Cybertelecom
Cybertelecom
Federal Internet Law & Policy
An Educational Project
Targeted Advertising / Online Profiling Dont be a FOOL; The Law is Not DIY


Derived From: Online Profiling: A Report to Congress, FTC (June 2000) PDF (Editor's Note: Please keep in mind that this description was written in 2000; the market and situation has evolved substantially)

Over the past few years, online advertising has grown exponentially in tandem with the World Wide Web. A large portion of that online advertising is in the form of "banner ads" displayed on Web pages - small graphic advertisements that appear in boxes above or to the side of the primary site content. Currently, tens of billions of banner ads are delivered to consumers each month as they surf the World Wide Web. Often, these ads are not selected and delivered by the Web site visited by a consumer, but by a network advertising company that manages and provides advertising for numerous unrelated Web sites.

In general, these network advertising companies do not merely supply banner ads; they also gather data about the consumers who view their ads. This is accomplished primarily by the use of "cookies" and "Web bugs" which track the individual's actions on the Web [it is also through the use of Deep Packet Inspection]. Among the types of information that can be collected by network advertisers are: information on the Web sites and pages within those sites visited by consumers; the time and duration of the visits; query terms entered into search engines; purchases; "click-through" responses to advertisements; and the Web page a consumer came from before landing on the site monitored by the particular ad network (the referring page). All of this information is gathered even if the consumer never clicks on a single ad.

The information gathered by network advertisers is often, but not always, anonymous, i.e., the profiles are frequently linked to the identification number of the advertising network's cookie on the consumer's computer rather than the name of a specific person. This data is generally referred to as non-personally identifiable information ("non-PII"). In some circumstances, however, the profiles derived from tracking consumers' activities on the Web are linked or merged with personally identifiable information ("PII"). This generally occurs in one of two ways when consumers identify themselves to a Web site on which the network advertiser places banner ads. First, the Web site to whom personal information is provided may, in turn, provide that information to the network advertiser. Second, depending upon how the personal information is retrieved and processed by the Web site, the personally identifying information may be incorporated into a URL string that is automatically transmitted to the network advertiser through its cookie.

Once collected, consumer data can be analyzed and combined with demographic and "psychographic" data from third-party sources, data on the consumer's offline purchases, or information collected directly from consumers through surveys and registration forms. This enhanced data allows the advertising networks to make a variety of inferences about each consumer's interests and preferences. The result is a detailed profile that attempts to predict the individual consumer's tastes, needs, and purchasing habits and enables the advertising companies' computers to make split second decisions about how to deliver ads directly targeted to the consumer's specific interests.

The profiles created by the advertising networks can be extremely detailed. A cookie placed by a network advertising company can track a consumer on any Web site served by that company, thereby allowing data collection across disparate and unrelated sites on the Web. Also, because the cookies used by ad networks are generally persistent, their tracking occurs over an extended period of time, resuming each time the individual logs on to the Internet. When this "clickstream" information is combined with third-party data, these profiles can include hundreds of distinct data fields.

Although network advertisers and their profiling activities are nearly ubiquitous, they are most often invisible to consumers. All that consumers see are the Web sites they visit; banner ads appear as a seamless, integral part of the Web page on which they appear and cookies are placed without any notice to consumers. Unless the Web sites visited by consumers provide notice of the ad network's presence and data collection, consumers may be totally unaware that their activities online are being monitored.

An Illustration of How Network Profiling Works

Online consumer Joe Smith goes to a Web site that sells sporting goods. He clicks on the page for golf bags. While there, he sees a banner ad, which he ignores as it does not interest him. The ad was placed by USAad Network. He then goes to a travel site and enters a search on "Hawaii." USAad Network also serves ads on this site, and Joe sees an ad for rental cars there. Joe then visits an online bookstore and browses through books about the world's best golf courses. USAad Network serves ads there, as well. A week later, Joe visits his favorite online news site, and notices an ad for golf vacation packages in Hawaii. Delighted, he clicks on the ad, which was served by the USAad Network. Later, Joe begins to wonder whether it was a coincidence that this particular ad appeared and, if not, how it happened.

