• by Wendy Davis  @wendyndavis, December 16, 2008

In the first major overhaul of its guidelines in eight years, the self-regulatory group Network Advertising Initiative today will issue new privacy principles for online behavioral advertising, or serving ads to people based on their Web history.

As with the old standards, the new code of conduct in many circumstances requires ad companies that target Web users anonymously--that is, without collecting names, addresses or other personal information--to notify users of the practice and allow them to opt out.

But the new guidelines differ in some respects from the older ones. For instance, Network Advertising Initiative members that serve ads based on so-called "sensitive" information--including social security numbers, financial account numbers, real-time geographic location and some types of medical data--must now first obtain users' explicit consent, even when the targeting is anonymous. Previously, there was a restriction on using sensitive information to target people when the data was considered "personally identifiable."

In addition, member companies that use behavioral targeting techniques on children under age 13 must first obtain the verifiable consent of a parent.

The blueprint also says that companies should not retain data longer than necessary. Members of the Network Advertising Initiative include Google, Yahoo, the Fox Audience Network, Revenue Science, and AOL's Advertising.com and Tacoda.

The revisions come almost one year after the Federal Trade Commission issued its own new proposed self-regulatory principles for behavioral targeting. The agency has yet to finalize those guidelines.

J. Trevor Hughes, executive director of the Network Advertising Initiative, said the organization intends to supplement its general principles with more specific implementation guidelines in the future. "It's a flexible structure, so we can respond to changes in the marketplace," he said. "We recognize that business models and technologies will continue to change over time."

In the eight years since the group drafted its original principles, several new techniques emerged that posed challenges. For instance, controversial companies like Phorm, which serve targeted ads based on information gleaned from Internet service providers, only recently appeared in the landscape.

In addition, re-targeting--or serving ads to people who visited specific e-commerce sites--is another relatively new technique. The Network Advertising Initiative does not specifically address re-targeting in its new principles, but intends to develop more specific guidelines for that practice.

Mike Zaneis, vice president for public policy of the Interactive Advertising Bureau, praised the Network Advertising Initiative's "effort to show leadership in the privacy arena on behalf of ad networks." He added: "We see the NAI process as complementary to our broader efforts and can learn some valuable lessons from their efforts."

But Jeff Chester, executive director of the privacy group Center for Digital Democracy, criticized the proposed principles. Chester, who is advocating for laws requiring opt-in consent for behavioral targeting, said the Network Advertising Initiative relied too heavily on "failed approaches," such as notifying users about targeting via privacy policies.

The new code requires companies to give "clear and conspicuous" notice of behavioral targeting. The Network Advertising Initiative said via written comments that it believes that privacy policies are "the most effective and scalable approach," and that a clear and conspicuous link to a privacy policy on a Web site's home page will meet the group's standards.

Chester added that he will continue to push for new legislation in this area. "As long as it's the fox guarding the data collection henhouse, these groups can't rise up to the data collection challenge."