Verizon pointed out in the letters that they do not disclose individually indentifying information. It also argued that it took steps to notify customers individually, publicly disclose details of the program, and provided a “clear and easy way” for consumers to opt out.

The pair, co-chairs of the bipartisan privacy caucus, released Verizon’s responses to their inquiry about the program, and said both companies “followed the law and exceeded common industry practices in this area.”

But they suggested that either the law or industry practice needed tweaking. “We are still concerned that Verizon has required customers to opt-out of this new program rather than opt-in,” they said in a joint statement Friday. “An opt-in mechanism would allow consumers, not the company, to decide whether to grant permission to use consumer information for targeted advertising purposes, especially in a program focused on geolocation from customer postal addresses.”

Markey and Barton said they would continue to monitor the issue, but understood the benefits of tailored advertising.

But, rhetoric helps no one.

Something needs to be done. If trust and cooperation disappear, the Internet — as we know it — is lost. Mulling that over during one of my swims at the Y, I had an epiphany: Instead of all or nothing, why not figure out:

What is needed for advertising and privacy to coexist on the Internet?

Based on the following definitions:

• Internet advertising: Is a form of promotion that uses the Internet to deliver marketing messages to attract customers.
• Internet privacy: Involves the exercise of control over the type and amount of information revealed about a person on the Internet and who may access said information.

And conditions:

• If people want to visit websites for little or no cost, advertising is needed.
• If websites are going to advertise, visitor privacy has to be insured.

I wrote an explanatory email, included my “question”, and sent it to sources of mine I knew to be involved in this discussion. Feeling good, real good, about how I was going to solve this, I waited for all the responses. And waited. And waited.

My teaching moment

If you are thinking, “He must be nuts”; most of the people I sent the email to agree with you. I suspect the few that responded, did so in hope of this being a “teaching moment” for yours truly.

It was.

First Lesson

Lenny Zeltser, good friend and well-known security researcher, started the ball rolling. He took me to task on my conditional statements. He pointed out that privacy as a concept is relative.

Zeltser: First, I’d like to comment on your statement: Privacy has to be insured. This implies that privacy is an absolute notion we must ensure. I’d argue that the notion of privacy is relative. It’s relative with respect to the times and more importantly with respect to the community and context in which it’s discussed.

It’s fascinating to compare the privacy norms of Internet users that are in their teens and twenties to those who are older. One might want to simplify that teens’ openness in sharing information that their parents believe should be private constitutes the “death” of privacy among the new generation.

In fact, the younger generation is developing elaborate behavioral norms to adjust to the increasingly open and inter-connected nature of the world in which they are growing up. I touched upon this in my post, Learn the Future of Privacy and Social interactions from Teens.”

Next, Lenny tackled my assumption that advertising is required:

Zeltser: Another premise that you state as a given is, ‘advertising is needed’. I agree that advertising isn’t going away any time soon. But, let’s not presuppose that advertising is the only way of providing a revenue stream to the entities offering content to consumers who expect to visit the sites without paying money.

The consumer might be willing to ‘pay’ for content in many ways, one of which is advertising. Another might involve the visitor lending his systems CPU and battery to performing computations while reading the content. A consumer may also agree to a subscription fee.

Finally, Lenny got to my question:

Zeltser: I bring up these points to highlight the ever-changing nature of privacy norms and expectations. Keeping that in mind, my answer to the question — What is needed for advertising and privacy to coexist on the Internet? — is yes, even though I don’t know what exactly such middle ground would entail.

Second Lesson

To be honest, I had no previous contact with Dr. Aleecia M. McDonald — renowned privacy expert. I have read many of her papers, all of them about this very subject. So, I was excited when I received a response from her.

Then I read the email.

Dr. McDonald wondered if I had a clue about online advertising and behavioral targeting. Okay. First Lenny’s email, now this, I wisely responded that I didn’t.

I’m guessing my confession wasn’t expected. She graciously spent several hours on a busy Saturday explaining the current situation with regards to online advertising and privacy.

Kassner: Lenny Zeltser mentioned that privacy has different meanings for different people. You seem to be in agreement. Would you explain, please?

McDonald: We tend to talk about user privacy as if users were all one uniform group. They are not. The research that I did with Lorrie Faith Cranor found about 18% of study participants want the benefits of behavioral advertising.

They want ads that are relevant to them. In interviews in the lab, some people were quite eager. For them, the future cannot come fast enough. However, they do not typically understand the privacy implications and mistakenly think their privacy is protected by laws that do not exist.

On the other side, 20% of study participants were very concerned with privacy. They recoil from the idea of data about their web browsing going out to advertisers, and in the lab there were people very concerned and passionate about their right to privacy.

But again, they do not understand how much benefit they derive from personalization, even simple things like frequency capping.

Now, to the 62% in the middle, I think of them as the swing voters of behavioral advertising. What we heard was, “Why would we want better ads when ads are the things I ignore?” They do not see any benefit to data going to advertisers. Perhaps with more information they would change their minds–into either the pro-target or pro-privacy groups.

Kassner: I get the impression there is a disconnect between what people believe to be the case and what actually is. Did that come from your research?

McDonald: Generally, people are happy with the idea of viewing ads to support seeing free content. They understand it, and like the trade-off. It is a familiar structure seen with TV, magazines, and newspapers.

Most people do not understand how much data and tailoring off-line advertisers currently work with. To make matters worse, people feel the online world is similar to the offline world: Ads for free content-not knowing that it’s ads plus their data.

