Searching For a Behavioral Targeting Regulation

How do they know that I love Space Invaders?

Xurxo Martínez

ABSTRACT
Behavioral targeting allows advertisers to know what the web user is interested in,
but also raises privacy concerns. Advertising industry tries to avoid Federal regulation.
Searching For a Behavioral Targeting Regulation Xurxo Martínez

Table of Contents
INTRODUCTION.................................................................................................................. 3
Definitions.................................................................................................................................. 4
Groups looking for a regulation.......................................................................................... 6
Energy Subcommittee on Communications, Technology, and the Internet................6
FTC........................................................................................................................................... 6
Advertising Industry............................................................................................................. 7
Privacy Advocates................................................................................................................. 8
Other key players..................................................................................................................... 9
NOTORIOUS CASES......................................................................................................... 10
Gmail.......................................................................................................................................... 10
Google Buzz.............................................................................................................................. 10
Facebook Beacon................................................................................................................... 11
Facebook Connect.................................................................................................................. 11
Web Coupons........................................................................................................................... 12
PRIVACY AS SOURCE OF CONCERN............................................................................ 13
LIKELY REGULATORY OUTCOMES.............................................................................14
CONCLUSSIONS................................................................................................................ 16

COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010
Searching For a Behavioral Targeting Regulation Xurxo Martínez

INTRODUCTION
Behavioral Targeting—BT—is the most sophisticated system the
Advertising industry has come up with in order to track the activity of
web users, and be able to deliver personalized advertising to those.

The main tools for that purpose—cookies—are not new. But now the
advertisers can use the information from these cookies to build—
supposedly anonymous—profiles of the users, a kind of information very
valuable for advertisers. That new techniques have enabled a whole
market of third parties and middlemen who even get to match that
information with physical databases in order to have a complete picture
of the potential customer.

The quest for the user data is so aggressive, and little known for the
mainstream user, that has arisen questions about its legality and created a
growing feeling of insecurity among many individuals. Those concerns
were expressed first by privacy advocates, then the FTC, and lately users
through national surveys, and even the Congress. The privacy issues
related to popular services as Google or Facebook have made this a
public issue: one that is not quite well explained or understood.

With some delay, the main advertising associations are trying to avoid
Federal legislation through the introduction of a series of self-regulation
principles. Meanwhile, the chairman of the U.S. House Energy
Subcommittee on Communications, Technology, and the Internet, Rep.
Rick Boucher, has submitted a bill in line with the privacy advocacy
groups proposals, and even the FTC—who initially pushed for
advertisers’ auto-regulation—is considering a “Do not track” list in the
vein of the “Do not call” one.

In this paper I’ll also talk briefly about two issues related to BT: web
coupons, and what has been named Deep Packet Inspection.

COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010
Searching For a Behavioral Targeting Regulation Xurxo Martínez

MAIN PLAYERS AND KEY TERMS

Definitions
- Behavioral Targeting—BT—: Tracking of individual Internet users across
multiple websites. Tracking cookies are being used to collect information about
surfing behavior and to send targeted advertisements to the users. That information is
not supposed to be enough to identify the user as a physical person—does not include
name, email, credit card number…—

We can talk about first party behavioral targeting—or first party transactions—
when the web site the user is visiting is the one who tracks the activity in order to
offer a product or option inside the same site —i.e. Amazon, Netflix...

- Cookie: Is a text file stored in a user’s web browser. Basically it identifies a web
user in a single browsing session, storing information about the user’s activity. That
allows not only for the advertisers to know about her or his habits, but also permits to
create statistical informs, to personalize the web experience in a specific site, and
contributes to make some of the functionalities of many websites possible.

- Super-cookies: A new bread of cookie-like objects that are harder to locate and
delete and provide even more information about the activity of the user. The main
examples are Microsoft’s “User Data Persistence” and Adobe’s “Local Shared
Objects”, otherwise known as Flash cookies1. The latter are installed when the user
wants to see an online flash video or a flash ad is loaded. As the regular cookies, it’s
primary function is to help the user—i.e. remembering the preferred audio volume
settings—but can also be used to help the tracking of the user and make sure that
advertising-related cookies are installed in the computer.

