• by Mark Naples , October 15, 2004

On the heels of yesterday's column by Jim Meskauskas on the great news in interactive of late, with media spending up an amazing 39.7 percent in the first six months of this year compared to last year, the sound you hear may be the other shoe dropping. Way back in early May of this year, I issued a warning of sorts in this space regarding HR 2929, The U.S. House of Representatives' bill titled "Securely Protect Yourself Against Cyber Trespass Act" or SPY ACT HR 2929 passed through the House last month, and went to the Senate on October 6th. The Senate could take it up as soon as November 16.

HR 2929 prescribes that what our industry needs is for every tracking cookie--be it a session cookie that expires with the closing of a user's browser, or a persistent cookie that is served by a third party and aggregated by publishers--to be served only with the same kind of notice usually reserved for other kinds of tracking applications. Do you want to see an opt-in screen every time you visit a site that has new third-party cookies being served? If HR 2929 passes, you will.

HR 2929 provides that all online profiling undertaken by third parties must become completely permission-based. So, every time a third-party cookie is going to hit your hard drive, disclosure of this execution and its intent will need to take place the same way it already has to when adware companies deposit their non-cookie technologies, no matter what your browser setting.

Suddenly, there will be even less difference between adware companies and behavioral companies than there is today. But, more to my point, this Bill means no more rich media, no more third-party behavioral targeting, no more ad networks like 24/7 Real Media, DoubleClick, Tribal Fusion... without a new opt-in every time the user encounters the third party serving the cookie. Although it's clearly a hot business, third-party behavioral targeting is not a right. With the passage of HR 2929, it's truly going to become a completely permission-based enterprise.

Let's say that Congress does exempt all third-party ad-serving cookies eventually. That wouldn't solve the larger problems, since it would handcuff our industry into always using first-party cookies alone for ad targeting. Do we really want this Bill to limit the development of ever more sophisticated and productive technology, especially when the technology would be functionally the same from the consumer's perspective? If consent should be identical across the board--as this Bill seems to imply--and as long as collection policies and practices are equal across the board, than nothing else besides equal disclosure makes sense. That means equal disclosure for anyone who profiles users across sites, which could mean real pain for multiple interactive companies that depend on third-party cookies.

The intent of the collection and the disclosure of this intent is what needs to be made clear and immediate. HR 2929 is saying this for any entity that tracks across the Web, which will mean some consent-gathering changes for any interactive company that uses third-party cookies to track users across the Web.

So--why the Bill's focus on third-party cookies? It's as though Congress has become far more sophisticated about privacy, by demonstrating that they realize now that it doesn't necessarily have anything to do with PII, and so they're showing off--but missing the mark by demonstrating that they know nothing about how our business works.

The juice of the Spyware problem is in disclosure, and the rules are the same now as they were back in the initial online privacy battles three years ago: Clear notice, clear policies, no data sharing, no aggregation/merging with PII and non-PII, and adherence to best practices--no matter how the data is collected. This all starts with clear and concise disclosure up front, no matter how the data is gathered.

If this Bill is signed into law, it could create a sea change around disclosure for any company that uses a third-party cookie to collect user data. Ultimately, I guess that more disclosure is always good news for consumers. But anyone at the dozens of interactive companies that depend on third-party cookies has to be concerned about this Bill.