When they hear data is part of this equation, people typically feel this is not the deal they agreed to at a societal level. It violates their mental models of how advertising works.

In the lab, people argued with me and said behavioral advertising could not exist. One woman said it sounded like something her “paranoid friend” might dream up. That study was about two years ago, and people are better informed today, but many misconceptions still remain.

Kassner: You mentioned that behavioral advertising is not that big a deal. That surprised me, having written extensively about it. What did you mean by that?

McDonald: Interestingly, it appears that behavioral advertising is not a large part of the online ad market today. Numbers overseas are around 4%. In the US, it is a little more, but less than 10% of online ads are behavioral. It is hard to get good numbers, but the Internet-advertising ecosystem is still predominately contextual ads.

Chris Hoofnagle makes a very good point about balance. Does it make sense to amass so much data about every uniquely-identifiable user in order to serve such a small percentage of ads? Is that a good trade at a societal level?

Kassner: You brought up something that really interests me. Advertisers are not in agreement about behavioral advertising?

McDonald: Users are not the only non-uniform group. Advertisers are just as divided about behavioral advertising:

• Some ad networks specialize in behavioral ads. For them, this is a fight for survival. Anything that changes behavioral ads looms as a threat.
• Other ad networks specialize in contextual ads and those that do not require identifying users — search ads. For them, if they curtail behavioral advertising, they improve their ability to compete in the market.

Kassner: Are websites serving content affected by this?

McDonald: Most of the content on the Internet is not advertising. For a first-party website like TechRepublic, it may not matter if ads are targeted, contextual, or random. All that matters is that the money flows. And even there, first-party sites are not a monolithic block.

• If a site is just me blogging in my basement, then there is no special value to my site and it is just like all the other blogs out there. Since my site is not special, I want to make money on the value of the visitors, which is what targeted ads do.
• But if the first-party site is particularly prestigious, then I want to make money based on the value of having ads on my special site.

Kassner: Do you see a downside for content websites that offer behavioral advertising?

McDonald: Behavioral advertising kills the value of brands for first-party sites. If an advertiser can show the same ad to a viewer on a basement blog for half the cost as on a top tier site like TechRepublic, how do you think that will end for TechRepublic? Here’s how:

• Short term: TechRepublic may get a boost from better click-through rates on behavioral ads leading to slightly-higher profits.
• Long term: TechRepublic can expect to become a commodity, no better than any of millions of other sites out there.

The point to all of this is not that behavioral ads are good or bad for the economy. The point is:

• Good or bad very much depends upon where you sit.
• Behavioral ads are such a small component that we have not seen this all roll out.

It may not be possible to answer some of the larger financial questions yet.

Kassner: I’ve been saving Do Not Track (DNT) for last. You say it could play a significant role, helping both consumers and advertisers. How is that possible?

McDonald: Much of the discussion around DNT is from the perspective of the FTC goals of transparency, choice, and control for users. That is great. I hope DNT will promote all of their goals.

If you turn it around and think about DNT from an advertiser’s vantage point, DNT has the potential to make them more money. Right now there are far fewer behaviorally-targeted ads than available advertising slots.

That gives advertisers a choice. They can push behavioral ads to the consumers who want them, creating higher profits than without a DNT mechanism to help them know their customers better.

Meanwhile, users who are in the pro-privacy segment get a mechanism — DNT — to help them remain private.

Kassner: Any further thoughts, Aleecia?

McDonald: As to your “question,” the way we get benefits from targeted ads and privacy is when there is a system that is both profitable and transparent. Both are necessary. DNT has the potential to move both goals forward at once.

Final thoughts

Wow. I have lots to think about. Talk about being simplistic. Still, there is room for hope. And, my question seems to have merit.

I’d like to thank Lenny and Aleecia. I see only benefits from their instruction in the ways of the world.

“Stories like that one are why one of the core principles of ‘privacy by design’ is for companies to make users’ data private by default,” says Cavoukian.

Out of a desire to have successful “social strategies,” many companies pimp out their users’ info as much as possible. Fitbit’s experience, and that of companies like Facebook and Google — sued for Beacon and Buzz, respectively — show the pitfalls of that strategy. Hence, Cavoukian’s decade-long campaign is finally starting to resonate with tech companies. Both Zynga and Groupon mention privacy as a business-limiting concern in the S-1 filings for their upcoming IPOs.

The Great White North’s privacy winds are blowing south to D.C. this year. The “privacy by design” phrase appeared in U.S. federal legislation for the first time in April in the Commercial Privacy Bill of Rights introduced in the Senate by John Kerry (D-Mass.) and John McCain (R-Ariz.). So what is ‘privacy by design’ exactly? It means simply that companies are starting to bake privacy into their products, relying less on privacy policies few bother to read.

Who wants some examples???

