Last week, the Digital Advertising Alliance (DAA), as association of 6 online advertising groups1, published a set of Self-Regulatory Principles for Multi-Site Data. These principles are designed to cover data collection above and beyond the standards the group adopted for behavioral advertising. These principles are a mixed bag. Even while the new standards offer the potential to improve transparency and user choice in some instances, the language of the standards is loose enough to allow many of the concerning practices to continue unabated.2 And, as is often the case with self-regulatory models, the DAA’s new standards won’t be enforced. Companies that violate the principles suffer no consequences.
Regulation of online tracking has been long-debated by industry figures and privacy advocates. At the core of the debate is how to strike a balance between users’ rights to protect their privacy when browsing the web and the needs of companies to implement new online services without burdensome government regulation. Thoughtful self-regulation has been heavily promoted by the advertising industry, and last Monday’s announcement is likely an attempt to obviate possible governmental regulation. This is no surprise; Congress has introduced several bills that could regulate the collection of online data and the advertising industry is thus eager to prove their corporate citizenship when it comes to protecting privacy and choice.
But users should be skeptical about the DAA’s self-regulatory scheme, especially given their less-than-stellar performance record in safeguarding privacy in the past. We can see case studies in the limits of self-regulation in two of the DAA’s major online privacy initiatives: the advertising opt-out tool and the advertising icon.
- The DAA’s web-based opt-out tool can be used to install opt-out cookies on one’s browsers. The usability of this approach was evaluated by researchers at Carnegie Melon University in a study published a few weeks ago (Why Johnny Can’t Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising). The study found that users struggled to use the DAA tool: they found it difficult to navigate to the actual opt-out page; it wasn't obvious that opting out of all trackers required switching out of the default tab on the opt-out page; they didn’t realize that deleting cookies would negate the opt-outs; and they weren’t able to confirm whether opting out was effective. Perhaps most concerning, users didn’t grasp what the opt-out meant: users assumed that opting-out through the DAA form stopped online tracking, when in fact it merely adjusts the advertisements that are displayed. Tracking doesn't stop.
- The DAA is also responsible for the advertising option icon, designed to inform consumers about data collection and use practices. Like the opt-out tool, the advertising icon doesn’t actually do anything to stop online tracking. It’s merely designed to inform and educate users – and it may not even be able to do that. A 2011 survey by Truste found that, while 70% of respondents were aware of online behavioral advertising, less than 5% recognized the DAA’s icons. And as security researcher Jonathan Mayer of Stanford noted, the icon often doesn’t appear at all.
Like the DAA’s previous initiatives, there are no teeth in the Principles for Multi-Site Data. Enforcement is supposed to be achieved through a qualified, objective and independent professional service using procedures and standards generally accepted in the profession. While this is a good starting place, there are no repercussions spelled out for receiving a bad report. There’s no indication that fines or even formal reprimands will be issued to bad actors, and no provision for removing bad actors from the DAA.
This is similar to the DAA’s accountability program for online behavioral advertising, in which the Direct Marketing Association and the Council for Better Business Bureaus (CBBB) accept complaints about companies that are suspected of violating the self-regulatory guidelines. Beyond their byzantine processes for filing and responding to complaints, it’s unclear what the DMA and CBBB will actually do with any of the complaints they receive. On Tuesday, the CBBB released its first summary of decisions regarding online behavioral tracking. In the six instances, the CBBB convinced the company to adjust its practices, in most instances by having the company extend the expiration date of its opt-out cookie. The DAA self-regulatory approach doesn’t actually give consumers a method to say no to online tracking.
The DAA can and should take affirmative steps to protect user privacy. Most importantly, they could adopt forward-thinking standards for respecting Do Not Track, a browser setting currently available in Safari, Internet Explorer and Firefox. When turned on, Do Not Track sends a simple signal that tells websites that a user doesn’t want to be tracked. Users don’t have to visit a special website to turn it on and clearing cookies won’t turn it off; it’s a simple way for users to clearly communicate that they want to be able to use the Internet without handing over loads of sensitive data to companies with which they have no relationship.
While there are benefits to the DAA’s self-regulatory program, it should not be taken as a replacement for other forms of regulation. And the DAA’s self-regulatory principles, while not bad, fall far short of the user benefits of Do Not Track.
- 1. The DAA is made up of 6 major online advertising groups, including American Association of Advertising Agencies (4A’s), American Advertising Federation (AAF), Association of National Advertisers (ANA), Direct Marketing Association (DMA), Interactive Advertising Bureau (IAB), Network Advertising Initiative (NAI)
- 2. Jonathan Mayer of Stanford University has a good summary of the principles here.