- Beacon (aka web bugs): An object, embedded in a website or e-mail, that tracks
which user in which computer is visiting a specific web page or reading an email. In
web pages usually works in combination with cookies. Unlike cookies, is not stored in
the user’s computer. That means the user cannot remove it.

- Deep Packet Inspection—DPI—: A series of technologies that help Internet

Service Providers—ISPs— to identify and control the information packages that are
transmitted through their networks. Its primary use is to anonymous control of the
information traffic—i.e. Comcast use it to know is their customers are using Bit
Torrent and slow the download, without knowing who the actual user is—but
potentially can track the whole activity of the web user, and even sell the data from its
customer to a third party.

- Contextual advertising: A system that reads the text content displayed to the user
and offers related advertisements, usually in text form. The most popular service of
this kind is Google Ad words, present in both Google Search results and Gmail.

- Sensitive information or personally identifiable information: To the effects of

1
http://www.eff.org/issues/online-behavioral-tracking

COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010
Searching For a Behavioral Targeting Regulation Xurxo Martínez

BT and privacy, any piece of data that is likely to identify one web user: from the
name to an email address, a telephone, financial account number, or persistent online
identifiers as the Internet Protocol address (IP address). It applies also to data that can
reveal racial or ethnic origin, political opinions, sex, or religious beliefs.

- IP address: Numerical label, which identifies a computer or group of networked

computers that use the Internet Protocol to connect to the public Internet. Its function
is to identify the computer that is asking for a web site or document, and then to
provide the requested information. Depending on the ISP, the address can be static—
always the same—or dynamic—changes with each Internet session—.

- Browser: Application that allows any user to retrieve and present information
located in the World Wide Web. That information can be either a web page or a file—
audio, video, image, and pdf...—. In order to perform its tasks, the browser not only
gets information from web servers, but also sends information—mainly petitions—,
including the web identity—IP—from the user. Most browsers host cookies by
default, enabling the tracking of the user’s activity.

- Publisher: The owner of the web page, video, or document that the user accesses
through the browser. Usually this publisher will get money from the display of web
ads. Usually collects permission from the user to use their information for
advertisement purposes.

- Middlemen: It would include tracking companies, data brokers and advertising

networks. All of them would be included, with the advertisers and the publishers in
what the Boucher bill calls ‘Covered entities’. Those are defined as any person or
company—excluding government agencies—engaged in interstate (web) commerce
that collects data containing sensitive or personal information from more than 5,000
individuals.

- Profile: The package of data stored by a middlemen, publisher or advertiser about

an Internet user.

- Opt-in: the process through which a web user is offered the option to receive some
specific advertisement, or have his or her personal information shared with a third
party. That means that there won’t be any kind of advertisement delivering without a
previous consent.

- Opt-out: here the user has the option to stop receiving unsolicited advertisement. It
puts the burden on consumers to learn how the privacy polices work, how the data is
collected and shared, and decide if they are ok with that.

- The Guidelines: It refers to the “Self-Regulatory Principles For Online Behavioral

Advertising”, created by the advertisement industry after proposals by the FTC. In
those both first party BT and contextual advertisement are excluded2.

2
http://goo.gl/ta3g (National Law Review)

COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010
Searching For a Behavioral Targeting Regulation Xurxo Martínez

Groups looking for a regulation

Energy Subcommittee on Communications, Technology, and the Internet

The chairman of this U.S. House Subcommittee, Rep. Rick Boucher, and the also
member Rep. Cliff Stearns, presented last May a bill on privacy issues. Boucher is a
well-known advocate of consumers’ rights in the Internet and against intrusive
advertisement. He created the Digital Media Consumer's Rights Act (DMCRA)
legislation and co-authored the CAN-SPAM Act of 20033.

The main points the bill wants to regulate are:

 Privacy policy disclosures: the websites that collect sensitive data should make
it clear, as the use they will make of such information.
 Opt-in for sensitive data, and easy opt-out for any kind of data.
 Option for the users to modify their profiles and opt-out the sharing of their
data with third parties.
 Ensure the security and control of the data stored.
 The FTC as implementer and enforcer of the rules.

FTC
The Federal Trade Commission has as a principal mission to promote the “consumer
protection”. In the last years the agency has lobbied for the online advertisement
industry to self-regulate BT practices and respect the user’s expectancy of privacy.
FTC Chairman Jon Leibowitz has warned the industry that it is facing the “last clear
chance” to avoid specific governmental regulation4.