• The most talked-about current example of good privacy by design is Google’s new social network, Google+. After flunking Privacy 101 with Buzz, which automatically built a public social network using Gmail users’ formerly private contact lists, Google has designed a social network with privacy as its building block. All contacts are placed in nonpublic “circles” (for example, “Friends,” “Colleagues” or “Family”) and users are asked to designate the circle to share with for every post they make. “If you don’t design privacy in at the architectural level, it can be devilishly hard to deal with later,” says Jules Polonetsky of the Future of Privacy Forum.
• Apple’s iPhone has a purple arrow icon that appears on the screen letting a user know any time their location information is being sent to an app. The design principle is to make sure users are made aware when their sensitive information is shared.
• For its parental monitoring app that can be placed on kids’ smartphones to allow for tracking of their movement, text messages and photos, Location Labs sends periodic alerts to the phone, reminding the coddled children that they are being monitored.
• A planned new feature for the iPhone would allow remote listening (say, if the phone were stolen). Designers mention in the patent that it would include a warning system to alert anyone looking at the phone that they’re about to be recorded or listened to. It’s unfortunate that a thief would be alerted, but will help prevent teenage girls from using a casually placed phone from spying on each other. “There’s always a tension between privacy and security,” says Mason Weisz, a corporate attorney at Hunton & Williams.
• Intel is working on digital billboards that use facial detection technology to target ads at people based on gender, age and race. But the billboards do not maintain information on their faces or any personally identifiable information.
• The business school admissions test GMAT used to confirm test-takers’ identities by fingerprinting them, arousing concern of those fingerprints being cross-purposed for criminal databases. So GMAT switched to scans of palm veins.

“In Silicon Valley, venture capitalists and entrepreneurs are saying privacy is dead, but that’s wrong. Customers’ reactions to privacy breaches proves that,” says Cavoukian. “Privacy has historically been viewed as an impediment to innovation and progress, but that’s so yesterday and so ineffective as a business model. Without user trust, technologies can’t move forward.”

Yet for all its innovative know-how and entrepreneurial spirit, the technology industry has yet to agree on a simple, meaningful solution to protect consumer privacy on the Internet.

So privacy watchdogs and lawmakers are stepping up the pressure, calling for laws that would require companies to stop the digital surveillance of consumers who don’t want to be tracked. They argue that effective privacy tools are long overdue from an industry that typically moves at breakneck speed.

“I want ordinary consumers to know what is being done with their personal information, and I want to give them the power to do something about it,” Senate Commerce Committee Chairman John D. Rockefeller, D-W. Va., said at a recent hearing.

Washington’s call to arms is a response to growing concern that invasive Internet marketing practices are eroding privacy online as every consumer move is observed, analyzed and harvested for profit.

Online publishers, advertisers and ad networks use “cookies,” Web beacons and other sophisticated tracking tools to follow consumers around the Internet — monitoring what sites they visit and what links they click, what they search for and what they buy. Then they mine that information to deliver what they hope will be relevant pitches — a practice called behavioral advertising.

“Right now we have a lawful system for tracking all of our movements online,” says Christopher Calabrese, legislative counsel for the American Civil Liberties Union. “And not only is it legal. It’s the business model.”

Calls for online privacy protections began with the Federal Trade Commission, which has challenged the industry to offer a digital tracking off switch. The FTC envisions something akin to the government’s existing “Do Not Call” registry for telemarketers. Consumers who don’t want to receive telemarketing calls can add their numbers to the list online or over the phone.

Companies including Microsoft and Mozilla have responded with various “Do Not Track” technologies. But an industry-wide solution is not close at hand.

That’s because putting the Do Not Track concept into practice is much more complicated than simply adding phone numbers to a database. The challenge is in reaching industry consensus on what Do Not Track obligations should mean, designing standard technology tools that are easy for consumers to use and setting common rules that all Websites and advertisers will follow.

One big part of the problem is that the industry needs to find a way to let consumers halt intrusive online marketing practices without preventing tracking critical for the Internet to function. After all, Internet companies rely on tracking not just to target ads, but also to analyze website traffic patterns, store online passwords and deliver customized content like local news. Nobody wants to stop those things.

Also complicating efforts to reach broad agreement is the lucrative nature of behavioral advertising.

Industry leaders argue that many consumers like targeted ads since they deliver personalized pitches that people may want. And because these ads tend to be more effective, advertisers are willing to pay more for them, says David Hallerman, an analyst with eMarketer.

Research firm eMarketer projects U.S. spending on online behavioral advertising will hit $2.6 billion by 2014, up from $775 million in 2008.

That enables Internet companies to offer everything from online stock quotes to unlimited email storage for free, says Anne Toth, Yahoo’s chief trust officer. Without sophisticated advertising technology, more websites and services could wind up behind pay walls, companies warn.

The problem, argues Jeff Chester, executive director of the Center for Digital Democracy, a privacy group, is that many consumers don’t know they’re being tracked. And even if they do, they have no idea what happens to their information — whether it is used to create personal profiles, merged with offline databases or sold to data brokers — and no practical way to stop the data collection.

With growing alarm in Washington, a coalition of industry trade groups– called the Digital Advertising Alliance — has established a self-regulatory program that places icons inside the online ads of participating advertisers, ad networks and websites. The icon links to a site that explains online targeting, and lets consumers install an opt-out cookie if they just want standard ads.

Among the groups participating in the alliance are the Interactive Advertising Bureau and the Direct Marketing Association, as well as individual companies including Google and Yahoo.

Even so, these efforts don’t go far enough for the FTC. While the agency has not endorsed any particular Do Not Track technology, it believes one promising approach could involve including a setting inside Web browsers. Now the browser companies, led by Microsoft and Mozilla, are responding with different approaches:

– Microsoft has a feature called “tracking protection” in Internet Explorer 9.0 that lets users create “black lists” of Web sites to be blocked and “white lists” of sites that are deemed acceptable. Users can set their browsers to automatically build these lists or can download existing lists.

– Mozilla has a setting in its Firefox 4 browser that sends a signal to alert websites, advertisers and ad networks if a user does not want to be tracked.

