Since last January, I've been traveling across the United States to meet with companies engaged in online behavioral advertising (also called interest-based advertising). I have met with scores of engineers, entrepreneurs, program managers, privacy counsel, executives, business leaders, and policy advisors from nearly 20 different entities. Companies ranged from some of the largest industry players in California's Silicon Valley to small startups crammed into the converted lofts of New York's Silicon Alley. The labels for the companies vary - networks, exchanges, data management platforms, to name a few. Regardless of label or specific business model, the companies I met with enable online advertising targeted to perceived interests that are inferred from users' online activities.
So what did I find during these meetings? Perhaps not what you'd expect given the inflammatory debate raging on in some corners of the world about these "invisible corporate trackers." I found people eager to discuss consumer privacy, actively engaged in privacy by design, and deeply committed to responsible data handling practices. I watched presentations about segregating and de-identifying data, hashing, encryption, and efforts to minimize data collection or block the collection of sensitive data. I heard people repeatedly make statements such as, "we thought about, but didn't implement, a certain business model because it wasn't transparent" or "we decided against this practice because some people may view this particular topic as sensitive." I was genuinely impressed by the Herculean efforts of some companies to safeguard data and minimize potential risk to consumers. In fact, many efforts I witnessed during my meetings with commercial enterprises far exceeded the privacy procedures I observed while serving as a chief privacy officer in the federal government.
It's certainly possible that I just didn't visit the right (or wrong) companies. After all, if you are pushing the envelope on consumer privacy issues you may not want to meet with a privacy lawyer and former regulator. And to be truthful, I have had some brief, informal conversations with companies I generally don't work with that raised some eyebrows. The business practices of those entities made me wonder if they have thought about notice, transparency, and choice (much less the other FIPPs) in a meaningful way. "I'll be reading about these guys in the WSJ," I thought to myself.
To be sure, companies - like government agencies and non-profits - sometimes make mistakes. And yes, eager engineers sometimes skip procedures, good people make bad choices, and not every decision demonstrates Solomon's wisdom. It's also true that company executives sometimes say regrettable things and marketing materials puff up the predictive data mining potential of products and services. But for the most part, I have found that online advertising companies are working very hard to create innovative products while engaging in responsible data management practices and respecting user choice.
No one denies that companies seek to make money (yes, even profits). I'm not suggesting that they all embrace privacy by design or sign up for self-regulation with purely altruistic motives. Trust me, even lawyers and engineers working for the most responsible government agencies wouldn't engage in privacy by design either if a CPO, backed up by the E-Government Act and Office of Management and Budget memos, didn't require it. In the case of the private sector, the Federal Trade Commission (FTC) and consumer advocates get some of the credit for pushing the industry in the right direction.
But regardless of motivation (consumer trust is actually a big one), I'm finding that companies today are working very hard to address concerns about consumer privacy. More and more privacy controls are being baked in from the beginning. In addition, self-regulatory codes of conduct already require member companies to address the very issues identified by the FTC in its recently released privacy report (security, notice, retention, access, etc.).
What does this mean - beyond the fact that I now have gold status on U.S. Airways from traveling to all these meetings? I hope it means that our collective future includes a great online experience that consumers trust, a dynamic and growing digital economy, and a dizzying array of free content and services supported by interesting and relevant ads.
This column was originally published on May 4, 2012.
Marc Groman joined the NAI in December 2011 as its Washington-based executive director and general counsel. Marc brings to this position over a decade of experience with technology, marketing law, and consumer privacy issues. As executive director, Marc leads NAI's efforts to develop and maintain high standards for online behavioral advertising. Marc also serves on the Board of Directors of the Digital Advertising Alliance.
Prior to joining the NAI, Marc served as the Federal Trade Commission's first chief privacy officer, where he built an award-winning privacy program from the ground up. In 2009 and 2010, he served as counsel on the Energy and Commerce Committee in the U.S. House of Representatives. While on the Committee, Marc drafted a significant consumer privacy bill and shepherded data security and breach notification bills through passage in the House.
Marc has a B.A. magna cum laude in international relations from Tufts University and a J.D. cum laude from Harvard Law School. He is a Certified Information Privacy Professional and is a member of the Board of Directors of the International Association of Privacy Professionals.
May 22, 2013
1:00pm ET / 10:00am PT
June 5, 2013
1:00pm ET / 10:00am PT