Right now the FTC is not only thinking about a “Do not track” list—similar to the “do
not call” for telemarketers—, but even to force each site to show a brief summary of
their privacy policy to each user during their first visit. This option would clearly
disclose each site policy, but also become extremely annoying for a new user, or even
one that has changed of ISP5.

Among their main concerns, we can talk about:

 Give more information—and in a transparent way—to the user, who should be
able to easily opt-out. In the ‘Guidelines, the FTC don’t choose between opt-in
and opt-out. They just say that those should “be clear, easy-to-use, and
accessible to consumers.”
 Obtain permission from the users when their information or profile is going to
be shared with a third party or it is going to be used in a way not reflected in
the original privacy policy.
 The use of sensitive data—related to heath, financial states—and what kind of
data do the advertisers collect from minors.
 Prohibit ISPs to collect personal data through DPI.

3
http://en.wikipedia.org/wiki/Rick_Boucher
4
http://goo.gl/4SSS (Privacy & Security Law Blog)
5
http://goo.gl/c45x (Ars Technica)

COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010
Searching For a Behavioral Targeting Regulation Xurxo Martínez

The FTC has focus their efforts in BT, considering that both contextual advertising
and first party behavioral targeting raise far less privacy issues.
Advertising Industry
This refers to a cross-industry coalition of web advertisers that try to complain with
some of the FTC requisites.

Members include the American Association of Advertisers Agency, the Association

of National Advertisers, the Interactive Advertising Bureau, the Direct Marketing
Association and the Council of Better Business Bureaus. This coalition has created a
series of guidelines named “Self-Regulatory Principles For Online Behavioral
Advertising”.

The intention of this set of principles is double:

 Avoid the option of a Federal regulation of BT. They fear a conservative
legislation, based on the principles of classic marketing, which would
discourage innovation and progress.
 Convince the users that their tactics do not violate their intimacy. And even
that BT is positive for them, as they will only receive relevant advertisement.
A study of ninety online marketers released in May 2010 by the Ponemon
Institute indicated that despite an acknowledged return on investment from
behavioral ads, hundreds of millions of dollars are being held back from
online behavioral ads due to privacy concerns6.

Among the measures the advertisers have already introduced or are willing to, we can
highlight these:
 Disclosure data collection and the kind of use that will be done on the
webpage where the ad is displayed—non on the web of a middlemen, as the
user would never know where to look for it—. Some advertisers are starting to
display a behavioral ad icon with a blue square with a lowercase "i" in a circle,
making clear that the ad has been selected through BT.
 Let consumers decide whether their data can be transferred or user by another
entity. Some advertisers are even willing to give the users access to their
profile, in order to modify it—and, so, get more accurate ads—, or to decide
what kind of data do they want the advertiser to know about. One example is
the Seattle-based middlemen BlueKai, through their registry7.

Even more, the advertisers have said that they are even willing to cooperate with the
FTC in order to enforce the observance of their rules. An article in Wire explained
that the Council of Better Business Bureau is seeking software to detect targeted ads
that lack these mechanisms, and report non-complying ad networks to the FTC8.

Privacy Advocates
A group of entities and privacy watchdogs have lobbied for a strong regulation of BT,
arguing that is an invasion of privacy, can be used to take advantage of vulnerable

6
http://goo.gl/spKg (Tech IT News)
7
http://tags.bluekai.com/registry
8
http://goo.gl/ezXw (Wired)

COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010
Searching For a Behavioral Targeting Regulation Xurxo Martínez

consumers, or even discriminate them, and that the profiles may be used for purposes
beyond commercial ones9.

Here we present their main proposals:

 Personal and behavioral data should be relevant to the purposes for which they
are to be used. Any change in the use of the data should include a new consent
from the user.
 No behavioral data should be collected or used from children and adolescents
under 18 to the extent that age can be inferred.
 Sensitive information should not be collected or used for behavioral tracking
or targeting. Sensitive information should be defined by the FTC and should
include data about health, finances, ethnicity, race, sexual orientation, personal
relationships and political activity.
 The FTC should establish a Behavioral Tracker Registry.
 Use of behavioral targeting for individual redlining activities should be illegal.
 Websites should only initially collect and use data from consumers for a 24-
hour period. After that they should ask the user for consent. Data collected on
users who gave consent must not be retained beyond a period of three months.