Apple is expected to include a similar feature, called a “header,” in its Safari browser. Microsoft, too, recently added the feature to IE 9.0.

– Google’s Chrome browser is piggybacking on the Digital Advertising Alliance by offering a plug-in that saves opt-out cookies even if other cookies are erased. One criticism of the industry program is that users lose their opt-out preferences whenever they clear their cookies.

For such tools to work, however, there must be industry consensus on what Do Not Track obligations should actually mean. And right now, there is little agreement.

Nearly everyone accepts that publishers should be able to measure traffic volumes on their own sites, for instance. But should advertisers be allowed to track how many visitors see or click on their ads?

The industry’s self-regulatory program, for one, does not turn off data collection. Consumers who install an opt-out cookie no longer receive targeted ads from participating companies, but may still be tracked for non-advertising purposes. That doesn’t satisfy privacy watchdogs.

Microsoft Deputy General Counsel Erich Andersen says tracking protection offers a way around this debate since it lets consumers decide what to block. But this approach worries advertisers since it can block ads altogether, even generic ads.

And anyway, with Do Not Track signals in several popular browsers, websites and advertisers need to agree on how to respond, says Jules Polonetsky, director of the Future of Privacy Forum, an industry-backed group. Otherwise, he says, Do Not Track obligations could get defined for them by browsers or government officials.

Equally important for Do Not Track to succeed, the technology must be easy to find and use. If Do Not Track tools are too confusing or involve too much effort, people won’t embrace them, warns Marc Rotenberg, executive director of the Electronic Privacy Information Center. “We can’t expect users to spend a lot of time reconfiguring their browsers,” he says.

Privacy watchdogs are gravitating to Mozilla’s approach as particularly user-friendly. But it presents a different challenge: ensuring websites, advertisers and ad networks respect user requests not to be tracked. While Microsoft’s tracking protection blocks unwanted content — and requires no compliance by Websites and advertisers — a signal in a browser means nothing if it is not honored.

“Without anyone on the other end to recognize it, it’s a tree falling in the woods without anyone to hear it,” says Mike Zaneis, general counsel for the Interactive Advertising Bureau. Zaneis insists the Digital Advertising Alliance offers the best approach since so many Websites and advertisers are on board.

Alex Fowler, Mozilla’s global privacy and public policy leader, says the browser maker is talking with many big websites, advertisers and ad networks about honoring its Do Not Track signal. And many are open to the idea. Still, so far only a handful of industry players have actually pledged to honor the signal.

And that, privacy watchdogs say, shows why the government needs to get involved.

Senator Rockefeller is sponsoring a bill that would direct the FTC to write binding, industry-wide Do Not Track rules. There are similar bills in the House and the California legislature.

The Internet marketing industry wants to head off those efforts and insists it just needs more time to establish meaningful privacy controls.

For now, FTC Chairman Jon Leibowitz is willing to give the industry a chance before calling for legislation. Even without a government mandate, he noted, it’s in the industry’s self-interest to make Do Not Track work. After all, Leibowitz says, “nobody wants to be on the wrong side of consumers.”

Half of 64 online advertising firms did not remove their tracking cookies from consumers’ computers after they have opted out of behavioral ad targeting. Twelve percent of those firms failed to remove tracking cookies, or continued to place them on consumers’ systems even after those consumers opted out of tracking. The study, which was carried out over several months by researchers at the Stanford Security Lab, suggest that voluntary, industry led efforts to reign in unwanted user tracking online may be falling short.

However, at least one of the companies named in the report says that the researchers reached false conclusions about tracking based on external observations, and didn’t verify their findings with the companies in question.

Results of the study were published on the Web site of Standford Law School. Researchers looked at the actions of 64 out of 75 members of the Network Advertising Initiative (NAI), a voluntary Internet advertising industry group formed to address concerns about online privacy violations. Researchers tested to see if behavioral tracking cookies were placed both before and after users opted out of tracking and enabled the Do Not Track options offered by the advertising networks. The Stanford Researchers manually identified tracking cookies and observe how they were altered throughout each test.

Results were discouraging. All but one of the 64 companies whose cookies were observed left existing tracking cookies in place after users elected the Do Not Track option. Half of the 64 left the cookies in place after users opted out of tracking all together. The survey, when taken together with a similar study done by Carnegie Mellon University in February, identified eight current NAI members that appear to continue tracking users even after they opt out of tracking – often in violation of promises made in their own privacy agreements. Among those are: 24/7 Real Media, Adconion, AudienceScience, Netmining, Undertone, Vibrant Media and Wall Street on Demand.

The Carnegie Mellon Study, released in March, also found low levels of compliance with the requirements set forth by the Network Advertising Initiative and the Digital Advertising Alliance (DAA). Both groups were established as efforts by the industry to self regulate in the face of scrutiny from the U.S. Federal Trade COmmission (FTC). Both groups require members to provide features, like the Ad Option feature, that make it easy for consumers to opt out of online advertising and tracking.

Together, the Stanford study and the study by Carnegie Mellon suggest that industry oversight of the effectiveness of these features and advertisers adherence to the terms of their own privacy policies is lacking. For example, Stanford researchers found that NAI member Adconion’s privacy policy states that a user is “free to opt out of the Adconion Cookie.” But that opting out deleted only one of three tracking cookies placed by the company, and left the other two in place. Ad firm AudienceScience tells users in its privacy policy that it will “delete all previously collected information from the cookies, and put new information in the cookie which tells us to stop collecting information from that device.”Researchers found that opting out of AudienceScience removes its unique tracking cookie but not a “highly unique cookie that represents the user’s interests.” Furthermore, subsequent reloads of the content updated the interest cookie.

AudienceScience now removes both the unique and the interest cookie from the customer’s machine, but was always in compliance with the NAI guidelines, CTO Basem Nayfeh told Threatpost.

Previously, when users chose the opt-out option, AudienceScience stripped personal information from the cookie and overwrote a unique customer ID with an opt-out ID. However, the company left the cookie itself and would update a time stamp setting within the cookie – in essence: indicating when the last time the cookie was seen by AudienceScience’s systems, Nayfeh said.

Stanford researchers couldn’t analyze the content of the cookie itself (it was encrypted) and failed to contact AudienceScience to clarify how the cookie was being altered after the opt-out option was selected, he said. Because the time stamp field was updated, reserachers observing the cookie would note that its size and encrypted value change, suggesting that the company was continuing to update the cookie with the consumer’s information.

Nayfeh said the company now removes the cookie entirely.

“In retrospect, I think confusion caused by the decision to not remove the cookie, as should have been done in the first place,” he said.

In a blog post, NAI Executive Director Charles Curran said that the researchers at Stanford confused “do not target” choices offered by online advertisers and “do not track” features that are built into many new browsers.

The group’s code commits members to providing an opt-out of the use of online data for behavioral advertising that will “make their ads more relevant,” but also recognizes that “companies sometimes need to continue to collect data for operational reasons that are separate from ad targeting based on a users online behavior.”

In the end, NAI it has what might be considered a ‘failure to communicate’ (our term not theirs) with the Stanford and CMU researchers. That is: the researchers expect that advertisers are looking for the kind of public interest ban on collecting “any data” from consumers, whereas the NAI and its members just feel a need to adhere to what NAI describes as “self regulatory commitments to limit ad targeting based on user interests.”

Nayfeh of AudienceScience thinks the industry led efforts are working.

“I think people in the industry take (the NAI guidelines) more seriously than people think we do,” he said.

It remains to be seen whether the FTC will step in with blanked protections for online privacy. The FTC has voiced concerns over Web tracking in the past, but so far hasn’t issued hard and fast rules limiting it. In December, 2010, for example, the Commission introduced preliminary report on protecting consumer privacy that called for a framework to address privacy issues raised by consumers and called for the creation of a Do Not Track mechanism. FTC Chairman Jon Leibowitz declared that consumers “deserve far better from the corporations we trust our data with.” Browser manufacturers have responded with extensions and built in features for their Web browsers that allows users to opt-out of ad tracking cookies.

This is the “cookie law” that governs what information a web site can collect on its visitors without explicitly asking them if it’s OK.

When the deadline to implement it passed in May only Estonia, Denmark and the UK had taken steps to bring it into law.

Denmark has now decided to puts it draft rules on ice indefinitely and the UK has given firms a year to comply.

To give the UK’s Information Commissioner’s Office its due, its guidance on the law is probably the most comprehensive of any member state so far.

Internet Stalking

This Directive was born of consumer concerns upon finding adverts for a particular product they had previously looked at mysteriously appearing on subsequent sites they visited.

This led to an outcry as people realised they were basically being stalked around the internet.

And who was this sneaky perpetrator? Cookies.

Most cookies perform basic functional tasks like storing your login details or personal preferences.

The perceived villain of the piece was “third party cookies” – the ones that enable companies to work out what you like and what you might want to buy, thus allowing them to tailor their marketing to you.

So the Directive was drawn up which divided cookies into those which are “strictly necessary” for a service being provided and others, which will require consent from users.

Confusion

This has caused uproar, particularly among Europe’s marketing community, who are thoroughly confused.

Matt Isaacs is CEO of Essence, which develops and places online advertising for brands such as Google, eBay, eHarmony and YouTube.

“Some are suggesting that it means nothing more than making users aware of the standard security options within their browsers, while others believe it means users need to be proactively alerted of each and every cookie ever placed on their machine,” he says.

The problem is the definition of “strictly necessary” is very narrow, says Ben Allgrove, partner at the international law firm, Baker & McKenzie.

He believes the term would cover a cookie that enables an online shopping basket to function, but it would not cover a cookie that remembers you prefer your website in English rather than French.

“This law can’t be complied with in any sensible way,” Mr Allgrove says.

“If you had full compliance you’d have pop ups coming up all the time asking for consent; consumers hate that and most web browsers automatically block the pop ups anyway.”

Lifeblood

Marketing professionals argue cookies are misunderstood and most actually enhance the consumer experience, allowing people, for example, to be directed to a Hilton hotel rather than Paris Hilton. (Or indeed, vice versa.)

Paul Carysforth is a partner at Amaze, which runs online marketing campaigns for companies like Unilever, Lexus, Toyota, Coca-Cola and Dyson.

He says cookies are the lifeblood of an online business and restricting them will do more than just interrupt consumers’ while they are online.

“Cookies are the primary means by which all online businesses determine the return on their investment,” he says.

“Without cookies it would be almost impossible for companies to understand their ROI and in particular isolate which strategies are delivering a positive return, and which would hamper investment and innovation.”

Slightly more optimistic is Ben Cooper from Tullo Marshall Warren, which has created online campaigns for the likes of Lynx, Guinness, Nissan and Sony Ericsson.

