Opt-in, First-and Third-Party sites: What CDD & PIRG Told the FTC

[First in a series based on our FTC filing from 18 Feb.  Excerpt]:





Consumers should be accorded the same kind of user opt-in control on first-party and third-party sites alike. First-party sites, it is clear, engage in a wide range of data collection and targeting approaches unknown even to their regular visitors, and user consent for these practices should be required. In addition, as first-party publishers increasingly engage in forms of data sales and sharing for the purposes of consumer tracking and targeting, the distinctions between first and third parties are eroding. …Turn, for example, operates a “data-driven” ad-targeting platform that “crunches 2000+ behavioral, contextual, inventory, and ad selection variables within 25 milliseconds… all to determine the right ad, right time, right price, and right audience.”  “Turn operates one of the largest marketing platforms on the Internet… ranked 6th in US audience reach, just behind companies like Google….”  A recent research paper by TURN discusses how its “data mining solution enables marketers to cost-effectively identify interactions and variables of thousands of data points. It also allows them to look at the entire user profile at the time of impression receipt and do a thorough analysis of the impact of all the variables on a campaign (including latent variables which go beyond the audience segmentation and are often times overlooked).”  Turn explains that its “secret sauce” is a “scalable infrastructure [that] enables us to read an individual user’s data profile from among hundreds of millions of profiles within a very small time frame, generally 2 or 3 milliseconds. And, we do this over 100,000 times a second (8+ billion times a day).” …

The company says in that statement that it “does not collect PII,” while saying that the following is only non-personal information: “…the IP address used to access the Internet, the type of browser used, which and how many Business Partner web pages have been viewed, search terms entered on Business Partner websites, referring/exit pages, and the date and time a Turn Ad was viewed.” In its discussion of the use of cookies and Web beacons, the company claims that such tracking and analysis isn’t personally identifiable. But the privacy policy and the claim that its targeting is all based on non-PII dta flies in the face of what its long list of “data partners” provide (let alone its own pronouncements on the ability to track and target an “entire user profile”). Its data partners include Bizo, IXI, TARGUSinfo, Polk, Datalogix, Almondnet, Bluekai and eXelate.

Bizo data provides “business demographics of a person which may include, but is not limited to job function, seniority, company size, industry, geography, etc.” IXI’s digital ad data enables online marketers to “target only the consumers that have the right financial profile for each offer and brand…. [with] real-time user classification capabilities…. [that] ranks online consumers based on their expected ability to pay their financial obligations… [and] provides a powerful, complete and accurate estimate of your prospects’ and customers’ total household income… [along with an] estimate of a household’s spending after accounting for the fixed expenses of life (housing, utilities, public transportation, personal insurance and pensions).”   TARGUSinfo’s data includes “names, addresses, landline phone numbers, mobile phone numbers, email addresses, IP addresses and predictive attributes” (continually updated “10 times daily”).  TARGUSinfo also facilitates the collection of “audience targeting data high-quality, offline attributes—including demographics, shopping behaviors, lifestyles, preferences and brand affinities—that are verified… to accurately identify Internet users and link them to attributes—such as demographics, buying behaviors and attitudes—in a real-time… manner…. enabling you to target the most relevant ad to every user regardless of location or media buying methodology.”  “AdAdvisor services use cookies that give you a window to rich, predictive data on over 50 million unique US users.”  Polk can provide “consumer detail (e.g., age, household income, gender), phone numbers, email addresses,” along with “comprehensive customer profiles with unique automotive variables…. The number of registered vehicles in a household, When a household will likely be in the market for their next vehicle purchase, How much will likely be spent on the next vehicle purchase,” and “reliable and extensive ethnic data including those with the highest levels of purchasing power—Hispanics and Asians.”  Datalogix, “a source for real-world data for online targeting” uses “tens of millions of …Affiniti Cookies to support online targeting.”  “DataLogix’ audience platform is powered by a database with over $1 trillion dollars in consumer spending behavior.”  “Available data spans hundreds of product categories and a host of recency, frequency and monetary value data elements.”  AlmondNet “partner(s) with Data-Owners & Media-Owners to facilitate the delivery of relevant, targeted (based on recently-conducted searches for products/services) ads to consumers wherever they go…,” “…based on their observed online behavior wherever they may be found.”  “[O]ur technology collects information about Users from our data partners, and from Users as they visit our partner web sites.”