Among the members of the coalition we can highlight the Center for Digital
Democracy, the Consumer Federation of America, Electronic Frontier Foundation,
Privacy Lives, or the World Privacy Forum. In September 2009 the groups delivered a
legislative primer to the Congress.

9
http://www.democraticmedia.org/book/export/html/409

COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010
Searching For a Behavioral Targeting Regulation Xurxo Martínez

Other key players

Although the discussion is focused on advertisers, regulators, and consumer rights
advocates, the global issue is more complex, and a complete overview of the main
players should include also:

 The providers of content in the Internet—Publishers—, who many times are

not transparent about how the visitors of their sites are being tracked, usually
as a way of profiting from their personal information.

 The web browser vendors. The browsers allow the action of potentially
intrusive cookies. During the design of the Internet Explorer 8, the
development team created a product that prioritized user’s privacy over
commercial interests, considering that the default should be some private
browsing10. That means that if the user wanted to receive/install the cookies
she or he should give consent.

That would have turned the acceptance of cookies from a kind of Opt-out to an
Opt-in model. After some discussion, the final version of the popular
Microsoft browser didn’t make the swift and the users concerned with the use
of their data via cookies need to turn the security options on.

 The Media plays a big role in the public perception of privacy and the threats
of Behavioral Targeting. On one side the Media voices out practices that can
be unknown for many Internet users. On the other side they can create alert
over a number of practices.

A recent series of articles by the Wall Street Journal under the generic title of
What They Know11, have been highly controversial. In one of the infographics
they showed how some of the most popular U.S. websites give data about any
individual who visits their site to advertisers12. Some influential bloggers, like
Jeff Jarvis13, have argued that there’s nothing new about advertisers tracking
us, while tracking companies say that portraying cookies as some kind of
spying is misleading14.

 The ISPs. The companies that provide access to the Internet obviously also
have control over how their customers browse through the Net. ISPs are
waiting to see what happens with BT and the public privacy concerns before
starting to use the profiles they own to make business—through DPI—and
offer the “best potential clients” to both advertisers and Publishers.

10
http://goo.gl/cIyi (Wall Street Journal)
11
http://online.wsj.com/public/page/what-they-know-digital-privacy.html
12
http://blogs.wsj.com/wtk/
13
http://www.buzzmachine.com/2010/07/31/cookie-madness/
14
http://www.bluekai.com/president20100804.html

COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010
Searching For a Behavioral Targeting Regulation Xurxo Martínez

NOTORIOUS CASES
Now I will review some publicly notorious cases regarding Internet privacy, that
have raised concerns on the general public about the way the data they consider
private can be treated. I’ll also review what can be the next privacy big case: web
coupons and their match of online and offline information on the client.

Gmail
The free email service by Google was, in 200715, one of the very first places where
users could experiment Google Ad words, a contextual advertising service that
scanned the mails in order to find keywords and select automatically a series of text
advertisements. That means that if the text of the mails talks about someone named
Michael from Jordan who likes strawberry Jam, the ads will offer to buy the Space
Jam DVD.

While opening someone else’s letter or postcard is a Federal offense16, email

providers can read the content of electronic correspondence. As a private provider,
Google has set a series of terms and conditions regarding this issue, which should be
accepted by the user before starting to receive the service.

But even though users have accepted the terms and conditions, those still expect their
communications to be safe and private. Google has stated repeatedly that their work is
limited to scan for words that can help to display related advertisement, not literally
“reading” the content. And will not keep a log of which ads went to which users, nor
will it keep a record of keywords that appear often in an individual’s email17.

In the case of case of U.S. v. Warshak—one of the first ones regarding email
communications—the Sixth Circuit ruled that the user has a right to privacy that is
only diminished if the subscriber or user agrees to the ISP’s terms of service18. Finally
the subscriber is receiving a free service that pays through the reception of
advertisement.

Google Buzz
In February 2010 Google launched a new application tied to the Gmail service, called
Google Buzz. In short it was a social networking tool that allowed Gmail users to
share items with all or part of their network, vote on them, or comment. Google failed
at explaining the users how the information about their network would be shared and
how to modify their preferences.