He says there is a new challenge for marketers.

“There is little value in communicating with individuals who are patently not engaged or interested,” he says.

“With the changes in the cookie legislation we are now faced with trying to convince individuals that there is indeed value in sharing their information with a particular brand,” he adds.

Mr Cooper says there could be something of a return to “the good old days” of marketing.

“In some sectors, notably financial services, there has already been a resurgence in the use of direct mail where, for some products and services, the returns can be measured more accurately and the targeting has improved,” he says.

Prior consent

What will test companies operating across Europe perhaps the most is just how much “prior consent” will be required by regulators before a consumer is judged to have accepted cookies.

Here things get more confusing than ever as the 27 nations of the EU have differing ideas.

“In the Netherlands there is discussion about whether consent must be ‘unambiguous’, which might make browser settings – a convenient way of getting consent – less likely to be acceptable,” says Matthew Norris, global head of technology and media at the insurer Hiscox.

“German and French legal commentators use the term ‘opt in’ and that is more draconian than the UK, where the Information Commissioner’s Office has specifically said that UK law does not amount to a requirement to opt in,” he says.

There is talk in some places of a “double opt in”, where consumers would have to click on two separate links to give their consent.

European divide

Eduardo Ustaran, a partner in Field Fisher Waterhouse’s privacy and information group, says early signs are that member states will fall into one of these two camps – those that impose a strict “opt in” consent requirement and those that recognise the ability of visitors to express consent through, for example, appropriate browser or other application settings.

Mr Ustaran believes a double click policy “would be fatal to online commerce”.

Many are waiting for the browser companies to ride to the rescue with enhanced security settings that will allow consumers to weed out the cookies they do and don’t want.

The strain of enforcement could be very big on the regulators.

“There are millions, if not billions of websites in Europe and the world accessed by UK citizens,” says Richard Dennys, chief marketing officer at Qype, Europe’s largest consumer reviews site.

“Will the UK be issuing legal proceedings against non-UK websites which are accessed by UK citizens? How many prosecutions can they handle per year? Will there be test cases, then appeals, then what?”

But Ben Allgrove from Baker and McKenzie says a “wait and see” approach will not suffice as regulators are empowered to hand out big fines and cause big dents in brand images.

“Enhanced browser controls may not happen and you can’t palm off your obligations to a browser manufacturer,” he says.

Eduardo Ustaran is advising clients to identify all their cookies, assess their necessity (for the functionality of the site) and intrusiveness, make clear and prominent disclosures on their websites about cookie use, and consider potential strategies for giving users effective control over them.

Back to school

The cookie law was pushed through to satisfy a public that was suddenly aware their privacy was at risk, even if they weren’t sure how.

Essence’s Matt Isaacs thinks it is time consumers were educated as to what cookies are and how organisations use them to enhance a user’s online experience.

“This obviously requires an industry wide acknowledgment and commitment to consumer privacy, but also a focused approach to educating consumers about online privacy and when it’s safe to release personal information online,” he says.

But as yet there is no co-ordinated approach from industry on either of these and unless it comes soon it might be too late; the horse will already have bolted and be causing traffic chaos on the internet super highway.

Gator, later known as Claria, offered users downloadable software that served pop-up ads, targeted based on the sites they had visited. Like most other companies with a similar business model, it ultimately shuttered.

The reasons for adware companies’ demise, however, didn’t have nearly as much to do with their tracking of tracking people’s Web use as with complaints about the installation procedure. Many people said that they downloaded the software without realizing what it would do — or, worse, that their computers were hijacked and the software was installed by third parties without their consent. Additionally, some users complained that adware programs slowed down their machine and interfered with their ability to surf the Web.

What’s more, behavioral targeting is largely invisible to consumers, while adware made its presence known all too well.

Given those differences, do the folks at Havas really think that policy concerns could put behavioral targeting companies out of business? “I don’t think it will happen, but is it within the realm of possibilities? Yes,” says Adam Kasper, Director of Digital Investments at Media Contacts USA, one of the report’s authors. “If advertisers don’t get on board with this program and efforts,” he says, referring to a cross-industry self-regulatory initiative to notify users about targeting and allow them to opt out, “I am concerned that there could be a larger FTC action that could limit the use of cookies.”

For all of its warnings, however, the Havas report more or less repeats the basic recommendations that have been around for at least 10 years. That is, the report says that ad networks should at a minimum give consumers information about data collection and allow them to opt out of receiving targeted ads. The report includes some newer recommendations — including that companies place an icon on or near ads that are being served based on data, and emphasizes that privacy policies should be written in plain English — but these details don’t change the basic notice and opt-out framework that’s long been in place. (Report co-author Evidon also is one of the companies that powers the you-are-being-tracked icons.)

The report calls attention to one of the thorniest points of contention between the industry and privacy advocates — whether companies should be required to stop collecting data about consumers who have opted out of behavioral targeting — but doesn’t answer that question. Current self-regulatory standards call for companies to allow consumers to opt out of receiving targeted ads, but don’t mandate that ad networks stop amassing information about those users.

“The difference between opting-out of seeing a targeted ad vs. opting-out of being tracked is subtle, but important,” the report says. “Unresolved issues like this, and countless others, will continue to elevate the focus on privacy throughout the government and will stoke society’s fears that one’s personal data are available to anyone who wants it.”

Saying that online companies have failed to protect the privacy of Internet users, the Federal Trade Commission recommended a broad framework for commercial use of Web consumer data, including a simple and universal “do not track” mechanism that would essentially give consumers the type of control they gained over marketers with the national “do not call” registry.

Those measures, if widely used, could directly affect the billions of dollars in business done by online advertising companies and by technology giants like Google that collect highly focused information about consumers that can be used to deliver personalized advertising to them.

While the report is critical of many current industry practices, the commission will probably need the help of Congress to enact some of its recommendations. For now, the trade commission hopes to adopt an approach that it calls “privacy by design,” where companies are required to build protections into their everyday business practices.

“Despite some good actors, self-regulation of privacy has not worked adequately and is not working adequately for American consumers,” Jon Leibowitz, the chairman of the trade commission, said. “We’d like to see companies work a lot faster to make consumer choice easier.”

Many of the problems the F.T.C. is trying to tackle involve third parties that use technology to surreptitiously follow a user around the Web, collecting data and then selling it, usually without the user’s knowledge.

“Our main concern,” Mr. Leibowitz said, “is the sites and services that are connecting the dots between different times and places that a consumer is online and building a profile of what a consumer is doing.”

The recommendations, which were contained in a 79-page report, were cautiously received by browser makers including Google, Mozilla and Microsoft, who said they would examine the report and provide feedback to the commission.

Mike Zaneis, the senior vice president and general counsel of the Interactive Advertising Bureau, said the industry generally supported the concepts proposed but opposed some of the strict measures preferred by consumer advocates.

The online advertising industry, Mr. Zaneis said, would suffer “significant economic harm” if the government controlled the do-not-track mechanism and there was “a high participation rate similar to that of do not call.” Mr. Zaneis said the industry would continue to build upon a self-regulatory framework and had recently put in place the use of icons on select online advertisements that allow users to opt out of customized advertising.

“If your goal is to have a red flashing icon that says, ‘Click here to opt out of targeting,’ and to incentivize people to opt out, then we don’t share that goal,” Mr. Zaneis said.

Currently, millions of Internet users who want to opt out of behavioral tracking have to navigate their browser privacy controls, download plug-ins or opt out by clicking on an icon near an ad that is part of the industry self-regulatory program.

The report recommends that companies adopt simpler, more transparent and streamlined ways of presenting consumers with their options rather than the “long, incomprehensible privacy policies that consumers typically do not read, let alone understand.” And the report recommends that data brokers give consumers “reasonable access” to any data they have collected.

Mr. Leibowitz said the commission’s report was not a call for legislation but a guide to lawmakers and regulators.

“Most of us on the commission believe it is time for a ‘do not track’ mechanism,” Mr. Leibowitz said. But at least one commissioner refused to support the issuance of a report that included requiring the mechanism.

In addition, David C. Vladeck, director of the commission’s consumer protection bureau, said Wednesday at a conference sponsored by Consumer Watchdog, “I do not think that under the F.T.C.’s existing authority we could mandate unilaterally a system of ‘do not track.’ ”

The F.T.C. report asks for the public and industry to comment on its recommendations and to make other suggestions over the next two months.

On Thursday, the House Subcommittee on Commerce, Trade and Consumer Protection will hold a hearing to examine the feasibility of a simple method of opting out of online tracking.

If Congress were to mandate a “do not track” feature, it could upend the business models of some advertising agencies and companies who gather consumer data and build profiles of Internet users. But it would not prevent basic targeted advertising, where an individual site serves up ads related to a search terms.

Marc Rotenberg, the executive director for the Electronic Privacy Information Center, said the proposal of a ‘do not track’ mechanism was an important step but not the end of the conversation.

“There’s a growing sense that the online ad industry is out of control from a privacy perspective and that some rules need to be put in place,” said Mr. Rotenberg, whose organization has not decided whether to support the ‘do not track’ proposal. “I don’t think we’re at the point yet where we can say ‘do not track’ is the silver bullet when it comes to online advertising.”

The makers of the most widely used Web browsers said Wednesday that they supported consumer privacy and had already made efforts to protect it as part of their products.

In a statement, Google said, “We agree with the F.T.C. that people should be able to understand what information they share and how it’s used. That’s why we simplified our privacy policies earlier this year, offer control through our privacy tools, and explain our approach to privacy in plain language and through YouTube videos in our privacy center.”

Harvey Anderson, general counsel for Mozilla, stated in a blog post: “While we’ll need more time to digest and evaluate the details, we’re encouraged by what we’ve seen so far. In particular, the F.T.C. has proposed a set of principles that align well with the Mozilla manifesto and our approach to software development.”

Apple, which makes the Safari browser, declined comment. In a statement, Microsoft said that the latest version of its browser, Internet Explorer 8, “has some of the most robust privacy features on the market,” including features it calls InPrivate Browsing and InPrivate Filtering, which allow a user to browse the Web without being tracked.

But those types of features also illustrate some of the shortcomings that the F.T.C. found in current industry efforts. The Microsoft browser requires a user to set those enhanced privacy controls at the start of every new browsing session.

Chris Soghoian, a privacy and security researcher, said using privacy options in most Internet browsers “doesn’t do much.”

At the Consumer Watchdog conference, Mr. Soghoian said that because many of the companies that make Web browsers are also supported by advertising networks, “the design decisions are motivated by a desire not to hurt their advertising divisions.”

“The situation right now is laughable,” he added. “There certainly isn’t a single one-stop shop.”

