The flood of news stories on the information-collection and on the internet behavioral marketing (“OBA”) practices of search engines, mobile apps, brand advertisers, and social networksis giving many men and women a quite distinct feeling: the creeps. Regardless of whether the stories are about concerns more than Facebook sharing its users’ profile facts with advertisers, Google bypassing default browser settings, or Target figuring out a teenager is pregnant just before her parents do, the natural reaction is to picture the companies’ personnel as shadowy, green-eyed peepers crouching in the darkness.
The curious factor about OBA practices is that it’s hard to identify the direct “harm” it causes. Courts have struggled with this concern in several privacy lawsuits. Plaintiffs usually fail since they can’t show legally cognizable harm. For their element, regulators are clearly unsettled by OBA, but even after getting comments from dozens of interested parties for a 2009 report, the FTC was unable to articulate whether or how OBA straight harmed customers. Academics have done intriguing investigation on the pros and cons of OBA, but the research has not but translated into any consensus on acceptable practices.
Consequently, industry leaders, privacy advocates, and regulators have not established normative guidelines based on the harm caused by various forms of OBA. Rather, they have focused on making a comprehensive “notice and choice” regime. Below this regime, customers are meant to see how their data is employed and decide on whether or not they want to allow such use. This is wonderful, assuming organizations participate, but it ignores a essential actual-world dilemma. News today of the California Attorney Common’s agreement with major app-enabling companies to alleviate information collection issues just with far more privacy policy announcements is the latest example of these efforts (in my view largely ineffectual). When it comes to OBA, most consumers are disadvantaged by what professionals call “knowledge asymmetry.” Even if organizations tell consumers precisely what data they’re collecting and how they’re using it, most folks do not have the expertise to understand the complete implications. This reality challenges the notion of “informed consent” and suggests that “notice and choice” are not sufficient.
But in the absence of concrete harm, how do we distinguish OBA practices that are benign from those that are unacceptably intrusive? Sadly, uproar more than the most up-to-date privacy outrage tends to blur these distinctions. There are, even so, at least seven factors that stand out as significant “creepiness” indicators. OBA that scores high on any of these variables ought to be scrutinized very carefully and, at a minimum, market leaders really should think about establishing guidelines that discourage such practices.
Creep Element No. 1: Linking behavioral data with distinctive identifiers
One of the most powerful methods to deliver targeted ads to consumers is to assign a exclusive identifier to individuals and track their on-line behavior across multiple web sites, platforms, and apps. Even so, as Apple located when its use of UDIDs (Unique Device Identifiers) resulted in a public outcry, this is also one of the practices customers find most disturbing. Even though Apple is eliminating the use of UDIDs from its development platform, app developers (and their marketing executives) are pushing tough to locate options. Some mobile marketing and advertising firms advocate the use of MAC addresses in lieu of UDIDs. Other people have proposed an open source UDID option. Setting aside security issues related with some of the UDID options (MAC addresses? Genuinely?), the dilemma with these options is they aren’t truly any less unnerving than the technologies they seek to replace.
Creep Factor No. two: Detail and scope of information collection
Most men and women have some tolerance for “being watched.” After all, we’re social creatures, and we comprehend that, at some level, other people will observe what we do and attempt to gain benefits from what they discover. But there’s a point at which information collection can make consumers feel like they’re trapped in a kind of Orwellian Panopticon. For example, if a information collection practice is both broad (i.e., relating to behavior in several contexts, like emailing, texting, net browsing, and voice calling) and granular (i.e., capturing specifics of the behavior, as in keystroke-logging), expect a sharp rise in the sale of tin-foil hats, simply because shoppers will do something to keep away from this kind of practice. Just ask companies like Phorm and NebuAd, who partnered with World wide web Service Providers a couple of years ago to use deep-packet inspection technologies to deliver targeted ads to users. If you want to know how that story ends, you can read all about it in the transcripts of the congressional hearing.
Creep Factor No. 3: OBA based on “negative” assumptions
It’s tough to envision how regulators would address this problem, because it is inherently subjective, but it is nevertheless relevant. OBA is all about creating assumptions based on recognized functions of the consumer. Nonetheless, these assumptions can have unfavorable, positive, or neutral connotations. If the underlying assumptions are unfavorable, buyers will most likely uncover this intrusive. For example, if I’m a marathon runner, I’m perfectly fine obtaining targeted advertisements promoting the latest workout app. If I’m a pudgy couch potato…not so much. (I’m a 42-year old lawyer who spends most of his day sitting in front of a computer monitor, so you can guess which scenario I determine with.) Consumers are considerably more likely to uncover OBA based on unfavorable assumptions (e.g., you’re fat and need to have to perform out) intrusive, not to mention tacky.
Creep Element No. 4: Sensitivity of information
There’s a reason the ancient penalty for peeping Toms was gouging out their eyes. Some information is so sensitive that, even if it’s anonymized, consumers will not tolerate its collection and use. For a notably disconcerting example, read the Wall Street Journal’s reporting on Neilson Co.’s practice of scraping a private on the internet forum for discussion threads from individuals suffering from emotional disorders. Neilson was monitoring what shoppers were saying about a variety of pharmaceutical products on the forum. The information Neilson collected wasn’t tied to folks and wasn’t employed for direct marketing purposes. But when the story broke, you could practically hear buyers sharpening their stakes.
Creep Factor No. 5: Impact on operability
This is 1 issue that courts view as a legally cognizable harm. If data collection and tracking technology significantly impacts the operability of users’ computers or mobile devices, as in the case of spyware, adware, and malware, the sense of intrusion can be overwhelming. Consumers will run, not walk, away from these kinds of practices.
Creep Factor No. 6: Ease of opting out
Zombie cookies are 1 example of this concern. They’re HTTP cookies that are automatically recreated (I prefer the word “respawned”—much creepier) immediately after users attempt to delete them. This technologies can make it virtually impossible for users to opt out of being tracked. Any firm utilizing zombie cookies to collect or monetize sensitive information is about as wholesome as John Hinckley, Jr.
Creep Element No. 7: Lack of notice
On the web apps and services might provide numerous varieties of notice to users about what’s becoming completed with their information, but it’s secure to say that any OBA information-collection practice conducted with completely no consumer notice is seriously disturbing. A good example of this is a practice known as “device fingerprinting.” Device fingerprinting creates a special identifier for computers, cell phones, and other devices based on a mixture of externally observable characteristics like installed font styles, clock settings, and TCP/IP configuration. In addition to being problematic because it creates a persistent, unique identifier (see “Creep Aspect No. 1”), this details is collected “passively,” and in most instances users can’t even detect that it’s happening.
There are undoubtedly many other “Creep Variables,” but I’ve tried to identify the worst of them. The point is that not all data collection and OBA poses the very same threat to consumers’ sense of individual privacy. By identifying specific practices most likely to be viewed as intrusive, sector leaders, trade organizations, and regulatory bodies might discover it less difficult to establish the level of notice required, or whether some practices must be prohibited outright. These criteria could also be helpful for firms developing OBA and tracking technologies who want to create sustainable companies.
After all, no one likes a creep.
Slade Cutter is a licensed lawyer, Certified Data Privacy Professional, and member of the Mobile Marketing Association’s Consumer Best Practices Committee. He provides general counsel and compliance consulting services to firms in the interactive media and e-commerce spaces.
[Credit for top image: Zurijeta/Shutterstock]