Ball State University, Privacy, and Research Sponsorship by Marketers

Ball State University has developed a reputation for engaging in interactive media research, often working with marketing companies such as Nielsen.  Its Center for Media Design just released research on privacy, suggesting in their comments that the debates on privacy have been over-simplied, including by advocates.  Like many others, Ball State examines privacy and fails to fully explore how online data collection really works in the context of contemporary digital marketing.  But given Ball State’s close ties with online marketers–including the staff of the Center for Media Design–perhaps it’s not surprising that its review didn’t place the issue under the appropriate critical lens.

For example, Sequent Partners, which works on online marketing and other related issues, is a partner of Ball State.  Sequent explains that:
Sequent Partners is the majority shareholder in Media Behavior Institute, a consumer-centric and media-neutral multimedia research company formed in 2008 and which enjoys a uniquely close relationship with Ball State University. Media Behavior Institute applied the University’s observational research and conducted the Nielsen Council for Research Excellence Video Consumer Mapping study, the most ambitious multi-media measurement ever conducted.

Sequent Partners is also a shareholder and active member of the Media Trust LLC. This team was formed specifically to analyze in-market advertising and media response, and best-of-class sources of single-source data. Media Trust offers the most insightful set of evaluation tools for media and advertising.

Sequent Partners also has a long-term development and product management relationship with OTX Research (Ipsos ASI) in the area of multimedia advertising research.

Working at the Media Behavior Institute is Mike Bloxham, the long-time research director for the Center for Media Design, who just left the university to also work at a digital media start-up.

The privacy debate is an important one, as are many of the issues at stake in the digital communications era.  The public needs independent research to help address these serious and complex issues.  Scholars and universities have an important role to play.  Ball State is not the only school with its hand-out for grants and research contracts.   But such relationships create conflicts that need to be addressed, including ensuring the research is designed to serve the broader public–not just the special interests supporting the school.

Facebook’s new DC Lobbyist: Oops, I mean “Customer Service” Rep!

Are they a lobbyist to reach out to the GOP or a mere “customer service” representative who can help guide powerful  politicians through the Facebook social media marketing maze?  Read this excerpt from Clickz.com and decide for yourself:

Facebook has hired a Republican Party insider to beef up its political outreach team. Former digital strategist at the National Republican Senatorial Committee, Katie Harbath…will join the firm’s small Washington, D.C.-based team as associate manager, policy…The company considers the role to be a customer service position
, aimed at helping legislators and their staffers, congressional committees and political campaigns make better use of Facebook. Until now, Facebook’s U.S. Politics Page, politics-related media partnerships, and Capitol Hill outreach has been handled primarily by two Facebook public policy execs, Adam Conner Andrew Noyes, the firm’s manager, public policy communications….[and] Twitter also is building out a D.C. staff. In January, Adam Sharp, was set to begin his work as the company’s government and political partnerships manager. He is charged with helping lawmakers, politicians, and government staff take better advantage of the micro-blogging site.

Pepsi Exec Tells What Keeps Facebook’s Zuckerberg “Up at Night”–Guess What it Is [Annals of Social Media Marketing & Privacy]

Shiv Singh is the head of digital marketing for Pepsi’s beverage line-up.  At a recent “Social Media Week” event, he discussed how brands should increase efforts to “listen” to social media conversations.  Mr. Singh said that:
“Twenty-five percent of all time spent online is spent on Facebook.  We only get to see and listen to a small slice of that. That [larger slice] is the missing link. We sometimes overstate the benefits of listening and we don’t acknowledge the fact that we’re not listening to everything as a whole. Mark Zuckerberg and his team at Facebook are brilliant, but if there’s one thing that keeps him awake at night it’s that the default state for profiles is not public.”

No doubt, if privacy advocates and responsible policymakers–and concerned Facebook users–hadn’t objected, the profiles would be public by default.  Given that Facebook’s ad revenues are connected to having such a goldmine of data free to its partners, having profiles be public by default would give us privacy nightmares.

