FTC raises ante with opt-in

By Published on .

The Federal Trade Commission is floating a proposal to demand that third-party ad servers stop building and using profiles formed from tracking consumers on multiple sites--unless consumers specifically opt in to receive targeted advertising.

The Network Advertising Initiative, an association of ad servers, is trying to win governmental endorsement of an industry self-regulation code. Talks called by the group have riled traditional marketers because of the possible effect on their sites; the FTC has demanded opt-in as the price of its endorsement.

Opting in on a Web site generally means consumers have given permission, usually through registering on the site, for data to be collected; targeted ads are sent based on the data. Opting out typically means a site tracks users' Web activities unless consumers specifically state otherwise.

How often opting in would be required isn't clear.

In one meeting with marketers, representatives of the FTC and the U.S. Department of Commerce told them consumers need to be given a choice of opting in only when marketers seek to combine information gathered online with personally identifiable data gathered offline.

In another communication with NAI members, the FTC took a far broader stance, a participant said: Web sites would have to get consumers to opt in when collecting personally identifiable information, but need only ask consumers to opt out when collecting "behavioral" data--information gleaned from tracking users across multiple sites.

The NAI previously suggested its members would agree not to combine personally identifiable data with previously gathered anonymous data, and that offline data would only be combined with information gathered online when a consumer agreed.

The FTC is eyeing a more aggressive measure: that third-party ad servers get permission first before collecting any personally identifiable information or anonymous behavioral data, said one person close to the situation. He cited the FTC's concerns about segregating anonymous and personally identifiable online data. (The FTC declined to comment.) DoubleClick, for example, planned to connect names to anonymous online data before suspending the controversial idea earlier this month.

"If a third party [that] the consumer doesn't know about starts targeting you with ads based on what you did on 10 other sites, that's scary, and [it's] unlikely the FTC will permit that," the industry executive said.


At a PaineWebber conference last week, DoubleClick Exec VP Jeffrey Epstein said an opt-in requirement would hike marketing costs by forcing sites to offer incentives to get people to share their data. The pool of consumers that could be targeted would shrink, he indicated.

While the FTC's strict opt-in concept would apply to third-party ad servers, industry officials fear it also could apply to marketers' own sites. They argued opting out is sufficient--if done clearly.

John Kamp, senior VP of the American Association of Advertising Agencies, said: "Our position is that clear notice that can be understood is a reasonable choice and that an opt-in standard goes too far and could cripple marketing uses of the Web."

Some privacy advocates contend the issue is whether consumers are informed and involved.

"If you [as a Web site] give the users real control over their information so they understand their choices and make it easy for them to use their controls, then the consumers are going to trust you," said Ari Schwartz, a policy analyst with privacy group Center for Democracy & Technology. "But if information is being collected by third parties or if you [give users] very limited controls, there's going to be very little trust."


Pete Blackshaw, CEO of Planet Feedback.com and a former interactive marketing executive at Procter & Gamble Co., said opting out "will become a remnant of an early trial-and-error approach to Internet market research."

Third-party ad servers' opt-out opportunities generally are weak, mainly because people may not be aware of them, Mr. Schwartz said.

Mr. Schwartz pinpoints 24/7 Media as an ad server with a particularly complicated opt-out, which requires users to e-mail additional information to stop getting ads.


David Moore, president-CEO, defended 24/7's practices, adding: "We support advertising in exchange for content. . . . If you are a consumer and you like my content, you have to tell me something about yourself," which 24/7 can share with advertisers. "If you don't want to tell me about yourself, then pay me for my content."

Through 24/7 Connect, its recently relaunched ad-serving technology, "we have the ability to tie offline transaction data with online profiles, but we will not do that unless someone checks off a box on their online registration form, and we will only tie their data going forward from when they checked the box," Mr. Moore said. "And we give [users] notice and the option to say 'no' [to that]."

But in a March 6 statement, Mr. Moore said 24/7 has "never merged anonymous clickstream data with personally identifiable data, and we pledge not to do so until our industry, working together with governmental agencies, establishes standards in this regard."

Sweepstakes sites--one way to collect personally identifiable data--such as DoubleClick's NetDeals and [email protected]'s MatchLogic's DeliverE don't reveal the ad server behind the sites until the user accesses the privacy policy.

"They are giving consumers choices, but making it incredibly confusing," Mr. Schwartz said.

Martin Smith, VP-business development at MatchLogic, said the company has "a fully opted-in database that we own," a database of non-personally identifiable information that is separate from a database of people's names and addresses who have given their permission to receive e-mail services.

"We extract only anonymous information from the opt-in database to do the statistical modeling--like age, gender, level of income . . . everything but name, land-based address and telephone number."

Some sites appear to be giving adequate notice.

Drkoop.com recently altered its relationship with DoubleClick as a result of the privacy controversy. The health site had used DART, a DoubleClick service to manage ad serving for advertisers, but switched to DoubleClick-owned NetGravity, which sells software that sites use to serve ads in-house.

AltaVista Co.'s new opt-in policy lets users know about information being collected and asks them first, Mr. Schwartz said.

He said some sites tell people what they'll do with personal information but give them no choice.

In the end, opt-in still may be the safest option for sites to take.

"It's hard to do a bad opt-in," Mr. Schwartz said.

Copyright March 2000, Crain Communications Inc.

Most Popular
In this article: