Feeds

Industry’s behavioural ad guidelines criticised

Six months given to sort out privacy protection

Internet Security Threat Report 2014

The trade body for the online advertising industry has produced guidelines for companies to follow to ensure that behavioural advertising does not breach users' rights to privacy. Privacy activists have said the rules do not protect users enough.

The Internet Advertising Bureau (IAB) has published the guidelines and Google, Microsoft Advertising, Yahoo! SARL and Phorm have all committed to following them. The IAB said that signatories have six months in which to comply with the rules.

Behavioural advertising tracks users' online activity and can target adverts to users according to what websites they have visited. Even advertisers concede, though, that the benefit to them of more targeted advertising has to be balanced with the privacy rights of internet users.

"The Good Practice Principles set out commitments to transparency, user choice and education. The Principles complement current UK data protection laws with new practices relating to the collection and use of online data," said an IAB statement.

The guidelines have three principles. Firstly, advertisers or website operators must inform users that their data is being collected and used for advertising.

Secondly, users must have a choice about whether they receive the advertising or not. Thirdly, companies must clearly outline what they are doing and how users can opt out of it.

"These are significant developments in offering people greater transparency and choice regarding behavioural advertising," said Nick Stringer, head of regulatory affairs at the IAB.

Digital rights body the Open Rights Group (ORG) said, though, that the protections offered by the rules were not good enough for users of the web.

In a statement on the body’s blog, executive director Jim Killock said that the way that the rules say users should opt out of the system is a problem.

“The sites using behavioural advertising are likely to be operating via cookies. Any ‘opt out’ would be stored by a cookie. So each time a user deletes their cookies, or changes browser or machine, they have to opt out,” he said. “This makes opting out a repeated procedure, such that which would make all but the most stubborn user simply give their consent.”

“This is not how consent should work, and a system that ‘pesters’ users into opting in is in our view an illegitimate attempt to substitute acquiescence for consent, whereas nothing but consent is acceptable,” said Killock.

“If users want more relevant advertising, and this is to be achieved by allocating them to ‘segments‘, why not let them choose the segments they want to belong to? We do not accept the claim that behavioural surveillance for profiling is a service to users,” said Killock.

Google, amongst others, has backed the plan.

"Google believes in two core principles of transparency and choice when it comes to user privacy. That is why we are supportive of these new, self-regulatory principles for online advertising which will enable consumers to increase their understanding of their web surfing options," said Mark Howe, UK country sales director for Google.

The guidelines say that companies should give clear notice about data collection, and that any contracts they sign with other companies in relation to the collection should commit them to doing the same.

The guidelines say that information on how to decline behavioural advertising should be "prominently displayed and easily accessible" on web sites.

The rules forbid companies from using behavioural advertising specifically to target children younger than 13. They also say that companies should consider other areas or target groups sensitive and should avoid targeting them, but they do not issue any instructions on what those groups or areas might be and exactly what action signatories should take.

"There are valid privacy concerns about creating a segment for [behavioural advertising] in some areas because they could be considered sensitive in certain contexts," say the guidelines. "Individual members may therefore make different judgements in their respective approach but will be guided by the over-riding objective of maintaining user trust."

See: The guidelines (pdf)

Copyright © 2009, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Internet Security Threat Report 2014

More from The Register

next story
Same old iPad? NO. The new 'soft SIMs' are BIG NEWS
AppleSIM 'ware to allow quick switch of carriers
Brits: Google, can you scrape 60k pages from web, pleeease
Hey, c'mon Choc Factory, it's our 'right to be forgotten'
Of COURSE Stephen Elop's to blame for Nokia woes, says author
'Google did have some unique propositions for Nokia'
FCC, Google cast eye over millimetre wireless
The smaller the wave, the bigger 5G's chances of success
It's even GRIMMER up North after MEGA SKY BROADBAND OUTAGE
By 'eck! Eccles cake production thrown into jeopardy
Mobile coverage on trains really is pants
You thought it was just *insert your provider here*, but now we have numbers
Don't mess with Texas ('cos it's getting Google Fiber and you're not)
A bit late, but company says 1Gbps Austin network almost ready to compete with AT&T
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.