Comment: Empower your Consumer to Earn their Trust

‘Cookie laws’, such as the EU's ePrivacy Directive, require a website that is tracking visitors to provide notice and obtain consent before that tracking can take place

The online advertising industry is exploding in technological complexity and economic growth. The Interactive Advertising Bureau (IAB) estimates the industry grew at approximately 15% last year and that by 2015, it will be worth an estimated $500 billion. It is an economic powerhouse.

The internet has evolved into a free-content model and is dependent upon advertising revenue to pay the bills. Online advertising is based on serving relevant adverts to the right user at the right moment, and it achieves this through the use of, among other things, cookie technology. However, the evolution of cookie technology has been blamed for causing tension between consumers and website owners.

To address this tension, policy-makers in the US, UK, EU, and Canada have imposed different flavors of regulation on the online advertising industry, or self-regulatory programs have arisen in lieu of legislation. The common theme running through all of them is the empowerment of consumers: giving them notice of tracking and the ability to control it.

In the US, the online advertising industry, in lieu of prescriptive legislation, was given the opportunity to create a self-governing code of conduct. The industry responded, through the Digital Advertising Alliance (DAA), and created the Self-Regulatory Program for Online Behavioral Advertising (OBA) – a first-of-its-kind comprehensive Self-Regulatory Program for the advertising industry.

At its highest level, the program calls for companies that engage in OBA – using cookies and other technologies to track consumers and serve relevant adverts – to adhere to the seven principles of the program. A company that does not adhere to the DAA Principles can be held accountable through the accountability program administered by the Council of Better Business Bureaus (CBBB).

The original DAA Principles apply only to the desktop web environment, not to the mobile space. Separate Mobile Principles, released in July 2013, extend the existing DAA Principles into the mobile space and impose new obligations and requirements on first parties, such as application owners, and on third parties, including ad networks.

As under the existing DAA Principles, the Mobile Principles require that consumers be given notice and control. The challenge in the mobile space, however, is that tracking at the application level is not done through cookies but through device identification. Each smart device exposes an identifier that an app (typically through an embedded advertising SDK) can read and transmit to an ad network together with the identity of the app in use. Keyed on that identifier, advertisers can build an accurate profile of the user and serve relevant adverts within the app itself.

To date, there have been 19 publicized enforcement actions by the CBBB for non-compliance with the DAA Principles. Yet, many privacy advocates feel the DAA Self-Regulatory Program has not been successful enough and are calling for robust legislation in the form of Do-Not-Track (DNT). Although Sen Jay Rockefeller (D-WV) recently proposed the Do-Not-Track Online Act of 2013, it is unclear whether there is the political appetite to pass DNT.

Federal Trade Commission (FTC) Commissioner Maureen Ohlhausen, in a speech at the DAA’s First Annual Summit on June 5, 2013, stated that she did not favor more baseline privacy legislation at this time. She was concerned that DNT might have a chilling effect on competition and innovation in the industry, upsetting the very model upon which the internet is based and potentially driving out of business many small business owners who rely on advertising. It should be noted, however, that the Chairwoman of the FTC, Edith Ramirez, has called for DNT to be implemented, and has encouraged the online advertising industry to come to a consensus on technical and compliance standards for DNT.

Industry adherence to the US Self-Regulatory Program is estimated by the DAA to be over 90%. Because the program has appeared to work so well in the US, the template has been adopted in the EU under the European Interactive Digital Advertising Alliance (EDAA). This should not be confused with what is known in the EU as the ‘cookie laws’ or ePrivacy Directive, which require a website that is tracking (or enabling others to track) visitors to provide notice and obtain consent before that tracking can take place. Although the EDAA Self-Regulatory Programme is in its infancy, over 100 companies that engage in OBA in the EU have already signed up and publicly stated their adherence to the EDAA Principles. The EDAA model – notice of tracking combined with an opt-out, treated as implied consent – is quickly becoming the de facto standard throughout the EU.

Companies that participate in the Self-Regulatory Programs are discovering that being transparent with their customers and giving them control makes good business sense. Given the growth of the online advertising industry, it certainly appears that consumers are voting with their wallets, saying that as long as they are given accurate information about data collection and uses, and are given the ability to control those practices, they are more than willing to do business with the website.

With heterogeneous online and mobile properties, it can be difficult to ensure that a company properly informs consumers about the data being collected and what it is used for, or even that what is stated in a privacy or security policy actually reflects reality. Unfortunately, there is no one-stop solution. The most effective approach to compliance is also the best business approach: be transparent with the customer by giving honest and thoughtful disclosure of what you are doing, and give them the ability to control your information collection and use practices. Empower your customer and you will earn their trust.

Privacy regulations may differ, but there is always a commonality to them all: transparency and control. If you do nothing else, adhere to these two principles and you will be well on your way to complying with most of the major privacy initiatives.

But this advice is easier said than done. There is endless commentary on what it means to be transparent to the consumer. And with the advent of mobile, for example, the transparency obligations are more difficult. The private sector is only now bringing to market privacy tools that empower consumers to exercise their privacy preferences in the mobile ecosystem. Nevertheless, the industry is still young, so there will be further innovation in this area. These are exciting times.


Patrick Nielsen is the director of security at Evidon. His main role is to develop software that secures online business data and brings transparency to online advertising. Prior to this, Nielsen was department head and global spokesperson at Kaspersky Lab, where he specialized in application security, cryptology, Public Key Infrastructure (PKI) and social engineering. His application security and cryptography research has been featured in the curricula of several major universities, as well as in EU information security policy.
