• by Wendy Davis , Staff Writer @wendyndavis, February 14, 2012

More than 8 million Web users visited the site operated by privacy self-regulatory group Network Advertising Initiative last year, while more than 800,000 opted out of online behavioral advertising, the organization reported today.

Those numbers are up considerably since 2010, when around 2.8 million people visited the NAI's site and around 470,000 opted out of behavioral targeting, or receiving ads targeted based on sites they visited.

The NAI also says in its annual report that most of its members comply with self-regulatory standards. Those principles generally require ad networks to notify users about behavioral targeting and allow them to opt out of receiving targeted ads. For the report the NAI examined policies and practices of 60 of its 80 members.

The group reports that 53 of its members provide notice via the Digital Advertising Alliance's ad icons. Additionally, nearly all members are honoring the prohibition against tracking users with technology other than HTTP cookies.

One notable exception was Epic Advertising, which was caught using history-sniffing techniques to discover information about users' prior Web activity. History-sniffing exploits the fact that some browsers change the color of links that users have visited. Ad networks and other Web companies can take advantage of that coding to determine which sites users have previously visited. That technique is "inconsistent with the NAI code and NAI policy," the report says.

The NAI says that it is now requiring annual audits for Epic. The Epic Advertising breach was discovered by researchers from Stanford, as opposed to industry groups; the NAI says that it hopes to beef up its own testing capabilities this year.

The self-regulatory group also says it discovered that a few instances of companies that weren't honoring users' opt-outs. The NAI says that those breaches were all inadvertent or the result of glitches. In three cases, opt-out cookies were deleted "as a result of bugs." In three other cases, companies began collecting tracking data on new domains before updating opt-out mechanisms.