Monday, January 11, 2010

The Security Risks with Sharing Documents and How to Prevent Them

by Adi Ruppin, Confidela
Dec 2, 2009 10:06:19 AM




The Federal Trade Commission (FTC) is ramping up efforts to explore online behavioral advertising on December 7th in the first of three consumer privacy roundtable discussions. The FTC will examine the privacy, regulatory, and business issues of online behavioral advertising amongst consumer and privacy advocates, business leaders, and government in the first roundtable event.

Jordan Prokopy is a privacy specialist at Anzen Consulting Inc. Co-author Megan Brister is a partner with Anzen and has over 10 years of information privacy experience. Co-author Miyo Yamashita is the founding partner of Anzen and specializes in the impact of data protection laws on privacy practices.

Online behavioral advertising enables businesses to serve advertisements that closely relate to the inferred interests of a consumer. For example, a consumer accesses an online bookstore to find books about golf. If that bookstore engages in online behavioral advertising, then its network advertiser will use cookies to track information about the consumer, including, among other things, search queries (e.g., “learn to golf”), products the consumer views (e.g., Tiger Woods' “How I Play Golf”), and the length of time the consumer remains on each page. When the consumer leaves the online bookstore to visit an airline’s Web site, where the consumer subsequently books a flight from Washington to Vancouver, the airline’s Web site displays corresponding advertisements on popular golf destinations in the Washington and Vancouver areas. The Web site is able to serve these targeted advertisements because the network advertiser has an arrangement with both the bookstore and airline Web site, among others.


Consumer Privacy Concerns


Targeted advertisements are intended to provide consumers with beneficial, free content and to reduce unwanted advertising. However, both consumers and privacy advocacy organizations have raised questions about the implications of online behavioral advertising on consumer privacy. According to a recent survey by the University of California, Berkeley (UC Berkeley) and the University of Pennsylvania, 66 percent of Americans object to online advertising tailored to their interests, which is contrary to the claims of many advertisers. Further, this number increases to approximately 80 percent once consumers are informed of the means by which advertisers collect their data for targeted advertising. This confirms prevailing concerns from consumer and privacy advocacy groups, which center around two major issues. First, businesses engaged in online behavioral advertising have generally been slow to adopt transparent consumer data collection and tracking policies. This is a concern particularly for vulnerable groups such as minors or non-English speaking consumers, who may not have the capacity to understand legally written policies or to readily find policies on data collection and use that may be “buried” on a Web site. The invisibility of data management practices also raises concerns for other consumer groups, who have argued that without knowledge and control over the collection of data, Web sites may mishandle such data, exposing sensitive information about consumer health, finances or sexual orientation.


Second, Web sites may track even tech-savvy consumers without their knowledge. A study conducted by UC Berkeley found that over half of the top 100 Web sites set Flash cookies, which are stored in a different location from browser cookies and are not controlled through the browser’s privacy settings. This means that if a consumer deletes his or her cookies, Flash cookies persist. More deceptive methods may also be used to reinstate non-Flash cookies that consumers have deleted – a practice referred to as “re-spawning.”
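The check below is an added example, not part of the original article or of the UC Berkeley study: it shows how an auditor could flag re-spawning by comparing cookie snapshots taken before and after a cookie clear against values held in Flash storage. The domains, cookie names, values, the `MIN_ID_LENGTH` threshold and the `find_respawned` function are all assumptions made for illustration.

```python
# Added example: flag HTTP cookies that reappear unchanged after deletion and
# trace them to a Flash cookie (local shared object, LSO) holding the same value.
# All domains, cookie names and values below are constructed sample data.

MIN_ID_LENGTH = 8  # assumption: shorter values ("en", "1") are settings, not IDs

COOKIES_BEFORE = {
    ("books.example", "uid"): "a81f3c9e77d2",
    ("books.example", "lang"): "en",
    ("ads.example", "trk"): "5520cc01ab9f",
    ("news.example", "sid"): "77aa90b1c3de",
}
# Snapshot taken after clearing browser cookies and revisiting the same pages.
COOKIES_AFTER = {
    ("books.example", "uid"): "a81f3c9e77d2",   # same ID is back
    ("books.example", "lang"): "en",            # same value, but not an ID
    ("ads.example", "trk"): "9e11d07744aa",     # fresh ID: expected behaviour
    ("news.example", "sid"): "77aa90b1c3de",    # same ID, no LSO match
}
# Key/value pairs read from Flash storage, which the cookie clear did not touch.
FLASH_LSO = {
    "books.example": {"userId": "a81f3c9e77d2"},
    "ads.example": {"volume": "80"},
}


def find_respawned(before, after, lso):
    """Return (domain, cookie, lso_domain, lso_key) for each re-spawned cookie.

    lso_domain and lso_key are None when the identifier came back after
    deletion but no Flash cookie in the snapshot holds it.
    """
    findings = []
    for (domain, name), value in sorted(after.items()):
        if len(value) < MIN_ID_LENGTH or before.get((domain, name)) != value:
            continue
        sources = [(d, k) for d, kv in sorted(lso.items())
                   for k, v in sorted(kv.items()) if v == value]
        for lso_domain, lso_key in sources or [(None, None)]:
            findings.append((domain, name, lso_domain, lso_key))
    return findings


if __name__ == "__main__":
    for finding in find_respawned(COOKIES_BEFORE, COOKIES_AFTER, FLASH_LSO):
        print(finding)
```
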


Responding with Self-Regulation


These privacy concerns were the motivating force behind establishing self-regulatory principles for online behavioral advertising in the U.S. The FTC began reviewing this practice in 1999 and has held several workshops over the last 10 years to discuss the issues involved in online behavioral advertising. In February 2009, the FTC released self-regulatory guidelines to serve as the basis for industry self-regulatory efforts to address behavioral advertising privacy. The guidelines comprise four principles:

  1. Transparency and consumer control
  2. Reasonable data security and limited data retention
  3. Express consent for material changes to existing privacy policies and practices
  4. Express consent for using sensitive data


To show the industry’s commitment to self-regulation, some of the largest media and marketing trade associations in the U.S., known as the Trade Group (e.g., American Association of Advertising Agencies, Association of National Advertisers, Direct Marketing Association, Interactive Advertising Bureau and Better Business Bureau), also developed their own self-regulatory principles. These principles largely reflect those of the FTC, but expand upon them by promoting education and accountability. In particular, these principles advise industry, as a first step, to develop robust industry-specific Web sites that provide education to consumers and businesses about online behavioral advertising.


Building a Case for Legislation


Despite efforts to self-regulate online behavioral advertising, both consumer groups and government have called for a legislative approach. In September 2009, a coalition composed of 10 privacy and consumer advocacy groups submitted a legislative primer urging Congress to draft new legislation for the regulation of online behavioral advertising. The coalition proposed that the U.S. Congress establish legislative rules that delineate fair information practices and limit information collection and use.


The FTC has also recently imposed punitive measures to curb privacy violations for online behavioral advertising irrespective of evidence of consumer harm. Moreover, it is expected that FTC officials will determine in February 2010 whether it will create legally binding guidelines to govern advertisements delivered online by consumer tracking.


The FTC will explore regulation again at the first of three consumer privacy roundtables in Washington next month.


What Does This Mean for Businesses?


The FTC continues to make online behavioral advertising a priority. Therefore, it is important for businesses engaging in or contemplating online behavioral advertising to take the following steps:

  • Understand self-regulatory regimes: Know how the FTC and Trade Group self-regulatory principles affect your business and consumer data handling practices.
  • Make privacy policies clear and accessible: Post transparent privacy and data management policies, which are easy to understand (i.e., avoid overly legalistic language) and easy to locate.
  • Provide consumer notice and choice: Provide consumers with clear and concise notices about how their information is handled (outside of the privacy policy statement) and respect consumer choices by providing them with the ability to opt out of the collection, use, or disclosure of their information.
  • Protect consumer data online: Employ data security practices that protect the online data you collect from consumers and ensure this information does not fall into the wrong hands.
  • Limit retention of data: Limit the consumer online data that you collect and store.
  • Anticipate privacy-specific legislation: Because the Internet transcends geographical borders, you should expect that, if the U.S. Congress enacts legislation for online behavioral advertising, other countries, such as Canada and Mexico, will shortly follow suit. Be prepared to comply with privacy-specific legislation.

About the Authors


Megan Brister, CISSP, PMP: A partner with Anzen Consulting Inc., Megan has built a career in the data protection field working with both private and public organizations to develop effective and practical privacy and information security programs. Megan has conducted dozens of privacy impact assessments for clients in marketing, advertising, technology, data management, and health care as well as advised government and regulators. Megan has over ten years of information privacy experience and is a Certified Information Systems Security Professional (CISSP) and Project Management Professional (PMP).


Jordan Prokopy, BSc, MA: A privacy specialist at Anzen, Jordan focuses on the privacy issues surrounding the management of personal information for customer service and marketing. Jordan also specializes in online behavioral advertising, particularly the privacy best practices and regulatory requirements for advertising networks, advertising exchanges, and publishers. Jordan has a Master’s of Arts in Biomedical Ethics and Bachelor of Science in Biology and Mathematics from McGill University.

Miyo Yamashita, PhD: The founding partner of Anzen, Miyo has a Ph.D. in Communications from McGill University, where she specialized in the impact of data protection laws on privacy practices. Miyo has been working in the information privacy field since 1990, during which time she has designed and implemented corporate privacy programs, conducted dozens of privacy impact assessments, legislative reviews, gap assessments, and developed strategic privacy plans for governments, health care delivery organizations, the private sector, and charities.


About Anzen


Anzen Consulting Inc. is a leading information privacy firm, recognized for consistently delivering practical, cost-effective privacy solutions that support our clients' business goals. Our diverse team of privacy consultants and lawyers has a detailed understanding of privacy laws and policies, privacy and security best practices, and privacy and risk management frameworks. Anzen works with a wide range of clients whose businesses depend on the use and management of personal information.