Embedded in the HTML code that Joe's browser receives from the sporting goods site is an invisible link to the USAad Network site which delivers ads in the banner space on the sporting goods Web site. Joe's browser is automatically triggered to send an HTTP request to USAad which reveals the following information: his browser type and operating system; the language(s) accepted by the browser; the address of the referring Web page (in this case, the home page of the sporting goods site); and the identification number and information stored in any USAad cookies already on Joe's computer. Based on this information, USAad will place an ad in the pre-set banner space on the sporting goods site's home page. The ad will appear as an integral part of the page. If an USAad cookie is not already present on Joe's computer, USAad will place a cookie with a unique identifier on Joe's hard drive. Unless he has set his browser to notify him before accepting cookies, Joe has no way to know that a cookie is being placed on his computer. When Joe clicks on the page for golf bags, the URL address of that page, which discloses its content, is also transmitted to USAad by its cookie.

When Joe leaves the sporting goods site and goes to the travel site, also serviced by USAad, a similar process occurs. The HTML source code for the travel site will contain an invisible link to USAad that requests delivery of an ad as part of the travel site's page. Because the request reveals that the referring site is travel related, USAad sends an advertisement for rental cars. USAad will also know the identification number of its cookie on Joe's machine. As Joe moves around the travel site, USAad checks his cookie and modifies the profile associated with it, adding elements based on Joe's activities. When Joe enters a search for "Hawaii," his search term is transmitted to USAad through the URL used by the travel site to locate the information Joe wants and the search term is associated with the other data collected by the cookie on Joe's machine. USAad will also record what advertisements it has shown Joe and whether he has clicked on them.

This process is repeated when Joe goes to the online bookstore. Because USAad serves banner ads on this site as well, it will recognize Joe by his cookie identification number. USAad can track what books Joe looks at, even though he does not buy anything. The fact that Joe browsed for books about golf courses around the world is added to his profile.

Based on Joe's activities, USAad infers that Joe is a golfer, that he is interested in traveling to Hawaii someday, and that he might be interested in a golf vacation. Thus, a week later, when Joe goes to his favorite online news site, also served by USAad, the cookie on his computer is recognized and he is presented with an ad for golf vacation packages in Hawaii. The ad grabs his attention and appeals to his interests, so he clicks on it.

Profiling Benefits and Privacy Concerns

Benefits

Cookies are used for many purposes other than profiling by third-party advertisers, many of which significantly benefit consumers. For example, Web sites often ask for user names and passwords when purchases are made or before certain kinds of content are provided. Cookies can store these names and passwords so that consumers do not need to sign in each time they visit the site. In addition, many sites allow consumers to set items aside in an electronic shopping cart while they decide whether or not to purchase them; cookies allow a Web site to remember what is in a consumer's shopping cart from prior visits. Cookies also can be used by Web sites to offer personalized home pages or other customized content with local news and weather, favorite stock quotes, and other material of interest to individual consumers. Individual online merchants can use cookies to track consumers' purchases in order to offer recommendations about new products or sales that may be of interest to their established customers. Finally, by enabling businesses to monitor traffic on their Web sites, cookies allow businesses to constantly revise the design and layout of their sites to make them more interesting and efficient.

Network advertisers' use of cookies and other technologies to create targeted marketing programs also benefits both consumers and businesses. As noted by commenters at the Public Workshop, targeted advertising allows customers to receive offers and information about goods and services in which they are actually interested. Targeted advertising can also improve a consumer's Web experience simply by ensuring that she is not repeatedly bombarded by the same ads. Businesses clearly benefit as well from the ability to target advertising because they avoid wasting advertising dollars marketing themselves to consumers who have no interest in their products.

Additionally, a number of commenters stated that targeted advertising helps to subsidize free content on the Internet. By making advertising more effective, profiling allows Web sites to charge more for advertising. This advertising revenue helps to subsidize their operations, making it possible to offer free content rather than charging fees for access.

Finally, one commenter suggested that profiles can also be used to create new products and services. First, entrepreneurs could use consumer profiles to identify and assess the demand for particular products or services. Second, targeted advertising could help small companies to more effectively break into the market by advertising only to consumers who have an interest in their products or services.

In sum, targeted advertising can provide numerous benefits to both business and consumers.

Concerns

Despite the benefits of targeted advertising, there is widespread concern about current profiling practices. Many commenters at the Workshop objected to network advertisers' hidden monitoring of consumers and collection of extensive personal data without consumers' knowledge or consent; they also noted that network advertisers offer consumers few, if any, choices about the use and dissemination of their individual information obtained in this manner. As one of the commenters put it, current profiling practices "undermine[] individuals' expectations of privacy by fundamentally changing the Web experience from one where consumers can browse and seek out information anonymously, to one where an individual's every move is recorded."

