For e-commerce counsel, the primary issue emerging is whether our jurisprudence can balance privacy interests against the advertisers' business interests, or whether such things are better left to those most vested in the issue.
This article delves into the relationship between the quality of the online experience and the extent to which personal information should be shared with commercially interested parties.
What Is Behavioral Targeting?
Much confusion has arisen as to what behavioral targeting is in the first place, and a definition of the practice may change, depending on who is doing the defining. In short, behavioral targeting refers to the ability of advertisers to tailor online advertisements to consumers based on online behavior. Marketers will examine consumer interest based on Web pages that consumers have visited, keywords typed into a search engine, shopping for online products and services, or a combination. This collected data is then sold to a commercial party that leverages the information to appropriately target its most commercially lucrative consumer base. For the most part, behavioral targeting tracks non-personally identifiable information among online users; in other words, no names, addresses or other personal information that would permit someone to identify the users are collected.
Modes and Methods
Behavioral targeting can take many shapes. It generally can be implemented through four different means:
Examples of popular behavioral-targeting providers include publisher-side vendors such as Yahoo!, Revenue Science and Tacoda; network providers such as Advertising.com; and Adware providers such as Claria and WhenU.
Behavioral targeting can be categorized into two approaches: passive and active information collection.
Passive behavioral targeting is done through applications that reside on a user's computer, such as tracking tags from a visited Web site or downloaded software. In both cases, the user's Web-browsing activity is recorded anonymously and the user is unaware that he or she is observed. In general, this type of tracking does not affect the user's online experience in any noticeable way.
Active behavioral targeting is done by recording a consumer's proactive interaction with a company's marketing efforts; in other words, it will display e-mails or advertisements on a client's Web site and then implement follow-up marketing programs to deepen the relationship.
To put it simply, passive targeting tracks a consumer's Web-surfing activity, whereas active targeting tracks what a consumer does when he or she interacts with a particular brand.
Behavioral targeting has been an exceptionally successful marketing solution in the last 10 years. According to eMarketer.com, online sales ads are expected to more than double to a whopping $44 billion in 2011 from $17 billion in 2006. The bottom line: Behavioral targeting is big business and isn't going to disappear.
Behavioral Targeting Under Scrutiny
The success of behavioral targeting has not gone unnoticed by privacy advocates and the Federal Trade Commission ('FTC'). Indeed, on Nov. 1 and 2, the FTC hosted a Town Hall meeting entitled 'E-havioral Advertising: Tracking, Targeting, and Technology.' (For comments from the meeting, see, http://search.ftc.gov/query.html?qt=behavioral+marketing&col=hsr&col=news&col=full.) The FTC meeting brought together the who's who of online business, from AOL, Yahoo!, Google, eBay and Facebook, to privacy advocates such as the Center for Digital Democracy, the Consumer Federation of America and the Center for Democracy and Technology.
Much of the fervor surrounding the FTC meeting is the result of increased activity in the field of behavioral targeting, with frenzied mergers and acquisitions and private-equity investments, like the $100 million cash infusion into Specific Media. As a result, privacy advocates have called on the FTC to institute a Do Not Track List, akin to the Do Not Call List for telephone marketers. According to Advertising Age: 'Privacy advocates say current standards for collecting such data ... don't do enough to safeguard consumers against the potential pitfalls of data collection, and that most consumers don't understand how such data is being used.' Advertising Age, Oct. 30, 2007 (available online at http://commercialfreechildhood.org/news/privacygroups.htm). This proposed Do Not Track List would not block ads, but would prevent companies from tracking users' Web behavior. It would also require advertisers to submit a list to the FTC of Web sites that track consumer behavior.
As a result of this media frenzy and the FTC's meeting, some online companies have jumped the gun in announcing that they cater to consumers concerned with the privacy of their online experience. AOL recently announced that it would let users opt out of online advertisements that are presented based on behavioral-targeting data. This opt-out advertising program would deliver millions of public-service announcements to AOL-owned and AOL-operated, and third-party, networks, which apparently amounts to 91% of the U.S. online audience (see, 'AOL Sets Targeted Advertising Opt-Out', http://www.eweek.com/article2/0,1759,2210342,00.asp).
Growing Privacy Concerns
The concern for privacy is real, but the solution or solutions that might quell people's qualms remain elusive. The current concern is, in fact, merely a new twist on a nearly 10-year-old debate. The tracking of consumer behavior dates back to the mid-1990s. In its simplest form, an online store could recognize and remember users from previous visits on its site. By recognizing the consumer, the online store could offer special bargains and a streamlined checkout procedure with a user name and password. This activity eventually expanded to include newsletters based on customer preferences and special bargains specifically tailored to a single user. The Web was increasingly narrowing the online experience to make it unique and tailored to each individual consumer.
The concerns for privacy began to emerge in the late 1990s when DoubleClick Inc., one of the largest Internet advertisers, acquired Abacus Direct Inc., an offline direct marketer. With this acquisition, DoubleClick was leveraging its online information with information relating to consumers' offline habits. Prior to the merger, DoubleClick's activity had largely gone on under the radar because most of the information collected could not be matched to a particular individual, and most consumers were unaware of being tracked online in the first place. With the merger, however, much public attention focused on online advertising because DoubleClick could now combine online with offline information, and in that way gain access to personal information on consumers. With pressure from consumer groups and the FTC, DoubleClick eventually relented on its plan to combine the two.
