call +44 20 7096 1079
March 04, 2009 | Jim Killock

Good practice in behavioural advertising?

The Internet Advertising Bureau, a digital marketing trade body, have launched Good Practice Principles for companies that collect and use data for online behavioural advertising purposes, which contain a number of clear problems:

  1. The guidelines presume that:

    "More relevant advertising is beneficial for both users and businesses: users discover more of what interests them and businesses find a better way to communicate with users."

    If users want more relevant advertising, and this is to be achieved by allocating them to "segments", why not let them choose the segments they want to belong to? We do not accept the claim that behavioural surveillance for profiling is a service to users.

  2. The guidelines promote the giving of notice to users with opportunities for them to opt out, to the detriment of low-key and qualified references to the need for consent (or "opting in").

    This is particularly problematic, as the sites using behavioural advertising are likely to be operating via cookies. Any ‘opt out’ would be stored by a cookie. So each time a user deletes their cookies, or changes browser or machine, they have to opt out. This makes opting out a repeated procedure, such that which would make all but the most stubborn user simply give their consent. This is not how consent should work, and a system that ‘pesters’ users into opting in is in our view an illegitimate attempt to substitute acquiescence for consent, whereas nothing but consent is acceptable.

  3. The guidelines about user choice also focus on allowing users to opt out. Only one is about consent, and that is opaquely expressed: "Each Member shall obtain consent to process data for the purposes of OBA [Online Behavioural Advertising] where the processing of data requires such consent."

    It should be a cardinal and emphatic principle of any such guidelines that every user who is profiled (whether pseudonymously or otherwise) must have given informed prior consent.

  4. The guidelines fail to give any warning about the problems of accounts used by multiple users (e.g. family members) who may be sharing machines or accounts. The guidelines must make it clear that the separate specific consent of every individual user must be obtained, and that this requirement is not satisfied by delegating to the account holder the responsibility for obtaining the consent of other users, or by embodying a consent, or a delegation of responsibility, in contract terms.
  5. The guidelines fail to require the consent of webhosts whose sites are visited by users, thereby encouraging the consequent industrial-scale breaches of webhosts' copyright and database right involved in the processing, as well as the criminal breaches of the prohibition on interception under section 1 of the Regulation of Investigatory Powers Act 2000.

For last weekend's Convention on Modern Liberty, we hosted a panel to discuss privacy in an age where the companies we as consumers choose to do business with online (as well as some we don’t) know more about us than ever before. The videos below feature, first, the opening presentations and, second, the Q&A that followed. Our panellists were, from right to left, David Smith (Deputy Information Commissioner (Data Protection), ICO), Iain Henderson (founder, Mydex.org), Jim Killock (Executive Director, Open Rights Group), Caspar Bowden (Chief Privacy Adviser, Microsoft EMEA), Peter Bazalgette (Media consultant and digital investor) and Wendy Grossman (journalist, blogger and folk singer).

The presentations are also available to stream and download in the Ogg format.

The Q&A is also available to stream and download in the Ogg format.

google plusdeliciousdiggfacebookgooglelinkedinstumbleupontwitteremail


Comments (9)

  1. Nick Stringer:
    Mar 06, 2009 at 11:37 AM

    The Internet Advertising Bureau's Good Practice Principles on behavioural advertising - published on Wednesday - do address the "problems" the Open Rights Group (ORG) outlines [NB Issue no. 5 is specifically not covered by the Principles as it refers to a particular business model. The Principles are industry guidelines].

    First and foremost, these new guidelines complement existing UK laws to protect people's personal information by outlining new practices to govern the collection and use of anonymous information for the purpose of behavioural advertising.

    Let me address each of the five issues that ORG outlines:

    1. "We do not accept the claim that behavioural surveillance for profiling is a service to users."

    We disagree. New IAB research (source: Toluna 2009) tells us that more than 50% of internet users do value more relevant advertising, reducing the amount of online advertising not relevant to a user’s interests. The research also identified that 85% of internet users would rather see advertising than pay for the content.

    Have a look at this blog post below which identifies why this type of advertising has significant benefits:

    http://community.brandrepublic.com/blogs/digitales/archive/2009/03/04/iab-amp-best-behavioural-targeting.aspx

    2. "The guidelines promote the giving of notice to users with opportunities for them to opt out, to the detriment of low-key and qualified references to the need for consent (or “opting in”)."

    The Principles are very clear where consent is required (see below answer). The IAB launched a new website on Wednesday - www.youronlinechoices.co.uk - that explains clearly what to do if you wish to opt-out. The website provides a wide range of information for internet users, explaining how behavioural advertising works, its benefits, FAQs (including the need to opt-out again if all cookies are deleted) and providing some top tips for users, such as getting more familiar with the privacy settings on their web browser.

    Users can of course choose to delete their cookies from their browser and, with some web browsers, users can select which cookies they want to delete. Businesses will have their own 'opt-out' facility as well. We are trying to make it a simple 'one stop shop' step for internet users.

    3. "It should be a cardinal and emphatic principle of any such guidelines that every user who is profiled (whether pseudonymously or otherwise) must have given informed prior consent".

    Our Principles make it clear where consent is required by UK law or by specific regulatory guidance. Our Principles also make it clear to internet users when anonymous information is collected and used for behavioural advertising, and how they can choose to decline this type of advertising.

    4. "The guidelines fail to give any warning about the problems of accounts used by multiple users (e.g. family members) who may be sharing machines or accounts."

