Posted by K.C. Halm, Ronald London, Razeeb Hossain, and Anne ShelbyIn early November the FTC held a series of roundtables and panels to discuss emerging issues in behavioral advertising. The FTC has posted transcripts, videos, the workshop agenda and a list of all participants on its website, found here.Common discussion themes throughout the two-day workshop included the contradiction between consumers' failure to protect their personal information despite their stated concern with privacy; the perceived need for greater transparency in privacy policies, especially with respect to providing more detailed descriptions of data use; the disagreement between the infor-mation industry and consumer groups as to the efficacy of private sector self-regulation; debate over the best methods to inform consumers of their privacy choices; and concern over the coming use of developing technologies for data collection, use and disclosure. A detailed discussion of the sessions follows below. Session 2: Behavioral Advertising Today: Understanding the Business and TechnologyAfter a brief introductory “Overview of Behavioral Advertising” that served as Session 1, Dave Morgan of TACODA, Inc. argued that behavioral advertising represents the onset of a period of advertising where consumers receive ads intended to be more “relevant” to their interests and needs. In other words, consumers receive fewer, but better tailored contacts, because advertisers can offer focused, well-targeted ads. He suggested that innovations in behavioral advertising protect privacy by providing more tools and greater privacy choices, and noted that because consumers have greater privacy controls they are driving the market for online service and retailers engaged in behavioral advertising must heed these consumer preferences. Michael Walrath, of Yahoo!, discussed the benefits of behavioral advertising, suggesting that behavioral advertising does nothing more than allow Yahoo to know their customers – a common objective of all marketing activity. Google’s Tim Armstrong asserted that the behavioral advertising business model revolves around the establishment of consumer trust. Retailers can not employ these advertising tools if the customers do not trust the retailer’s business practices. He argued that, because this is a very competitive business environment, there is a significant amount of consumer choice, and consumers can walk away from the advertising at any time (simply by discontinuing use of certain services).   An advertising firm operating in Europe, Net Mining, discussed its practices operating within the EU’s current privacy directives and how they differ from most US-based companies’ approaches. The impact of the EU directives on the behavioral advertising business model include limitations on cookie profiling of online visitors (must be anonymous), limits on site specific score-based advertising (again, must be anonymous), and ensuring that behavior driven interactions are appropriately scrubbed to ensure anonymity.Pam Horan, of the Online Publishers Association, argued that behavioral advertising enhances user experience by offering targeted advertising that the user values more than ads not relevant to the user’s interests. She suggested there is a “value exchange” between advertisers and consumers because these practices provide revenue sources for the online publishers, thereby making available the content and services offered through web sites provided by online publishers. Ralph Terkowitz, a General Partner at ABS Capital Partners, asserted that economic incentives for behavioral advertising are different from traditional marketing because the means of delivery of such ads (over the Internet) has dramatically reduced, if not eliminated, the costs of delivering the ads. Finally, to conclude this session, Oregon State University’s Carlos Jensen offered evidence that the use of online tracking tools, including web bugs and cookies, is increasing dramatically in the U.S., but actually decreasing in Europe. Although the implications of these findings were not clear, Jensen seemed to suggest that online commerce in Europe continues to develop at the same pace as commerce in the U.S., and that use of behavioral advertising techniques is therefore not essential to continued development of innovative and commercially valuable applications and content.Session 3: Consumer Survey DataIn this session, George Milne, an Associate Professor of Marketing at the University of Massachusetts-Amherst, reported on a survey of consumers, marketing managers and direct marketers who were asked whether they wanted to allow information gathering technologies to gather information, and if so, whether they preferred opt-in procedures, opt-out procedures, or no permission tools at all. The survey revealed that most consumers want to control the technologies used by marketers (45% did not want to allow use of the technologies and nearly 35% wanted an opt-in framework). Consumers expressed greater concerns with new technologies than those that were more familiar. Generally speaking, consumers did not want to allow information gathering technologies while marketing managers preferred the opt-in option, and direct marketers preferred the opt-out option. Larry Ponemon then reported that 8% of the population is “privacy-centric,” meaning they care deeply about privacy, 72% are “privacy-sensitive,” meaning that they care about privacy but not to the extent that it changes their behavior, and 20% (generally younger people) are “privacy complacent,” meaning they do not care about the sharing or selling of their private information. Consumers associate negative connotations with the word “cookie,” especially in a privacy policy, although the greater the consumer’s knowledge of cookies, the less negative the perception and the more likely a consumer