AOL Touts its “Powerful Data Warehouse” inc. from behavioral targeting. Hello, Arianna–Remember Privacy!

Excerpts from AOL’s Advertising.com “Adlearn” system and its experts:

* The sheer size and scale of AOL makes us a powerful data warehouse. We have massive amounts of data and raw ad serving logs coming from the AOL Advertising organization (including Advertising.com, ADTECH, behavioral and contextual logs, etc.). Our systems are processing five billion transactions (clicks, conversions, etc.) per second.

*access to inventory, data and analytics is going to become fairly liquid in the marketplace. This will lead to automation advancements in platforms and media planning tools that advertisers leverage to place campaigns…Automation will also impact the publishing side of the equation. Content will be created based on demand by users, and advertisers will align themselves with that content as it is created…Every impression in the future will be data-driven – we won’t serve run-of-network campaigns any longer. You will know something about the user before you serve an ad and every creative will be dynamically-generated.

and “eAddressable household level targeting

  • Survey-based Targeting (MRI/Household Propensity): Target users within households that demonstrate the highest propensity to use certain products or services as indicated by MRI consumer survey panel data matched to Mosaic Household Lifestyle Clusters.
  • Purchase-based Targeting (IRI/Household Propensity): Target users within households that demonstrate the highest propensity to buy certain products as indicated by IRI consumer purchase panel data matched to Mosaic Household Lifestyle Clusters.
  • Offline Consumer Model Targeting (Experian eAddressable Audiences): Target users within households using Experian’s statistical modeling based on hundreds of offline data elements that are most predictive for defining the specific audience of consumers.
  • Custom Database Match: Target users within households that are both the advertiser’s best prospects and AOL media consumers with offline database matching.
  • Mosaic Household Lifestyle Cluster: Target users within households that are categorized by Experian’s 60 Mosaic lifestyle consumer segments.

Leading Health, Privacy, and Consumer Groups Call on FTC to Protect Adolescent Privacy online

For Immediate Release:  Feb. 18, 2011
Child, Health and Consumer Advocates Ask FTC for Teen Privacy Protections, including Do-Not-Track and No Behavioral Targeting

Today a Coalition of Child, Health and Consumer Advocates filed comments on the Federal Trade Commission’s proposed privacy framework asking for increased privacy protections for adolescents.   The coalition includes leading advocates such as the Center for Digital Democracy, the American Academy of Child and Adolescent Psychiatry, American Academy of Pediatrics, Children Now, and the Consumer Federation of America.

Privacy protections are needed as teens are increasingly subjected to privacy invasions online. Teens are using new media technologies for key social interactions and to explore their identities. This increased use of digital media subjects them to wholesale data collection and profiling of even their most intimate interactions with friends, family, and schools. Meanwhile, recent research in psychology and neuroscience reveals that teens are more prone to risky behavior when their anxieties and peer relations are exploited. Privacy protections are needed to keep the online world social and safe.

Companies should not use data to behaviorally profile teens. The framework should also provide enhanced choice for adolescents, including a Do Not Track feature. In implementing “privacy by design,” companies should consider the needs and vulnerabilities of teens.  They should address those vulnerabilities by, for example, minimizing the amount of data collected from teens.  Data that is collected should be retained for only short periods and should be afforded greater security.

“Teens live online today,” said Guilherme Roschke, attorney for CDD. “This time of development and maturation requires privacy protections. Teens cannot go it alone against the vast data collection and profiling infrastructure of new media technologies that not even adults can understand.”

“Because of their avid use of new media, adolescents are primary targets for digital marketing,” explained co-signer Kathryn C. Montgomery, Ph.D. “The unprecedented ability of digital technologies to track and profile individuals across the media landscape, and to engage in sophisticated forms of targeting, puts these young people at special risk of compromising their privacy.”

