IAB: Privacy Debate Moves Beyond Cookies

Preparing for MediaPost's OMMA Behavioral on Thursday, I caught up via phone with Mike Zaneis, VP of public policy at the Interactive Advertising Bureau, to take a deeper dive into the IAB's latest project, the Self-Regulatory Principles for Online Behavioral Advertising, published a few weeks ago. 

Mike Zaneis: As more advertising goes online and on mobile phones, it becomes a central issue to increase the relevancy with behavioral targeting. In the past, there have been several attempts to regulate online advertising. Early on there were blunt instruments. People who didn't understand the way online advertising worked wanted to regulate cookies, because they thought regulating the technology would be the correct approach. We have begun to move away from that approach during the last few years by educating the public and Washington. People finally realize cookies are pervasive and important for a positive user experience. Now the debate is around privacy and the type of data you're collecting and using to deliver targeted ads.

MediaPost: How long should companies keep the data?

Zaneis: The industry must follow common business practices and regulations. For instance, the Federal Trade Commission, through several enforcement actions, has made it clear that every industry must have reasonable data security measures, which is a sliding scale. You have to look at the type of data you're collecting, the type of threat a business may face, how the company plans to use the information, and whether the company plans to share it. Then you must look at the sensitivity of the data. We see a refocus away from pure data retention, toward making sure information isn't misappropriated. There shouldn't be an arbitrary period of time for data retention because different types and quantities of information may pose a greater threat to consumer privacy. We are trying to protect consumers and meet their expectation of privacy and security.

MediaPost: How do you define sensitive data?

Zaneis: If for some reason a company collects consumers' Social Security numbers. Most online advertisers don't do that, but you could imagine [it] as part of a process for Web site registration. I would put medical and financial information in the same category. If you're a healthcare Web site, and provide information about medical treatments, that type of information is much more sensitive than most other types of information collected online.

We have a data security and data retention principle within our behavioral advertising principles. When we put out the principles a couple of weeks ago, there was a lot of discussion because the broadest group of online advertising-related companies came together to form these principles. These companies include marketers, advertising agencies, publishers, portals and search engines. In the past, we haven't drilled down into the principles, such as data security. Now we say, whatever type of data you collect, even though it may be truly anonymous information, you still must as a best practice implement data security because consumers expect that. And it's all about online trust.

The privacy debate, once defined by personally identifiable information, has moved toward data security and eliminating risk.

Recommend (3)
3 comments about "IAB: Privacy Debate Moves Beyond Cookies ".
  1. Paula Lynn from Who Else Unlimited , July 29, 2009 at 1:01 p.m.

    There is no reason your SS number must be in the same file as medical information. It can be stored elsewhere. And any website that needs mine, doesn't need me that much because they won't get it.

  2. Warren Lee from WHL Consulting , August 3, 2009 at 5:41 p.m.

    Thanks for the article Laurie. I have but one question for all of the talk of online privacy regulation that I would really love to see addressed: Why should their be different regulations for online and offline targeting? It seems to me that the DM firms have for a very long time used offline data to specifically target their offerings. If you go to some of their web sites and look at the selects that can be made you will be shocked (at least I was) as to how granular they can get, how much personal data is available to them and that they make no bones about consumer privacy as there is none. Names, addresses, handicaps, data on every facet of our lives.

    You know, I would love to see a panel at the next ad:tech or OMMA event where a professional moderator asks hard questions of the panel, which would be composed of the President of the DMA and the IAB ( or other industry group) and the head of the FCC. Let us debate privacy from a point of viewthat is slightly different: Here is what happens in the offline world, here is what happens in the online world, justify the differing regulations. I wish the debate would be about leveling the playing field not scewing it up!

  3. Vox Appeal from VoxAppeal.com , August 5, 2009 at 4:23 a.m.

    "Principles" of best practice and the definition of "personally identifiable information" are arguments in response to concerns expressed by representatives of the general public, but not only are they ultimately very superficial arguments designed primarily to make the public more amenable, they are a long way from any kind of strict guarantee of individual privacy.