The report released today, which the agency has been preparing for the past year, is aimed at providing a framework for improving privacy as consumers shop and communicate using the Internet. Data are sometimes collected online “in an irresponsible or even reckless manner,” according to the report.

“Technological and business ingenuity has spawned a whole new world,” FTC Chairman Jonathan Leibowitz said on a conference call with reporters. “The FTC wants to ensure that this thriving marketplace is built on sound privacy practices and consumer choice.”

The do-not-track proposal is aimed at online advertisers’ practice of recording consumers’ movements on the Internet, compiling a profile of their preferences in order to target them for marketing. The most practical way to give consumers options is through a setting on the computer browser signaling their choices for collecting and using data, according to the report.

Companies may be unwilling to embrace such a proposal given the potential to sell products to people based on their interests, said Lisa Sotto, a privacy lawyer with Hunton & Williams in New York who advises companies on advertising, data and security matters.

“Issue-based advertising really is the holy grail for marketers,” said Sotto. “The ability to speak directly to an audience that is most receptive to your message is very exciting. The idea that people may be able to turn off in droves is a difficult pill to swallow.”

Online Ad Revenue

Online advertising revenue swelled to $12.1 billion in the first half of 2010, up 11 percent from the same period a year earlier, according to the Interactive Advertising Bureau and PricewaterhouseCoopers LLP.

A coalition of online marketers and advertisers opposes a federally managed system or a law that would dictate a do-not- track framework and recently introduced a self-regulatory initiative they say is a step in the right direction.

“Industry needs to redouble its efforts in self regulation,” said Mike Zaneis, senior vice president and general counsel of the Interactive Advertising Bureau, which represents more than 460 sellers of online advertisers and is part of the self-regulatory initiative led by the American Association of Advertising Agencies and the American Advertising Federation for a total of 5,000 marketers.

Industry-Led Effort

Zaneis said 58 companies started complying with an opt-out icon introduced last week letting consumers say they don’t want to be tracked and 30 more companies are ready to add the symbol on their websites. “We don’t think a do-not-track law is necessary,” Zaneis said.

Proposals letting online users tell Internet sites not to collect and analyze information about them based on their online history are backed by consumer groups. The idea is based on the do-not-call register the FTC set up in 2003 that lets consumers block telemarketing calls at home.

“Some consumers are troubled by the collection and sharing of their information,” the staff said in the report. “Others have no idea that any of this information collection and sharing is taking place.” Some “may view it as worthwhile,” according to the report.

The FTC report also calls for industry to provide prominent, simple and clear privacy notices and allow consumers to review the data they have collected about them.

‘Step Up’

“Industry must step up to the plate,” Leibowitz said. “The value of industry doing something itself is that they can move more quickly than legislation.” The FTC doesn’t currently have a position on the do-not-track measure, he said.

The do-not-track plan is a partial solution, said Susan Grant, director of consumer protection at the Consumer Federation of America, which represents more than 300 national, state and local consumer groups.

“It doesn’t resolve all the issues raised by behavioral advertising, but it would give people more control over the collection and use of their information until we can hash out the rest of the complex issues that would be involved in getting some baseline privacy regulation,” Grant said.

Chris Soghoian, a privacy and security researcher, said opt-out proposals can be tricky with strong solutions likely to be opposed by industry.

Advertiser Acceptance

“There’s a difference between ‘do not track’ and ‘do not use,’” Soghoian said today at a privacy conference organized by Consumer Watchdog in Washington. “Even if you opt-out, the advertisers still track you around the Web. I don’t think the ad networks are going to accept any kind of strong opt-out mechanism without having their arms twisted.”

David Vladeck, director of the FTC Bureau of Consumer Protection, said today that the agency doesn’t have authority to manage and enforce do-not-track, which would require an act of Congress.

“There are ways we can coax, cajole and charm industry, but I don’t believe the FTC has the existing authority to mandate a do-not-track system,’” Vladeck said, speaking at the privacy conference in Washington today.

The World Privacy Forum says that one of the agencies about to issue a report, the Department of Commerce, shouldn’t play a leadership role in shaping online privacy policy because that agency is seen as pro-business. Instead, the World Privacy Forum (and some other advocates) argue that the Federal Trade Commission should take the lead on Internet privacy. Just today, the World Privacy Forum issued a paper questioning Commerce’s track record on privacy issues.

Yet, of the two upcoming reports, the FTC’s will likely recommend self-regulation, while Commerce’s will likely recommend that Congress enact new online privacy laws based on Fair Information Practices principles. For that reason alone, the upcoming Commerce Department report sounds like it could have more of an impact on online data collection than an FTC report that calls for continued voluntary self-regulation.

Consider, Fair Information Practices principles would require that companies notify consumers about online data collection and allow them to consent. Those principles also would prohibit companies from using data for purposes other than what it was collected for. In other words, insurance carriers probably wouldn’t be allowed to assess people’s health risks by purchasing data about their magazine subscriptions, under the principles.

But even though the World Privacy Forum and others have made clear they oppose the Commerce Department’s involvement in developing online privacy laws, some advocates, like the Center for Democracy & Technology — which itself has called for new baseline laws based on fair information principles — appear to support Commerce’s call for new laws.

Meantime, the think tank Future of Privacy Forum is taking the position that two heads are better than one. “We need the FTC and Commerce working together — pushing and pulling and a combination of both law and serious but flexible and business practical self-regulation,” the group says in a new blog post. “Creating a false sense of competition or conflict will result in inaction and lack of progress.”