That same year, however, the bankruptcy of Toysmart.com helped to exacerbate rapidly increasing concerns over consumer privacy. Prior to its bankruptcy filing, Toysmart had been apparently assembling a vast database that included information about its consumers. Toysmart sold the information to one of its creditors, despite a privacy policy that barred such a sale. The FTC sued Toysmart to prevent the distribution of this sensitive information. Although the case was eventually settled, it didn't help to quiet the clamor among the public over privacy matters.
As a result of this, the FTC decided to take matters into its own hands by hosting joint workshops with the U.S. Department of Commerce and inviting the largest online marketers to address these growing concerns. The FTC published its findings in two 1998 privacy reports circulated to Congress (Federal Trade Commission, Privacy Online: A Report to Congress Part 1 (June 1998) available at www.ftc.gov/reports/privacy3/priv-23a.pdf; and Federal Trade Commission, Privacy Online: A Report to Congress Part 2 Recommendations (July 2000), available at www.ftc.gov/os/2000/07/onlineprofiling.pdf). The conclusion these reports presented was that the industry should try to self-regulate prior to Congress stepping in and imposing regulation. The report did, however, outline the 'five core principles of privacy protection' that are also termed 'fair information practices.' These five core principles are:
On the issue of notice requirement, the report calls it 'the most fundamental principle. Consumers should be given notice of an entity's information practices before any personal information is collected from them. Without notice, a consumer cannot make [an] informed decision as to whether and to what extent to disclose personal information.'
Advertisers responded by forming a trade group called the Network Advertisers Initiative, with the mandate of monitoring the industry's privacy-reform efforts. This attempt at industry self-regulation has been largely viewed as insufficient in protecting consumer privacy.
What Is Online Privacy?
The biggest problem in regulating privacy online is that there is no standard definition of what constitutes privacy. Nobody knows, nor can a modicum of observers agree on, how to define, much less regulate, online privacy. A vast array of definitions exists, each reflecting a subjective viewpoint. At one end of the spectrum are individuals claiming that privacy is an inalienable right that should be granted to all citizens. At the other end of the spectrum is a Big Brother approach, in which the opinion is held that individuals want privacy only when they have something to hide. Definitions of privacy reflect a community standard that, in our jurisprudence, is inherently problematic. Indeed, parts of the Communications Decency Act were successfully challenged because they contained language purporting to regulate obscenity on the Web and, therefore, ran afoul of our constitutional rights to free expression. A community standard on privacy could face the same challenges.
Some attempts at resolving the privacy conundrum are worth noting. Professor Lawrence Lessig of Stanford Law School, for example, has suggested that privacy should be a property right and that each individual should have the option of using technology to personally calibrate the extent of private information given away. Because it is a property right, the right to control the release of such information resides within each user. University of Michigan Law School Professor Jessica Litman, on the other hand, has proposed a tort-based approach that would permit redress in instances where a consumer's expectations with regards to his or her private information are violated by a particular brand. This approach is similar to legislation that creates a cause of action in the case of sensitive medical or financial information.
Perhaps most notable is how the European Union ('EU') has handled privacy issues. In the mid-1990s, the EU enacted the Directive on the Privacy of Personal Data (Directive 95/46/EC). The Directive establishes privacy as a fundamental human right and provides that each EU citizen is to have 'information self-determination.' It limits collection of personal information to the purposes for which it was gathered and imposes a rigorous notice requirement for information collection. The Directive also provides that each EU citizen is to have access to the information so that he or she can correct any errors. It also requires appropriate security to prevent inappropriate dissemination of information.
Although the Directive is a great standard for the EU, it would likely face multiple constitutional challenges in the United States. Indeed, the Directive's limitations on the dissemination of personal information would likely run afoul of our First Amendment right to freedom of information. The Directive could similarly be challenged under the takings clause of the Fifth Amendment: a regulation preventing profilers from using their data might be considered a government taking without due compensation.
The Lessons Of Spyware
Although behavioral targeting is largely unregulated, it is worth mentioning that spyware has received much greater legislative attention. Proponents of behavioral targeting will adamantly distinguish spyware from their services, but the distinction is not always so evident to outsiders. In fact, spyware and adware are often interchangeably mentioned as dreaded interruptions in a user's enjoyment of the Web. Both involve computer programs that are installed (or install themselves) on a computer to perform or track a user's activities, but only one (i.e., spyware) is malevolent in nature.
There is no federal legislation on the issue, but several states have enacted laws addressing spyware. In 2004, Utah enacted the Spyware Control Act, and in 2005, California followed suit with the Consumer Protection Against Computer Spyware Act. The important point to note is that the definition of spyware could potentially be read to include adware practices that lack the consent of the user; in other words, spyware legislation could criminalize some behavioral-targeting practices involving adware programs that lack user consent. A similar federal Antispyware Bill was introduced to Congress this year, and referred to a judiciary committee. If the bill is passed by Congress, it will bring a new meaning to notice requirements for adware programs.
Conclusion
Privacy advocates are often dismissed as advocates merely looking for a cause. They are, however, crucial to the development of the online ecosystem and individual privacy rights. The online-advertisement community is a billion-dollar business that is expected to triple within the next five years. Against this massive industry, users must balance a desire to protect the dissemination of personal information online with the ability to enjoy many sites free of charge. Somewhere in the middle lies the future of the online experience.