Privacy concerns pose an increasing threat to ubiquitous online tracking practices that underpin many commercial successes on the web. As a matter of course, many online actors record website visitors' Internet Protocol (IP) addresses, which are strings of numbers identifying a device connected to the Internet. Data generated by cookies, web beacons and other tracking and identification tools also are commonly collected. Sites featuring a search engine regularly link search terms with the IP address of the search engine user. This "web usage information" is useful in managing and improving web-based services, but its greatest commercial value is in advertising. Using IP addresses, cookie identification numbers and other data, information drawn from across the web can be correlated, forming a profile of a user's online behavior that reveals interests, rough geographical location and online habits - all of which can help place ads where they are more likely to return "clicks" and ultimately, sales. Web usage information is critical to the online advertising market, worth approximately $20 billion annually.
Until recently, few have questioned the standard assertion that web usage information raises minimal privacy concerns, as such data alone do not identify an individual person. Indeed, polls suggest that the public is generally unaware of the scale of online tracking and the growing use of "behavioral targeting" in placing online ads. But tracking and targeting are now driving a variety of regulatory responses in the United States and abroad, which could expand as the public learns it is being watched.
FTC Principles For Behavioral Advertising
The staff of the Federal Trade Commission's (FTC) Bureau of Consumer Protection recently proposed a set of voluntary online behavioral advertising privacy principles (Advertising Principles). Released simultaneously with the FTC's approval of Google Inc.'s $3.1 billion acquisition of DoubleClick, Inc., the Advertising Principles were perhaps a concession to some members of Congress who requested scrutiny of the deal's privacy implications. Combining the databases of the Internet's largest search company and the Internet's largest ad placement firm purportedly could yield more detailed user profiles. Such profiles might identify unique individuals, support behavioral targeting or pose risks if disclosed under government compulsion or via a security breach. Privacy advocates emphasized that web usage information currently goes largely unregulated.
FTC staff define "behavioral advertising" broadly as "tracking a consumer's activities online, including the searches the consumer has conducted, the web pages visited, and the content viewed in order to deliver advertising targeted to the individual consumer's interests." In sum, the Advertising Principles encourage online actors to:
• Provide prominent, consumer-friendly notice that web usage information is collected for advertising purposes;
• Offer consumers an easy-to-use mechanism for "opting out" from such collection; and
• Provide reasonable security for web usage information, retaining it only as long as a legitimate need exists.
The FTC is currently accepting comments on the Advertising Principles. For the online advertising community, proactively adopting the Advertising Principles (or similar practices) may be preferable to awaiting backlash regulations in the wake of a future incident. Also, competition on privacy protection could arise - the AOL division of Time Warner Inc. has announced that it will allow people to remove themselves from its tracking databases.
On the other hand, companies should carefully consider potential commitments to limit web usage information, as such action could easily result in government oversight in an otherwise unregulated area. Committing to the Advertising Principles in a privacy policy or other public statement, while initially voluntary, triggers FTC enforcement jurisdiction, notwithstanding the agency's expressed intent that its proposal encourage "self-regulation." The agency is authorized to punish violations of a privacy promise as "unfair and deceptive trade practices." Additionally, if a privacy policy makes promises concerning web usage information, a company may need to obtain the express consent of "affected consumers" before processing such information in a manner "materially different" from that stated in the privacy policy. Obtaining such consent may be a practical impossibility. So, making ill-considered privacy promises could make it difficult to adapt to rapid changes in the online advertising market.
IP Addresses May Be "Personal Information" In The EU
Although the FTC and Congress have concerns about web usage information, the greatest threats to standard Internet practices currently come from the European Union. In nonbinding but influential statements, EU privacy regulators have long sought to impose relatively onerous European privacy standards on online actors, even those based outside the European Union. For example:
• EU data protection authorities (DPAs) claim jurisdiction over U.S. companies that place cookies on EU individuals' hard drives, arguing that these companies are using "equipment" located in the EU.
• At a January 21, 2008 European Parliament hearing, DPAs reiterated their view that IP addresses are "personal information" under EU law when persons associated with an IP address are merely reasonably "identifiable."
In either case, an online actor conforming to standard Internet practices may lack an individual's name, contact information or other data normally considered "personal information." Indeed, DPAs admit that web usage information itself may not identify unique individuals. Nonetheless, under these interpretations of EU law, the actor might have to register its databases with EU authorities, obtain individuals' express consent before collecting data, sharply limit data retention periods, cut off data transfers to the United States and more.
Like the FTC's Advertising Principles, heightened EU interest in web usage information seems linked to Google's dominance. The Google-DoubleClick deal is awaiting EU approval at the time of writing. Like their FTC counterparts, EU competition authorities have been encouraged to consider privacy as well as competitive impacts. More generally, DPAs continue to hound Google concerning storage of IP addresses and search records, use of cookies to identify users and behavioral profiling. Google agreed in 2007 to "anonymize" its search records after a period of 18-24 months, but EU regulators were not satisfied. Their public letters to Google demand "data minimization," meaning that search engines must retain no data linking a search term to a search engine user absent the explicit, informed consent of the user. Implementing such a standard generally across the Internet could hobble the online advertising community, whose comparative advantage is using web usage data to direct advertisements to the most receptive individuals (thereby underwriting all kinds of free online services).
Where Is The Harm?
Massive amounts of web usage information continue to be collected and used to place online ads. But so far, it is difficult to find a case of significant privacy harm. The FTC admits that some web usage information "may not be traceable to any individual consumer or computer, and therefore may do little harm." Indeed, the EU has not officially adopted the DPAs' interpretations. Internet users currently seem to appreciate ad-supported free services more than they dislike online tracking. Further, it may be possible to facilitate the commercial potential of profiling while inhibiting web usage data from identifying unique persons. Now may be the time for website operators and the greater online advertising community to agree on industry best practices - perhaps the FTC's Advertising Principles - in order to deflect heavier regulation later.
Published March 1, 2008.