The full coalition includes:

Center for Digital Democracy, American Academy of Child and Adolescent Psychiatry, American Academy of Pediatrics, Berkeley Media Studies Group, a project of the Public Health Institute, Children Now, Consumer Federation of America, Consumer Watchdog, David VB Britt, Retired CEO, Sesame Workshop, Ellen Wartella, Kathryn Montgomery, National Policy & Legal Analysis Network to Prevent Childhood Obesity, a project of Public Health Law & Policy, The Praxis Project, Privacy Rights Clearinghouse, Public Good, Public Health Institute, Tamara R. Piety, and World Privacy Forum

Guilherme Roschke
Staff Attorney / Fellow
Institute for Public Representation
First Amendment and Media Center
Georgetown University Law Center
T:(202) 662-9543
F:(202) 662-9634
gcr22@law.georgetown.edu
http://www.law.georgetown.edu/clinics/ipr/
**********

Digital Pharma Watch—Study Shows Privacy at Risk on Social Media Health Sites

Just as the FTC and (we assume) the Commerce Department’s Internet Policy Task Force are examining what the new safeguards should be for sensitive data involving online health marketing, there is an important new research study in the Journal of the American Medical Infomatics Association.  As Information Week reports, the study “examined 10 diabetes-focused social networking sites [and]  found that the quality of clinical information, as well as privacy policies, significantly varied across these sites.  The study, “Social but safe? Quality and safety of diabetes-related online social networks,” was conducted by researchers in the Children’s Hospital Boston informatics program…and found that only 50% presented content consistent with diabetes science and clinical practice.  The research…also revealed that sites lacked scientific accuracy and other safeguards such as personal health information privacy protection, effective internal and external review processes, and appropriate advertising.”

The study underscores the issues raised by CDD and its colleague privacy and consumer protections groups last November in a complaint filed at the FTC.

NTIA’s Strickling on Privacy: He Forgets Consumers!

Here’s an excerpt via Politico from their interview with Department of Commerce NTIA Chief–and potential privacy policy maven–Lawrence Strickling.  Note the absence of consumers in his description of the problem and issues.  The Commerce Department, which is jockeying to have a greater role in the privacy debate (which the largest data collectors like because they are afraid of the consumer watchdog-minded FTC), better start making consumer needs come first–if they are to have any credibility here in the U.S. and with the EU.   It appears from the interview the Commerce Department has largely made up its mind to rely on “voluntary enforceable codes of conduct.”   Here’s what Larry said in a Q & A:

NTIA is also getting into the privacy discussions.

It’s part of the larger Internet Policy Task Force that’s underway here at Commerce where our agency — along with other agencies — is looking at a number of Internet policy issues. Privacy is first and foremost on the list, but we’re also looking at the protection of intellectual property, cybersecurity, and we’ll be looking at the free flow of information. For Commerce, our theme links all these topics around the notion of innovation, preserving the job creation and business expansion aspects of the Internet and trying to protect that going forward. So in the area of privacy, the task force did issue the green paper late last year. Comments just came in on that, so people are starting to work their way through them, with the goal that we’ll take the green paper and turn it into a more final pronouncement of the Department of Commerce or perhaps even the administration’s policy on privacy later this spring.

Do you think there should be a government office specifically dedicated to privacy?

We certainly believe that if we’re going to move forward with these voluntary enforceable codes of conduct with the industry that the function of convening and organizing that process should sit [in the government]. Our believe is that the Department of Commerce, and in particular NTIA, is the appropriate place for that function to reside. When we start talking about offices that sounds more bureaucratic and maybe requires departmental administrative orders. But on the issue of making sure that function is done, yes, based on what we see in the comments, we think that’s an appropriate idea. We think it’s a necessary idea in terms of working with industry and we’ll see how this all plays out over the course of the spring.

What is NTIA doing internationally on the privacy front?

Privacy has big international implications because the Council of Europe is looking at redoing what they’ve done in privacy. The European Union is looking at this issue. OECD is looking at the issue. So we’re very cognizant of the need to make sure our policy, whatever it is, is designed in a way to best harmonize with what’s happening in the rest of the world, and in particularly Europe.

