Making Tracks Visiting ‘The Trackers’

Since last January, I’ve been traveling across the United States to meet with companies engaged in online behavioral advertising (also called interest-based advertising). I have met with scores of engineers, entrepreneurs, program managers, privacy counsel, executives, business leaders, and policy advisors from nearly 20 different entities. Companies ranged from some of the largest industry players in California’s Silicon Valley to small startups crammed into the converted lofts of New York’s Silicon Alley. The labels for the companies vary – networks, exchanges, data management platforms, to name a few. Regardless of label or specific business model, the companies I met with enable online advertising targeted to perceived interests that are inferred from users’ online activities.

So what did I find during these meetings? Perhaps not what you’d expect given the inflammatory debate raging on in some corners of the world about these “invisible corporate trackers.” I found people eager to discuss consumer privacy, actively engaged in privacy by design, and deeply committed to responsible data handling practices. I watched presentations about segregating and de-identifying data, hashing, encryption, and efforts to minimize data collection or block the collection of sensitive data. I heard people repeatedly make statements such as, “we thought about, but didn’t implement, a certain business model because it wasn’t transparent” or “we decided against this practice because some people may view this particular topic as sensitive.” I was genuinely impressed by the Herculean efforts of some companies to safeguard data and minimize potential risk to consumers. In fact, many efforts I witnessed during my meetings with commercial enterprises far exceeded the privacy procedures I observed while serving as a chief privacy officer in the federal government.

It’s certainly possible that I just didn’t visit the right (or wrong) companies. After all, if you are pushing the envelope on consumer privacy issues you may not want to meet with a privacy lawyer and former regulator. And to be truthful, I have had some brief, informal conversations with companies I generally don’t work with that raised some eyebrows. The business practices of those entities made me wonder if they have thought about notice, transparency, and choice (much less the other FIPPs) in a meaningful way. “I’ll be reading about these guys in the WSJ,” I thought to myself.

To be sure, companies – like government agencies and non-profits – sometimes make mistakes. And yes, eager engineers sometimes skip procedures, good people make bad choices, and not every decision demonstrates Solomon’s wisdom. It’s also true that company executives sometimes say regrettable things and marketing materials puff up the predictive data mining potential of products and services. But for the most part, I have found that online advertising companies are working very hard to create innovative products while engaging in responsible data management practices and respecting user choice.

No one denies that companies seek to make money (yes, even profits). I’m not suggesting that they all embrace privacy by design or sign up for self-regulation with purely altruistic motives. Trust me, even lawyers and engineers working for the most responsible government agencies wouldn’t engage in privacy by design either if a CPO, backed up by the E-Government Act and Office of Management and Budget memos, didn’t require it. In the case of the private sector, the Federal Trade Commission (FTC) and consumer advocates get some of the credit for pushing the industry in the right direction.

But regardless of motivation (consumer trust is actually a big one), I’m finding that companies today are working very hard to address concerns about consumer privacy. More and more privacy controls are being baked in from the beginning. In addition, self-regulatory codes of conduct already require member companies to address the very issues identified by the FTC in its recently released privacy report (security, notice, retention, access, etc.).

What does this mean – beyond the fact that I now have gold status on U.S. Airways from traveling to all these meetings? I hope it means that our collective future includes a great online experience that consumers trust, a dynamic and growing digital economy, and a dizzying array of free content and services supported by interesting and relevant ads.

This column was originally published on May 4, 2012.

Related reading

Overhead view of a row of four business people interviewing a young male applicant.