is to opt-in. Mr. Ponemon summarized that (1) consumers want to have more control over their personal information, although an online ad that targets their preferences improves their online experience; (2) consumers do not want to pay for “free” Internet content or services; and (3) cookie deletion is declining, which may mean that consumers are more complacent.Session 4: Data Collection, Use and ProtectionThis session allowed company representatives to express concerns about consumer privacy and to discuss how their firms build privacy protections into their respective architectures. They described ongoing internal reviews of their systems that are performed to maximize consumer privacy protections. A representative of the U.S. Public Interest Research Group said that, nevertheless, serious problems persist for consumers when they go online, and added that consumers reveal much more information about themselves online than they realize, and much more than they would in the real world. Consumers need to realize that every bit of information gathered about them has value. They should know what information is collected and what happens to that data. A representative from the Office of Privacy Commissioner in Canada noted that unlike the U.S. in the E.U. and Canada the government supervises the collection and use of data. Panelists noted that while it is more trouble to anonymize data, it certainly can be done. The increasing ability to collect personal information in real-time makes consumer control of data even more important. In response to audience questions, the panelists emphasized the need for transparency, stating that the information collection industry needs to be clearer with people about what companies are doing with their data.Session 5: Roundtable Discussion of Data Collection, Use and ProtectionDuring the roundtable, a variety of companies and other entities defended their information practices while others pointed out weaknesses in overall practices, emphasizing a common consumer view that companies fail to provide clarity (a.k.a. “transparency”) with respect to information practices.Participants shared concerns about teens’ social networking. Observers assert that teens do not know that everything they say or do on social networking sites is available to marketers. Panelists felt that rules are needed on access to teens’ information and privacy disclosures to kids, and that teens do not understand behavioral targeting. Facebook noted that information is not being sold but this does not mean the information is not being collected. Panelists opined that people below age 25, especially those below age 18, believe anonymity is a substitute for privacy.  Many panelists believed teens do not even think of privacy when they are on Facebook. (Since then, the flap over Facebook’s privacy practices and its Beacon program shows that that many young people are in fact concerned with privacy.) Some participants believe that no one reads privacy notices, so to say that a site has a good, clear privacy policy is meaningless. Many felt that a better way to educate consumers needs to be developed.The session also revealed that, among companies and consumers, considerable difference of opinion exists as to who owns personally identifiable information (“PII”). Some stated that a major issue – if not the major issue – is data security, pointing to concerns about misuse of data when it falls into the wrong hands.Session 6: Disclosures to ConsumersThis session focused on privacy policies and similar statements of companies’ online practices concerning user data. The session also addressed the generation of targeted advertising and the efficacy of such industry efforts. Lorrie Faith Cranor, an Associate Research Professor at Carnegie Mellon, began the session with a short presentation exploring the disconnect between consumers’ statements that protecting their privacy online and in related contexts is important notwithstanding their lack of effort to avail themselves of available tools to safeguard their privacy. Ms. Cranor offered two main explanations for this contradiction: first, that some consumers do not appreciate the impact of some of their online behavior on their privacy, and second, the direct and indirect costs of taking privacy-protecting steps are too high. She also cited studies that show that privacy policies tend to be too difficult to understand, in part because they require college-level reading skill, and in part because they contain too much “legalese.” Research indicates that consumers dislike even well-written privacy policies which can have little utility due to consumers’ low comprehension.   Research indicated that consumers tend to place greater trust in longer written policies based on their often-misplaced belief that those policies are more privacy-protective.The session also included open panel and question-and-answer discussions that focused heavily on policy rather than regulatory concerns. The conversation examined practices and still-developing plans of specific major online entities represented on the panel. Panelists agreed that consumers place a premium on companies’ transparency practices and the degree of consumer data control. There appeared to be substantial support for a model wherein the more intensive the use of a consumer’s PII, the more frequently consumers should receive a concomitant opportunity to opt out, presented in an obtrusive manner. Examples included reminder pop-ups associated with the Google toolbar, and eBay’s recently launched initiative to “tag” ads, provide pop-up with its ad policy, and continuously provide links such as “why am I receiving this” with the ads.Extended discussion ensued regarding methods to get consumers to read and appreciate posted privacy policies, though there was also a recognition that there is only so much