank Future of Privacy Forum, suggested expanding the definition of sensitive data to "clickstream profiles based on searches for sexual terms or for sensitive diseases."

He also said that the agreement to provide clear and prominent notice to consumers marks a "significant advance," but that the rules are "a starting point and not a finish line."

"The credibility of this effort will be determined by whether this notice is only a barely visible disclaimer or whether it is really a good faith effort to educate users about a key feature," he said in an email to Online Media Daily.

For around 10 years, the online behavioral targeting industry has followed voluntary self-regulatory principles calling for Web companies to notify consumers about targeting and allowing them to opt out. But policymakers and consumer advocates have criticized those standards, arguing that the notifications provided in privacy policies are hard to understand.

Critics also say that the principles had not kept up with new forms of targeting, including ISP-based targeting. Last year, news that the now-defunct NebuAd had tested ISP-based targeting sparked congressional hearings and fueled new calls to regulate online advertising. Such targeting is seen as especially likely to threaten privacy because ISPs can track every site users visit, including search engines and non-commercial sites. Older, cookie-based forms of targeting only track users when they visit a limited number of sites within a network.
