The Evolution of Online Behavioral Advertising Self-Regulation
We've been talking about online behavioral advertising (OBA) as a privacy issue for more than 10 years. We've had Congressional hearings, Federal Trade Commission (FTC) roundtables and self-regulatory programs addressing the issue since the early 2000s. Recall that the Network Advertising Initiative (NAI) was formed all the way back in 1999 to provide consumers with education about data collection, usage and choice.
That being said, we now find ourselves in the most exciting era to-date for self-regulatory progress. Here's a timeline of recent events:
Admittedly, the FTC expressed frustration with the pace of progress early on in the self-regulatory movement. “Industry efforts to address privacy through self-regulation have been too slow, and up to now have failed to provide adequate and meaningful protection,” a December 2010 FTC report said. Industry progress made in 2011, however, has been incredible and has substantially improved the privacy ecosystem and will continue to do so.
Taking a closer look at 2011 and looking to the future we can see three distinct phases of this self-regulatory movement emerge:
Phase I: Early Implementation (January to May)
Ad Networks Took The Lead: OBA implementation was solidly with the ad networks; many advertisers left implementation decisions and approaches to the networks.
Working out Glitches: Chief among these was the risk of “collision” whereby multiple parties would serve duplicative icons, resulting in icons “colliding” on the display ad. A specification has since been developed by a Digital Advertising Alliance (DAA) technical working group, and it has helped significantly to mitigate this issue. The group is now building metadata into the icon-serving process to arbitrate ad calls in real time and prevent icon collisions.
A Few Advertisers and Publishers Experimented: A few brand advertisers, keen to demonstrate self-regulatory progress and avoid legislation, implemented compliance solutions on portions of their advertising buys or networks. Many experimented with icon placement and privacy notice wording, conducting trials with DAA-approved compliance providers.
Too Many Advertisers Hung Back: With legislative uncertainty, a perceived lack of approval by the FTC, and concerns about implementation issues and expenses, many advertisers and publishers took a “wait and see” approach in early 2011.
Membership Organizations Started Applying Pressure: The IAB announced that their requirement of self-regulatory compliance would begin at the end of August. Other industry groups also announced their compliance timelines and the Council of Better Business Bureaus (CBBB) started to lay out its enforcement plans and priorities.
Consumers Began To Catch On: Consumers were only beginning to be aware of the Advertising Option Icon and their privacy choices. That spring TRUSTe conducted consumer research with Harris Interactive and found that consumer awareness of the Advertising Option Icon stood at 5%, which was not surprising given how recently the self-regulatory program had launched.
Phase II: Rapid Expansion (May to Present)
By summer and autumn of 2011 enough progress had been made by the industry to convince major advertisers that hanging back was not a winning strategy.
Major Advertisers Took the Lead: Large brand advertisers recognized that self-regulatory compliance was a strategic decision that should not be left to their ad networks. Privacy officers and advertising and marketing executives were now actively reviewing their compliance efforts and requesting information from approved compliance providers, as well as undergoing initial tests and implementations.
Innovation Occurred In Privacy Messaging: With major brands on board more companies used the icon-triggered privacy notice experience to communicate their overall privacy program and commitment, not just their behavioral advertising activities.
Implementation Now At Scale: By late fall 2011 over 600 billion icon impressions were being served on a monthly basis by the ad industry and approved compliance providers. Many of the most pressing technological challenges in compliance systems have been resolved.
Enforcement Efforts Have Begun: Both the Direct Marketing Association (DMA) and CBBB have begun to send “compliance alerts” to major advertisers warning them of non-compliance. In November 2011 the self-regulatory program released decisions in its first six compliance cases. Each of the targeted companies, whose non-compliance resulted from broken or faulty opt-out mechanisms, agreed to fix their practices to comply with the self-regulatory program.
Regulatory Action – One word, Chitika: The FTC took action with an ad network that failed to honor consumer opt- outs. Despite the threats early in the year regarding privacy legislation, no new legislation was passed. However, big privacy regulatory developments occurred in the EU with the passage of a new e-privacy (or “cookie”) directive and new Data Protection directive expected early in the 2012.
Consumers Are Starting to Pay Attention: With billions upon billions of icon impressions delivered to date, consumers are starting to pay attention. TRUSTe now serves 20 billion icon impressions every month via our TRUSTed Ads compliance platform; each month consumers access TRUSTe's preference manager an estimated 12,000 to 96,000 times; and, we process between 2,000 and 10,000 opt-out requests. While overall opt-out rates remain well below 1 percent, these rates should not be the metric used to gauge the success of the self-regulatory program. The goal of the program is to empower consumers with notice and control and toward that end the program has made substantial progress, with tens of billions of display ads now covered under the program.
We're now at the end of this phase and now the questions are:
- To Brand Advertisers: If you're not participating, why not? When?
- To Ad Networks: Can you prove that you're honoring opt-outs?
- To Compliance Providers: What more can you do?
Phase III Predictions: Toward A More Trusted Ecosystem
All parties in the ad ecosystem take the march toward consumer control of privacy seriously. Advertisers, agencies and data brokers are anxious to understand how they can safely collect data about consumers with transparency and control in place.
Major Advertisers and Data Companies Will Look at Deeper Solutions: They will pursue tactics that make their activities more transparent to consumers and partners and try to solve additional issues like how to separate behavioral profile and analytic cookies.
The Program Will Go Mobile: Now that a self-regulatory program for traditional online ads is firmly in place and progressing nicely, the industry must look at how to address privacy concerns on mobile devices. The mobile platform will present unique challenges given apps operate independently of web browser frameworks, as well as the obvious form factor issues associated with mobile devices.
DNT and OBA Compliance Will Go Global and Start to Reconcile: There will need to be reconciliation between distinct approaches to behavioral advertising privacy: we have an upcoming EU cookie directive deadline as well as anticipated growth in both the DAA self-regulatory program as well as browser Do Not Track (DNT) implementations. The DAA is working with international partners to expand the self-regulatory program abroad and has been actively developing a compliance framework suited to the mobile platform.
“Data Leakage” Will Become A Focus: Consumer concern will pressure companies to go beyond simple transparency and choice to prove that personally identifiable information (PII) is not being transmitted or stored by third-parties where it is not intended. Companies will look to have the integrity of their data partners validated by getting certified by independent third parties like TRUSTe. This, in turn, will lead to greater trust by consumers that their PII or other sensitive data is not being shared without their permission.In short, the progress and momentum sustained in 2011 by self-regulation seems poised to continue in 2012, especially given increasing concern for privacy and protections voiced by consumers, regulators and media outlets alike.