companies can do to “force” consumers to take an interest and act on it. Moreover, there was debate about what the right metric should be for a privacy policy’s efficacy, i.e., whether users actually take the time to read it, or whether specific information is available when a consumer wants to find it.Some panelists suggested that some common privacy messages are not useful for consumers, including the phrase that a website “shares your information with certain trusted third parties.” This statement tells consumers nothing about who is receiving their information, what they are using it for, whether it is being combined with other information and the origin thereof, or what the third parties have done to be deemed “trusted.” As an overarching matter, however, most agreed there must be a way for consumers to identify and track their “digital identity” across multiple online (and offline) environments. The panel discussed the prospects that government regulation of privacy standards and notices might be worth examining. A number of panelists agreed that the market is leading to development of private self-regulatory initiatives.Regarding specific practices, panelists agreed that reaching a consensus on symbols and messages across websites would help increase transparency (e.g., having an icon attached to ads that stands for “ad” and associating the ad with a pop-up or pop-under with information about how the ad relates to the PII collected). Conversely, consumer advocates suggested more robust links with messages like “click here to learn more about how your personal information is used by this website” rather than, for example, simply “privacy policy” or “learn more.” Industry panelists were lukewarm to the idea. They stressed that online, “every pixel counts,” whether it is maximizing revenue, communicating information, or just presenting white space to enhance the readability and overall impact of a site. Session 8: The Regulatory and Self-Regulatory LandscapeThis session demonstrated that companies believe the industry as a whole is doing an excellent job protecting consumer privacy, and that many believe the Network Advertising Initiative (“NAI”) plays a useful, if voluntary, role in creating best practices for the industry. Consumer groups, on the other hand, believe the NAI and its opt-out cookie are not working, that technology has passed-by the NAI, and that the industry is not effectively self-regulating. Advocacy groups describe consumers as generally unsophisticated and in need of education on the ways companies track and target them.    Panelists discussed the do-not-track model as an alternative to the current practice of notice and choice, but some companies thought it might be technologically challenging to implement. Consumer groups liked the idea of having one place a consumer can visit to avoid being tracked, although as proposed, some thought it put too great a burden on the consumer. Until the very end, when one speaker said that consumers need enforceable rights, there was really no suggestion that the government needed to step in to create a more consumer-friendly environment beyond the current industry self-regulation, even if that self-regulation may be less than perfect.Session 9: Roundtable on the Future of Behavioral AdvertisingThe final session centered on the tracking and profiling of consumers: how they are tracked, who is tracking them, and what the business and legal consequences could be.Katherine Albrecht, Director of CASPIAN, spoke about the future of Radio Frequency Identification (“RFID”) tags. RFIDs are likely to increase in both number and sophistication. She posited that soon a company may be able to identify all of the items inside of a purse, when and where each item was purchased, and who owns the purse – all through RFID tags. This level of tracking may have negative implications for consumers, many of whom do not know what RFID tags are. One possible negative consequence is price discrimination against consumers whose purchasing behavior makes them less profitable than others.Jules Polonetsky, Chief Privacy Officer from AOL, spoke about the future of cookies as identifiers of consumer behavior. He said that while cookies are useful for advertising, they are not as useful for data collection or tracking. Many cookies are blocked by anti-spyware programs, and others are removed by people who are proficient with browser controls. Mobile devices, where many people think the future of behavioral advertising lies, do not yet have cookies, in part because the devices are not “granular” enough, but likely will support cookies in the near future. This means that, for now, it is not easy to pinpoint a mobile’s location within a small area beyond using the location-tracking abilities (for enhanced 911 purposes) that the devices already feature.Alissa Cooper of the Center for Democracy and Technology noted that ISPs are in a commanding position to gather, use and market data reflecting online behavior but doing so will create a complicated set of issues. Another panelist said that while consent and notice issues between consumers and websites are complex, issues between consumers and ISPs are even more complex. This is because unlike ad networks, ISPs’ documenting and analyzing of data that flows through their systems may violate wiretap laws. Panelists noted that content-based wiretapping laws may apply when ISPs monitor e-mail, but this may not be the case when the ISPs collect internet protocol (“IP”) addresses. Some presenters argued that end users are often sophisticated, and prefer to choose their level of privacy protection. For example, in social networking sites such as Facebook, users can choose to provide information about themselves to anyone on the site, or they can choose to restrict the information to only those users they permit to see it.