U.S. Online Marketers Want Obama Adm. to Press for Weaker Privacy Safeguards for EU, Asia-Pacific & Other Global Citizens & Consumers

The U.S.’s larger marketing, advertising and media lobbying organizations want the Obama Administration to help them continue to engage in behavioral data profiling and other digital marketing techniques without meaningful safeguards.  Trade groups–including the Direct Marketing Association, Interactive Ad Bureau, and the 4A’s–  told the Obama Commerce Department it wants it to negotiate a trade deal with the EU and elsewhere that would give U.S. online ad companies, in essence, a free pass on data collection and tracking.  Can you believe they want U.S. self-regulation (ineffective and a cover to permit the expansion of consumer data collection) to be the global standard.  File this under digital Chutzpah!  They wrote in a [my emphasis]  filing:

We support the Department’s recommendation that the U.S. government continue to develop a framework for mutual recognition of an international data privacy framework. The Department has an important role in representing and advocating for the interests of American businesses.  We believe that the Department has the experience and expertise needed not only to represent the interests of U.S. industry, but to lead the global privacy policy debate.  We recommend that the Department advocate for a global framework consistent with U.S. privacy standards, including the Self-Regulatory Principles for Online Behavioral Advertising, which have allowed U.S. companies to lead the world in innovation and to remain economically competitive.  In addition to decreasing regulatory barriers to trade and commerce, global interoperability should promote—or at a minimum not impede—economic competition and innovation.  We believe the U.S. approach to privacy policy meets these goals.

Here’s who signed the filing.  Attention EU–watch out.  And a question for the Obama Administration.  Which side of the keeping the online medium a real reflection of democratic potential will you be on?

American Advertising Federation
American Association of Advertising Agencies
ASAE
Association of National Advertisers
Coalition for Healthcare Communications
Direct Marketing Association
Electronic Retailing Association
Interactive Advertising Bureau
MPA — The Association of Magazine Media
National Business Coalition on E-Commerce and Privacy
Newspaper Association of America
Performance Marketing Association
TechAmerica

Pandora to Investors: We are Afraid of “Do-Not-Track” Privacy Rules and also Google’s Clout

From Pandora’s recent S-1 IPO filing at the SEC [our bold]:
excerpt:  Existing privacy-related laws and regulations are evolving and subject to potentially differing interpretations, and various federal and state legislative and regulatory bodies may expand current or enact new laws regarding privacy and data security-related matters. We may find it necessary or desirable to join self-regulatory bodies or other privacy-related organizations that require compliance with their rules pertaining to privacy and data security. We also may be bound by contractual obligations that limit our ability to collect, use, disclose, and leverage listener data and to derive economic value from it. New laws, amendments to or re-interpretations of existing laws, rules of self-regulatory bodies, industry standards and contractual obligations, as well as changes in our listeners’ expectations and demands regarding privacy and data security, may limit our ability to collect, use, and disclose, and to leverage and derive economic value from listener data. We may also be required to expend significant resources to adapt to these changes and to develop new ways to deliver relevant advertising or otherwise provide value to our advertisers. In particular, government regulators have proposed “do not track” mechanisms, and requirements that users affirmatively “opt-in” to certain types of data collection that, if enacted into law or adopted by self-regulatory bodies or as part of industry standards, could significantly hinder our ability to collect and use data relating to listeners. Restrictions on our ability to collect, access and harness listener data, or to use or disclose listener data or any profiles that we develop using such data, would in turn limit our ability to stream personalized music content to our listeners and offer targeted advertising opportunities to our advertising customers, each of which are critical to the success of our business...


We use DoubleClick’s ad-serving platform to deliver and monitor ads for our service. There can be no assurance that our agreement with DoubleClick, which is owned by Google, will be extended or renewed upon expiration, that we will be able to extend or renew our agreement with DoubleClick on terms and conditions favorable to us or that we could identify another alternative vendor to take its place. Our agreement with DoubleClick also allows DoubleClick to terminate our relationship before the expiration of the agreement on the occurrence of certain events, including if DoubleClick determines that our use of its service could damage or cause injury to DoubleClick or reflect unfavorably on DoubleClick’s reputation
….In fiscal 2010 and the nine months ended October 31, 2010, advertising revenue accounted for 90.9% and 86.4%, respectively, of our total revenue, and we expect that advertising will comprise a substantial majority of revenue for the foreseeable future. In fiscal 2010 and the nine months ended October 31, 2010, Google accounted for 11.4% and 7.4%, respectively, of our total revenue. We deliver online ads provided by Google through our service, and Google sources us with advertising customers through ad exchanges.