The basic problem was the auto-follow function that Google used to create
automatically a list of “followers” for Google Buzz user, based on the most emailed
contacts list. That made that many users were sharing content inadvertently with

15
http://goo.gl/BBfT (Information Week)
16
http://goo.gl/HoKu (Legal Information Institute)
17
http://www.wired.com/news/business/0,1367,62917,00.html
18
http://goo.gl/pzqr (Law Journal Library)

COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010
Searching For a Behavioral Targeting Regulation Xurxo Martínez

people with whom they had mail relationship but they didn’t necessarily consider
friends, at the time that disclosure to their entire network the mail relationship.

The users of the Gmail who accepted to try Google Buzz never thought that their
contact list would be made public, or that anyone related to, say, their ex-boss, would
be able through Google Buzz to reach their personal e-mail. They expected that
personal data to be something locked in their Gmail account and that wouldn’t be
public through that new networking feature. The company was forced to change the
auto-follow system for one based on recommendations just days after the launch19.

Other than the contacts issue, another of the problems during the early days of the
service was the difficulty for the users to understand and change their default settings.

Facebook Beacon
Starting in November 2007, Facebook allowed information about their users collected
via a beacon to be transmitted from affiliated retailers to Facebook, and even show
this information to the user’s network. Most of the times this happened without the
user being aware. Several newspapers and blogs told the story of a man who bought a
ring online for his wife. The website was affiliated to Facebook, and the news about
the purchase were published in his profile, making it possible for all his network,
including his wife, to know about the supposedly surprise gift20.

After a series of articles in press and blogs attacking the beacon, Facebook changed
its operation for an Opt-in system. But a class action was presented in California,
alleging that the company didn’t sought after the user’s approval before implementing
the beacon21.

Facebook Connect
Facebook has more than 500 million users worldwide. Near one third of them—round
160 million—are in the United States. That means 160 million Americans that have
given them their names, likes, email, list of friends, and interests.

Through their application Facebook Connect they offer a trusted authentication

method for any website. For a regular Publisher, that means that Facebook will do the
job of identify any web user. For the social media company it means two things:
 They will get even more information about the user, as they control her or his
activity in other web sites, being able to deliver even more precise advertising.
 Facebook become a kind of ID regulator of the Internet. In a way, their
authentication system becomes an online version of a government releasing ID
cards for their citizens.

Facebook Privacy Policy

19
http://www.nytimes.com/2010/02/15/technology/internet/15google.html
20
http://goo.gl/ZCTC (Washington Post)
21
http://goo.gl/rgnn (TechCrunch)

COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010
Searching For a Behavioral Targeting Regulation Xurxo Martínez

Another of the main privacy complaints against Facebook is related to the continuous
changes in their privacy policy. It would be reasonable to ask for a system that would
be clear, easy-to-use and simple. Instead, as a graphic from the The New York Times
showed22, Facebook released in May 2010 a version with 50 settings, more than 170
options, and 5,830 words—more than the United States Constitution, and more than
this paper—.

Web Coupons
During 2009, in part due to the economic crisis, the redemption of coupons grew a
27% v. 200823. Internet coupons still represent a small portion of the whole business
—0.5% of the total number of coupons and 1.5% of the redemptions—, but
redemption rates for Internet coupons are by far the fastest growing in the business,
up 263% from 2008 to 2009. The site Groupon.com grew from 238,000 unique
visitors in July 2009 to 6,491,554 in July 2010, according to Compete.com24. That
means that we are facing a fast growing marketing segment, one that also uses BT
tactics in order to retrieve information about the users.

The issue with this new breed of coupons—as the ones that are sent to mobile devices
—is that when matching the physical person that comes into the shop with the data
provided with regular BT, the retailer—or whichever middleman who can have access
to the data the retailer gets while the redemption of the coupon—can connect the
actual name with the supposedly anonymous online data.

A The New York Times article25 explained recently how a company named RevTrax
operates: they are a third party who displays the coupon ads on the retailer’s site or
any other web page. As they are ‘just’ middleman they don’t need to have a privacy
policy, even when they are the ones who collect the personal information of the users,
including the keywords they used before getting to the coupon—i.e. cheap trekking
boots—.