    I refer again to our new site - www.youronlinechoices.co.uk - which includes a tip for users to establish separate user accounts (as many users in households already do), to enable the privacy settings to be tailored to each individual internet user within a household.

    5. "The guidelines fail to require the consent of webhosts whose sites are visited by users, thereby encouraging the consequent industrial-scale breaches of webhosts’ copyright and database right involved in the processing, as well as the criminal breaches of the prohibition on interception under section 1 of the Regulation of Investigatory Powers Act 2000."

    This issue is not relevant or applicable to many behavioural advertising business models, such as those provided operated by advertising networks. To this extent, it is not an issue we have specifically covered in our Principles. Our Principles are industry guidelines.

    Privacy is at the heart of the future of the internet. The IAB believes trust is paramount. This is what underpins the development of these Good Practice Principles. They remain a working document – as every self-regulatory initiative should be in this sector – to take account of changing technology and business models. It’s important that we – industry, consumers, government, regulators, privacy groups – get this right and we’re more than happy to continue our existing dialogue with the ORG to achieve this.

  2. DaveK:
    Mar 05, 2009 at 02:37 PM

    >"nothing but consent is acceptable."

    I think you could usefully strengthen that to "nothing but *informed* consent is acceptable". That difference has shown its importance in the past in the context of free ad-supported software that has a consent clause buried deep in reams of EULA that (technically but not morally) consents to the installation of all kinds of nasty spyware.

  3. A Very Worried Messenger:
    May 18, 2009 at 05:43 PM

    http://www.whatdotheyknow.com/request/confirm_validity_of_statement_by#outgoing-18797
    Thank you for your request for information in which you quote a statement by ISBA and ask for any correspondence between Ofcom and ISBA to confirm the validity of the statement.
    This was received on 17 May 2009.
    I am writing to advise you that the information you requested is not held by Ofcom.


    Faster communication systems should not mean loss of "Human Rights" it's up to Web Programmers & Industries to provide proper acceptable consent methods.

    http://www.theregister.co.uk/2009/05/18/eu_cookie_monster/
    Most browsers have a default setting that allows cookies. Most people never change that (and many don't know that the setting exists). So a court might reasonably question how consent can be implied from a default setting. If no question is asked, silence does not convey consent.

  4. Blog of Change » My selection of links for March 4th through March 13th:
    Mar 14, 2009 at 01:08 AM

    [...] The Open Rights Group : Blog Archive » Good practice in behavioural advertising? - [...]

  5. Pete:
    Mar 06, 2009 at 03:59 PM

    In response to Mr. Stringer

    1. When Which? surveyed their customers, ~66% didn't want Phorm, ~42% said they'd even switch to a different ISP if it was introduced.

    Ads don't fund all the content on the internet, that's simply a hoax.

    Why not ask people what advertising they want to see? You don't need to spy on people, or profile them. Marketing is about meeting aspirations; ask me what I aspire to.

    2. Opt in, in, in, in, in. In. Its 33% shorter, and much easier to spell than 'out'.

    3. Refer to 2.

    4. So you expect internet users to reconfigure their machines to accomodate your unwelcome and flawed business models? That's thoughtful of you, steam roller your customers.

    How do you think they will respond to that approach? With open arms?

    5. Go on say it. You know you want to. Phorm is dead in the water.

  6. A Very Worried Messenger:
    Mar 06, 2009 at 04:12 PM

    @Nick Stringer

    Just a quick comment, but I will have a lot more to say on other parts of your statement either here or elsewhere later. (real World commitments call!)

    ___
    when anonymous information is collected and used for behavioural advertising, and how they can choose to decline this type of advertising.
    ___

    1/ In many cases it can be proved on closer examination that these details are not really anonymous when all the parts of the puzzle are added together!

    2/ **Wrong way round again YOU SHOULD ASKING FOR PERMISSION FIRST not telling users how to choose to decline!**

  7. mADSLug:
    Mar 06, 2009 at 07:00 PM

    I was very glad to read Nick Stringer's comments about why DPI data harvesting was not included. I would like to ask him this one question:

    If DPI is "not relevant or applicable to many behavioural advertising business models, such as those provided operated by advertising networks" why have the IAB accepted as a signature to this current document a business which does [plan to] use DPI as a source for the majority of the data it collects while using the advertising partner website model for the small data set that comprises the balance of its data protfolio?

    Most people reading that document could be confused and be lead to understand that all the businesses signing up to the code will, from September, be limiting their data sources to the 2 sources listed in the guidelines, i.e. from that date they will cease to use as a source for data other data mining techniques like network log analysis, DPI, other demographic and geo-demographic data miners, etc.

    That document is far too limiting in its current form and only covers those data collection techniques which have become normal industry practice over the last 10+ years.

    Even 'personally identifiable data' in that document includes only data which could be used to identify an individual while they are offline. Which rather beggars the question as to the omission of any IAB guidelines with regard to PID which identifies users online.

  8. A Very Worried Messenger:
    Mar 05, 2009 at 07:01 PM

    Also related to this item is this scheduled debate!

    https://nodpi.org/2009/03/04/press-release-house-of-lords-round-table-event/

  9. A Very Worried Messenger Says:
    Mar 05, 2009 at 06:48 PM

    More than "one year" on & still the same issues!

    But I ask "One BIG Question" about the stance by the IAB:-

    If Phorm & Nebuad etc were actually acceptable, as your survey tries to convey (but fails miserably via missing details) then why are your ALL going through this Public Relations Exercise?

    ***Still Trying to convince Web Surfers who regard this "DPI snooping" as "Totally Unacceptable!"***



This thread has been closed from taking new comments.