I went to Boston a few weeks ago week to present at the International Association of Privacy Professionals Academy (IAPP Academy). I was armed with data on how 500 advertisers leverage their cookie space across First-Party, Third-Party and Flash cookies.
The recent positioning papers on Behavioral Targeting from the FTC, "Self-Regulatory Principals for Online Behavioral Advertising," and IAB, "Self Regulatory Principals for Online Behavioral Advertising," started a firestorm of additional articles from Business Week, "Is Regulation Coming" to Clickz's, "A Strong Nudge from FTC may lead to Draconian Measures."
The issue here is that Behavioral Targeting has become a major part of the online advertising industry, and data is transferred from the Advertiser to a third-party Behavioral Targeting company for analysis and profiling. At that point in time, the data is anonymous but still becomes owned by the Behavioral Targeting Company where it can be resold as targets back to the originating company and other Advertisers.
There are two issues that are fueling the controversy:
1) Data Transfer
2) User Notification
The FTC is arguing that there is limited transparency and notice that the users are being tracked by the third-party. The data transfer is usually mentioned in a passive mode in the Advertisers’ privacy policy and it's up to the user to go to either the National Advertising Initiative (NAI) site or to the BT company site to opt-out of the tracking. The FTC would like to see a more active opt-in notification where the users have to take action to be included.
The Industry response has been for increased self regulation which would enable the users to easily get to their data so they can make an informed decision as to whether they stay in a program or chose to opt-out. These options are good for users as long as there is education to help them understand how they are being tracked, and how to take action to prevent this tracking if they feel compelled to do so.
The next big firestorm surrounds something that has been flying under the radar, but used at an accelerating rate, is Flash Cookies. They are not cookies, rather Local Shared Objects which closely resemble a traditional cookie in function. The problem arises because the Flash Cookie is not controlled by the browser, it’s controlled by the flash player and is significantly more difficult to view and delete. Two articles came out the day before my presentation. One from the Behavioral Targeting Insider, "Moving Flash Cookies into Direct Response BT" and the Daily Online Examiner "Hidden Cookies Privacy Landmines". The articles are from completely different ends of the spectrum. One encourages their use because they bypass browser security features, and the second alerts privacy professionals to the fact that they bypass browser security features.
The overriding factor is that users build relationships on the web by going to their favorite sites for products and information. When the user builds that relationship, who owns the data? Does the site (Advertiser/Publisher) or a third-party, engaged by the site to help drive deeper relationships, own the data?
An article written by Ben Edelman, "Towards a Bill of Rights for Online Advertisers," highlights the heart of the issue. Advertisers are the ones spending the money to fund the web, and deserve the rights to know where their ads are shown and use their data as they see fit.
It seems logical that the Advertisers should have the right to control and use their own data. I wouldn’t be surprised to find that Advertisers push for Advertiser cookies as an option for the future. There would be no controversy as to who owns the cookie and the data and where you need to go to opt-out.
– Greg Neal
I usually never read blog posts. But this is an exception, you have some awesome topics on here and some i found on http://www.rapidpig.com. Will visit daily and tell others for sure.
Posted by: Jenna | July 21, 2010 at 09:21 AM