After the user prints the coupon and redeems it, RevTrax get the information back
from the retailer and can complete the user profile. That way they can also get to the
conclusion that people from, say, Kirkland, is more likely to buy equipment for
outdoor activities through coupons than those in Seattle. The following step would be
to make a better offer to Seattle users—as they are harder to convince—than to those
in Kirkland. This is called ‘online redlining’, and the advocates of online privacy
define it as a form of discrimination.

22
http://goo.gl/3lyo (The New York Times)
23
http://goo.gl/3a5I (Nieman Journalism Lab)
24
http://siteanalytics.compete.com/groupon.com/
25
http://www.nytimes.com/2010/04/17/business/media/17coupon.html

COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010
Searching For a Behavioral Targeting Regulation Xurxo Martínez

PRIVACY AS SOURCE OF CONCERN

Some of the cases reviewed in the previous section—mainly those related to Google
and Facebook—have made regular Internet users more aware of their online privacy,
and more worried about how much these service companies use their data, and how
much advertisers know about them.

In an Annenberg poll conducted between June and July 2009, 66 percent of American
adults indicated they did not want websites or networks targeting advertisements to
them. Even a majority (54%) of younger consumers (18-24) "rejected" behavioral
advertising. In addition, 92% of the respondents said there should be a law requiring
websites and advertising companies to delete stored information if asked to26.

Is very interesting to see that young people is also worried about how their
information is being used. The digital natives are supposed to be far less worried
about privacy. On this vein, a research published in August 2010 shows that young
Facebook users are more interested in privacy issues than what it was believed27. The
study examines "the attitudes and practices of a cohort of 18- and 19-year-olds
surveyed in 2009 and again in 2010 about Facebook's privacy settings". The results
show how even most the occasional Facebook users—79%— modified at least twice
their settings during 2010. This data opposes to the idea that young people is less
concerned about online privacy.

On the other hand, while all the articles and negative buzz about Facebook’s privacy
issues have made them scored pretty low in the 2010 American Consumer
Satisfaction Index—in the lower 5% of all measured private sector companies—28, the
company is continuously growing in number of users. Maybe the concerns of the
users are less important than the benefits they get from the service.

Advertisers and middlemen collect information that is increasingly more specific. One
company, Clearsight has announced that it has enough information to link 65 million
IP addresses to actual email and post mail addresses29. Even more, some companies
are starting to match offline and online data, being able to put name and yearly
income to the users that have a certain cookie installed30.

And if advertisers use that data, could someone else do the same? Family law attorney
Brad LaMorgese thinks so, and plans to use it as evidence in lawsuits:
"It's a great, ready-made source, almost puts the investigation together for you,"
LaMorgese said, noting that how much money spouses spend online and what sites
they visit are crucial details in a divorce case. "If someone is doing all sorts of things
online, why wouldn't a court want to know that?" 31.

26
http://goo.gl/ZdQQ (Broadcasting & Cable)
27
http://goo.gl/CZ4W (UIC)
28
http://goo.gl/971T (Foresee Results)
29
http://goo.gl/K4jb (Mediapost)
30
http://adage.com/digital/article?article_id=142903
31
Advertiser tracking of Web surfing brings suits. The National Law Journal
(March 2, 2009). Gale Document Number:A195138320

COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010
Searching For a Behavioral Targeting Regulation Xurxo Martínez

LIKELY REGULATORY OUTCOMES

As we have seen when reviewing the main players in search of a regulation, there is a
huge tension between two different positions:

 The Advertising industry position is to let the market and the industry self-
regulate, and see the profits rise.

 On the other side, the sectors concerned about privacy issues think that
consumer privacy must be given special and priority consideration when
government “measures” the economic benefits related to any data collection
activity.

The representatives of both positions—the advertisers on one side; and the privacy
advocates, and the Energy Subcommittee on Communications on the other—are
trying to advance each one on their side in order to get a solid regulation. Both know
that time is crucial and are tying to play with that. Now I’ll expose the three more
likely resolutions:

1. Self-regulation by the advertisers

o The advertisers need to implement the most urgent improvements
collected in the Guidelines—such as the behavioral ad icon—and conduct
a PR campaign in order to explain users that advertising is a fair trade for
the free content they are getting—as TV—, explaining how users are
tracked and how to decide about what is done with their data.

o And they need to do it before the Boucher bill is voted. Because even if it
doesn’t go on but gets a significant amount of support, there will be for
sure some kind of Federal legislation soon.

o Other challenges they need to overcome are the huge privacy crisis that
services as Facebook or Google create, and to make sure that not only the
main advertisers, but also middlemen as RevTrax or even the ISPs, follow
the Guidelines.

