Industry’s behavioural ad guidelines criticised
Six months given to sort out privacy protection
The trade body for the online advertising industry has produced guidelines for companies to follow to ensure that behavioural advertising does not breach users' rights to privacy. Privacy activists have said the rules do not protect users enough.
The Internet Advertising Bureau (IAB) has published the guidelines and Google, Microsoft Advertising, Yahoo! SARL and Phorm have all committed to following them. The IAB said that signatories have six months in which to comply with the rules.
Behavioural advertising tracks users' online activity and can target adverts to users according to what websites they have visited. Even advertisers concede, though, that the benefit to them of more targeted advertising has to be balanced with the privacy rights of internet users.
"The Good Practice Principles set out commitments to transparency, user choice and education. The Principles complement current UK data protection laws with new practices relating to the collection and use of online data," said an IAB statement.
The guidelines have three principles. Firstly, advertisers or website operators must inform users that their data is being collected and used for advertising.
Secondly, users must have a choice about whether they receive the advertising or not. Thirdly, companies must clearly outline what they are doing and how users can opt out of it.
"These are significant developments in offering people greater transparency and choice regarding behavioural advertising," said Nick Stringer, head of regulatory affairs at the IAB.
Digital rights body the Open Rights Group (ORG) said, though, that the protections offered by the rules were not good enough for users of the web.
In a statement on the body’s blog, executive director Jim Killock said that the way that the rules say users should opt out of the system is a problem.
“The sites using behavioural advertising are likely to be operating via cookies. Any ‘opt out’ would be stored by a cookie. So each time a user deletes their cookies, or changes browser or machine, they have to opt out,” he said. “This makes opting out a repeated procedure, such that which would make all but the most stubborn user simply give their consent.”
“This is not how consent should work, and a system that ‘pesters’ users into opting in is in our view an illegitimate attempt to substitute acquiescence for consent, whereas nothing but consent is acceptable,” said Killock.
“If users want more relevant advertising, and this is to be achieved by allocating them to ‘segments‘, why not let them choose the segments they want to belong to? We do not accept the claim that behavioural surveillance for profiling is a service to users,” said Killock.
Google, amongst others, has backed the plan.
"Google believes in two core principles of transparency and choice when it comes to user privacy. That is why we are supportive of these new, self-regulatory principles for online advertising which will enable consumers to increase their understanding of their web surfing options," said Mark Howe, UK country sales director for Google.
The guidelines say that companies should give clear notice about data collection, and that any contracts they sign with other companies in relation to the collection should commit them to doing the same.
The guidelines say that information on how to decline behavioural advertising should be "prominently displayed and easily accessible" on web sites.
The rules forbid companies from using behavioural advertising specifically to target children younger than 13. They also say that companies should consider other areas or target groups sensitive and should avoid targeting them, but they do not issue any instructions on what those groups or areas might be and exactly what action signatories should take.
"There are valid privacy concerns about creating a segment for [behavioural advertising] in some areas because they could be considered sensitive in certain contexts," say the guidelines. "Individual members may therefore make different judgements in their respective approach but will be guided by the over-riding objective of maintaining user trust."
See: The guidelines (pdf)
Copyright © 2009, OUT-LAW.com
OUT-LAW.COM is part of international law firm Pinsent Masons.
Sponsored: Network DDoS protection