Privacy concerns pose an increasing threat to ubiquitous online tracking practices that underpin many commercial successes on the web. As a matter of course, many online actors record website visitors' Internet Protocol (IP) addresses, which are strings of numbers identifying a device connected to the Internet. Data generated by cookies, web beacons and other tracking and identification tools also are commonly collected. Sites featuring a search engine regularly link search terms with the IP address of the search engine user. This "web usage information" is useful in managing and improving web-based services, but its greatest commercial value is in advertising. Using IP addresses, cookie identification numbers and other data, information drawn from across the web can be correlated, forming a profile of a user's online behavior that reveals interests, rough geographical location and online habits—all of which can help place ads where they are more likely to return "clicks" and ultimately, sales. Web usage information is critical to the online advertising market, worth approximately $20 billion annually.
Until recently, few have questioned the standard assertion that web usage information raises minimal privacy concerns, as such data alone do not identify an individual person. Indeed, polls suggest that the public is generally unaware of the scale of online tracking and the growing use of "behavioral targeting" in placing online ads. But these trends are now driving a variety of regulatory responses to online tracking in the United States and abroad, which could expand as the public learns it is being watched.
FTC Principles for Behavioral Advertising
The staff of the Federal Trade Commission's (FTC) Bureau of Consumer Protection recently proposed a set of voluntary online behavioral advertising privacy principles (Advertising Principles). Released simultaneously with the FTC's approval of Google Inc.'s $3.1 billion acquisition of DoubleClick, Inc., the Advertising Principles were perhaps a concession to some members of Congress who requested scrutiny of the deal's privacy implications. Combining the databases of the Internet's largest search company and the Internet's largest ad placement firm purportedly could yield more detailed user profiles. Such profiles might identify unique individuals, support behavioral targeting or pose risks if disclosed under government compulsion or via a security breach. Privacy advocates emphasize that web usage information currently goes largely unregulated.
FTC staff define "behavioral advertising" broadly as "tracking a consumer's activities online, including the searches the consumer has conducted, the web pages visited, and the content viewed in order to deliver advertising targeted to the individual consumer's interests." In sum, the Advertising Principles encourage online actors to:
- Provide prominent, consumer-friendly notice that web usage information is collected for advertising purposes;
- Offer consumers an easy-to-use mechanism for "opting out" from such collection; and
- Provide reasonable security for web usage information, retaining it only as long as a legitimate need exists.
The FTC is currently accepting comments on the Advertising Principles. For the online advertising community, proactively adopting the Advertising Principles (or similar practices) may be preferable to awaiting backlash regulations in the wake of a future incident. Also, competition on privacy protection could arise—the AOL division of Time Warner Inc. has announced that it will allow people to remove themselves from its tracking databases.
IP Addresses May Be "Personal Information" in the EU
Although the FTC and Congress have concerns about web usage information, the greatest threats to standard Internet practices currently come from the European Union. In nonbinding but influential statements, EU privacy regulators have long sought to impose relatively onerous European privacy standards on online actors, even those based outside the European Union. For example:
- EU data protection authorities (DPAs) claim jurisdiction over U.S. companies that place cookies on EU individuals' hard drives, arguing that these companies are using "equipment" located in the EU.
- At a January 21, 2008 European Parliament hearing, DPAs reiterated their view that IP addresses are "personal information" under EU law when persons associated with an IP address are merely reasonably "identifiable."
In either case, an online actor conforming to standard Internet practices may lack an individual's name, contact information or other data normally considered "personal information." Indeed, DPAs admit that web usage information itself may not identify unique individuals. Nonetheless, under these interpretations of EU law, the actor might have to register its databases with EU authorities, obtain individuals' express consent before collecting data, sharply limit data retention periods, cut off data transfers to the United States and more.
Where Is the Harm?
Massive amounts of web usage information continue to be collected and used to place online ads. But so far, it is difficult to find a case of significant privacy harm. The FTC admits that some web usage information "may not be traceable to any individual consumer or computer, and therefore may do little harm." The EU has not officially adopted the DPAs' interpretations. Internet users currently seem to appreciate ad-supported free services more than they dislike online tracking. It may be possible to facilitate the commercial potential of profiling while inhibiting web usage data from identifying unique persons. Now may be the time for website operators and the greater online advertising community to agree on industry best practices—perhaps the FTC's Advertising Principles—in order to deflect heavier regulation later.