2. Strong Federal regulation

o Either the Boucher bill passes or a new proposal comes later and gets
enough support. Here we would see the FTC as main enforcer of the new
rules. The more restrictive the legislation comes to be, the more
advertising companies and middlemen will struggle.

3. The Congress doesn’t pass new legislation, but the FTC obtains power to
impose a series of minimum standards
o That would be a compromise where the advertisers would accept to be
sanctioned by the FTC, create some kind of database in order to control the
different companies who engage in BT, and how they use the data; and
follow strictly the Guidelines.

COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010
Searching For a Behavioral Targeting Regulation Xurxo Martínez

In any of the aforementioned scenarios, what will happen for sure is that the internet
user will be able to have a broader control over the information that advertising
companies compile on them.

Also Opt-out formulas will become clearer and more accessible, so those individuals
really worried about how advertisers manage their data will be able to avoid BT and
get the regular non-personalized advertisements.

But if Federal regulation passes, or if the FTC is allowed to regulate tightly the BT
practices, we can face a situation in which consumer privacy measures will be taken
in advance, as prevention. A situation where the FTC would allow a new development
based on its potential ability to threat the privacy rights, more than on its commercial
or inventive values. That will, for sure, decrease the innovation speed in the industry,
and would even threaten the growth of this kind of advertising.

That last possibility raises another question: BT is designed to provide users with
more relevant ads. That should translate in higher profits. Right now the online
content industry—mainly news-related sites—is unable to become profitable offering
free content that is paid just with the money they receive from regular advertising. If
now BT don’t replace the classic random ads system and provides them with more
profits, the Publishers will be likely to start charging for the content, or at least for the
experience of browsing their content without seeing any kind of ad, damaging the
ecommerce sector.

COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010
Searching For a Behavioral Targeting Regulation Xurxo Martínez

CONCLUSSIONS
As technology guru Tim O’Reilly has stated, personal data collection can be key for a
number of good purposes, foster invention and help to solve complex problems32. His
point is that, in today’s world, technology is driving us to collaborate in ways that
were previously impossible. And the sharing of data is one of the main ways in which
this collaboration can really happen.

Is important to find a balance between innovation and the privacy concerns, because
the later can even prevent some users to buy online or surf freely the Internet.

The users should be aware of how the bargain works—the advertising pays for the
free content—, and the advertisers be more transparent about their activities. Also the
publishers should be clear about whom do they track information for, or whom do
they permit to track users from their websites.

Regarding the debate about the Opt-in and the Opt-out, it seems clear that any user
should be able to easily and effectively Opt-out from receiving behavioral
advertisement. The same way, there should be some kind of acceptance when anyone
is about to gather from the user the kind of information that we have defined as
sensitive or personally identifiable information.

Another restriction for the advertisers should be to use that sensitive and personal data
only for the purposes that it was given by the user. A different use of the data should
be subject to a new consent.

Is dangerous to offer a “Do not track” list, at least with that denomination. And is
dangerous because there is a big difference between BT and the telemarketing
practices that the “Do not call” list tried to avoid: in BT the individual who would ask
to be in that list won’t receive less advertisement because of that, but just will see
random ads when browsing. Even more, it is possible that, as BT ads are more
profitable, this person will get more ads than a web user who won’t sign for the list.

Regarding privacy policies, companies should be clear and simple. The user shouldn’t
face such an amount of choices that would cause paralysis. The policies should be
appropriate for the average user of the site. That means that a site for teenagers should
have a privacy policy much simpler than a Forum for Linux programmers.

The alternative to BT will be probably to pay in order not to have ads at all or to
suffer more regular ads when browsing the web, as the profit advertisers and
Publishers get for today’s banners is decreasing, and even contextual advertising is
stuck and not growing.

Summarizing, the privacy concerns should provoke some kind of regulation of BT,
but always keeping in mind the advantages that this kind of advertisement brings.

32
http://goo.gl/bRiN (Readwriteweb)

COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010