The most consistent and significant concern expressed about profiling is that it is conducted without consumers' knowledge. The presence and identity of a network advertiser on a particular site, the placement of a cookie on the consumer's computer, the tracking of the consumer's movements, and the targeting of ads are simply invisible in most cases. This is true because, as a practical matter, there are only two ways for consumers to find out about profiling at a particular site before it occurs. The first is for Web sites that use the services of network advertisers to disclose that fact in their privacy policies. Unfortunately, this does not typically occur. As the Commission's recent [year 2000] privacy survey discovered, although 57% of a random sample of the busiest Web sites allowed third parties to place cookies, only 22% of those sites mentioned third-party cookies or data collection in their privacy policies; of the top 100 sites on the Web, 78% allowed third-party cookie placement, but only 51% of those sites disclosed that fact. The second way for consumers to detect profiling is to configure their browsers to notify them before accepting cookies. One recent survey indicates, however, that only 40% of computer users have even heard of cookies and, of those, only 75% have a basic understanding of what they are.

The second most persistent concern expressed by commenters was the extensive and sustained scope of the monitoring that occurs. Unbeknownst to most consumers, advertising networks monitor individuals across a multitude of seemingly unrelated Web sites and over an indefinite period of time. The result is a profile far more comprehensive than any individual Web site could gather. Although much of the information that goes into a profile is fairly innocuous when viewed in isolation, the cumulation over time of vast numbers of seemingly minor details about an individual produces a portrait that is quite comprehensive and, to many, inherently intrusive.

For many of those who expressed concerns about profiling, the privacy implications of profiling are not ameliorated in cases where the profile contains no personally identifiable information. First, these commenters felt that the comprehensive nature of the profiles and the technology used to create them make it reasonably easy to associate previously anonymous profiles with particular individuals. This means that anyone who obtains access to ostensibly anonymous data - either by purchasing the data or hacking into it - might be able to mine the data and link it to identifiable individuals. Second, commenters feared that companies could unilaterally change their operating procedures and begin associating personally identifiable information with non-personally identifiable data previously collected. Third, commenters noted that, regardless of whether they contain personally identifiable information, profiles are used to make decisions about the information individuals see and the offers they receive. These commenters expressed concern that companies could use profiles to determine the prices and terms upon which goods and services, including important services like life insurance, are offered to individuals (for example, products might be offered at higher prices to consumers whose profiles indicate that they are wealthy, or insurance might be offered at higher prices to consumers whose profiles indicate possible health risks).44 This practice, known as "weblining," raises many of the same concerns that "redlining" and "reverse redlining" do in offline financial markets.

Another concern expressed by commenters is that, as consumers begin to learn more about companies' monitoring activities, fear of online monitoring will discourage valuable uses of the Internet that are fostered by its perceived anonymity. As one commenter noted:

The anonymity that the Internet affords individuals has made it an incredible resource for those seeking out information. Particularly where the information sought is on controversial topics such as sex, sexuality, or health issues such as HIV, depression, and abortion; [sic] the ability to access information without risking identification has been critical.

Indeed, in support of this point, this commenter cites studies that it believes suggest that, in both the online and offline world, the perceived anonymity of computer research facilitates access to these kinds of sensitive information. By chilling use of the Internet for such inquiries, several commenters asserted, profiling may ultimately prevent access to important kinds of information.

Finally, some commenters expressed the opinion that targeted advertising is inherently unfair and deceptive. They argued that targeted advertising is manipulative and preys on consumers' weaknesses to create consumer demand that otherwise would not exist, and that, as a result, targeted advertising undermines consumers' autonomy.

Ultimately, consumers' privacy concerns are businesses' concerns; the electronic marketplace will not reach its full potential unless consumers become more comfortable browsing and purchasing online. That comfort is unlikely to come unless consumers are confident (1) that they are notified at the time and place information is collected who is collecting information about them, what information is being collected, and how it will be used and (2) that they can choose whether their personal information is gathered, how it is used, and to whom it is disseminated.

FTC Behavior Advertising Principles

Online Profiling

Congressional Hearings

Caselaw

Papers

NebuAd

News

© Cybertelecom ::