• by Wendy Davis  @wendyndavis, October 9, 2008

Online ad industry executives are taking issue with a new Carnegie Mellon University report concluding that regulation might be necessary to "provide basic privacy protections."

The report, by Aleecia McDonald and Lorrie Faith Cranor, found that online privacy policies take users an average of 10 minutes to read. If every U.S. Web user read the privacy policy at every site visited, the time spent reading privacy policies would total an estimated 44.3 billion hours per year, according to the report.

Many companies that deploy behavioral targeting platforms, which track people across a network of sites and then serve targeted ads, notify people of the practice in privacy policies. Those policies also often let people opt out of the tracking.

Cranor--a board member of the Electronic Frontier Foundation--and McDonald argue in their paper that it is not reasonable to expect people to learn about behavioral targeting practices by plodding through lengthy privacy policies. They also conclude that Federal Trade Commission regulation may be necessary if companies don't improve the readability of their policies.

But some ad industry representatives disputed the study's premises and findings. Trevor Hughes, executive director of the self-regulatory group Network Advertising Initiative, said Thursday that privacy policies are not designed to be read by every visitor to the site. Instead, he said, the expectation is that consumers who are especially concerned about particular sites' practices will read them.

He added that privacy policies confer legal obligations on sites even if consumers don't read the documents.

"To suggest that notice fails simply because it would take a long time for consumers to read every privacy policy fails to recognize the value that privacy policies provide," Hughes said. "They become a binding statement by that organization, and if that organization does something different from what they say in their privacy policy, the FTC will come down on them."

Hughes also said that people who don't want to be tracked online for ad-serving purposes have alternatives other than opting out via privacy policies. For instance, users can set their browsers to block third-party cookies, which effectively prevents many behavioral targeting companies from tracking people across a variety of sites. Consumers can download software that removes or blocks certain cookies. (Those techniques, however, would not stop Internet service providers from providing ad companies with data about users' Web histories.)

Jeff Hirsch, CEO of behavioral targeting company Revenue Science, adds that consumers don't always need to read privacy policies through to the end to get the critical details. Hirsch said that as long as policies provide a short summary of the most important points, consumers can glean the crucial information quickly. People who want more details could then spend more time reading the entire policy.

But some consumer and privacy advocates say the study confirms what they have long held--that current privacy policies are not a good way to inform people about behavioral targeting.

"It's not only that they're long, but they're also complicated," says Alissa Cooper, chief computer scientist at the Center for Democracy & Technology. "They're not really written for your average Internet user to understand them."

She added that the Center for Democracy & Technology has been considering ways to make privacy policies smaller and more manageable. One possibility is to include links in ads that explain ad targeting and include an opt-out mechanism.