2010 Will Be a Decisive Year for Ad Privacy and Regulation

It was a busy year for the digital ad space in terms of regulatory scrutiny, both in the U.S. and in Europe. As increasing amounts of user data are leveraged for behavioral ad targeting and audience segmentation, regulators on both sides of the Atlantic have turned their attention to the legality and necessity of tracking users’ online behavior.

The practice of data collection for online ad purposes is far from new, and behavioral targeting firms and publishers have been selling those insights to advertisers for years. In 2008, proposed network-level deep-packet inspection technology drew the attention of regulators, as privacy advocates and consumers expressed concerns about their ISPs monitoring their every online move in order to target them with ads.

Although that technology, provided by firms such as Phorm and NebuAd, was eventually abandoned by ISPs after overwhelming criticism from privacy advocates and concerned consumers, regulators have taken the opportunity to continue their probe into the online ad business more widely.

Following a series of hearings, roundtables and data privacy events in the U.S. this year, Congress is now widely expected to pass legislation on the matter. That bill will likely grant the FTC power to regulate the space more closely, specifically in relation to user privacy and the data collection practices that are now commonplace on the Web.

Rep. Rick Boucher, who heads up the House Subcommittee on Communications, Technology and the Internet, has signalled that such legislation may require Web sites to disclose “every piece of information that they collect from visitors and how that information is used by the website that collects it.” He also stipulated that users “should have control over that process,” a requirement that could have major implications for the online ad business if users decide to opt out of data collection en masse.

To stave off formal regulation, industry bodies such as the Interactive Advertising Bureau (IAB) and the Network Advertising Initiative (NAI) this year took measures to educate consumers and help them manage their privacy online. Both the NAI and the IAB have put forth self-regulatory guidelines to encourage more transparency, and the Federal Trade Commission also unveiled revised principles for behavioral advertising earlier this year.

In addition, the IAB recently launched an ad campaign of its own in an attempt to combat the perception that online advertising is “creepy,” and to better educate consumers about how and why data their data is used online.

Meanwhile in Europe, regulators have expressed similar concerns, and have spent the year repeatedly hinting at the prospect of further legislation. Consumer awareness and choice were again mentioned as E.U. regulators expressed dissatisfaction with IAB self-regulatory proposals.

Ultimately, that scrutiny culminated in the passing of an EU directive requiring explicit user consent for the placement of cookies, the technology on which the vast majority of online ad data practices are based.

The bombshell directive was passed in October, but must now be interpreted and implemented at a local level by the E.U.’s 27 member states. Exactly how that law is enforced will be left to national authorities, but it clearly states that the storage and access of information on user equipment “is only allowed on condition that the subscriber or user concerned has given his/her consent, having been provided with clear and comprehensive information.”

In the view of Struan Robertson, a technology lawyer and legal director at law firm Pinsent Masons who specializes in areas including data security and online marketing, it will be “extremely difficult to interpret it in a way that allows the delivery of cookies without user consent.” The IAB recently argued that users’ browser settings would qualify as that consent, but given the fact that they must also be presented with “clear and comprehensive information” about the use of their data, the risk that a significant number of users will choose to reject such tracking appears very real. Web companies and ad firms in Europe must wait to see how it is implemented and enforced in each state before they can judge the impact on their businesses.

Meanwhile, in the U.S., new legislation was expected as early as November, but did not come to fruition. That bill is now likely to be introduced in the new year. As a result, 2010 could provide a few headaches for online ad firms both in the U.S. and across Europe.

Related reading