The leading trade associations in the online advertising industry have just released their new self-regulatory principles—the first comprehensive self-regulatory principles industry has produced, which track closely with the suggested guidelines released by the FTC in February.

I commend the industry for setting a new standard in transparency, consumer control and data security. These Principles do much to empower Americans to make their own decisions about privacy, but I fear that many critics of so-called “targeted advertising” will never be satisfied, no matter how high industry raises the bar.

These critics have insisted that ordinary users can’t be trusted to make the “right decisions” about privacy and have insisted on imposing restrictive default “opt-in” rules for the online data collection that makes online advertising valuable to websites that rely on ad revenue.  Such pre-emptive privacy regulation would stunt the growth of revenue for the “Free” online content and services we’ve all come to take for granted.  During a time of economic recession, and as traditional media like newspapers struggle to make the transition from print to the Internet, it’s more important than ever that policymakers allow self-regulation to evolve.  Only by doing so can we expect continued innovation and creativity online. We must all remember:  There is no free lunch!

I’ll lead a panel discussion on July 10 on Capitol Hill about “Regulating Online Advertising: What Will it Mean for Consumers, Culture & Journalism?”  Please RSVP here.

by Berin Szoka & Adam Thierer

This morning, the House Energy & Commerce Committee will hold a hearing on “Behavioral Advertising: Industry Practices And Consumers’ Expectations.” If nothing else, it promises to be quite entertaining:  With full-time Google bashers Jeff Chester and Scott Cleland on the agenda, the likelihood that top Google officials will be burned in effigy appears high!

Chester, self-appointed spokesman for what one might call the People for the Ethical Treatment of Data (PETD) movement, is sure to rant and rave about the impending techno-apocalypse that will, like all his other Chicken-Little scenarios, befall us all if online advertisers were permitted to better tailor ads to consumers’ liking. After all, can you imagine the nightmare of less annoying ads that might actually convey more useful information to consumers? Isn’t serving up “untargeted” dumb banner ads for Viagra to young women and Victoria’s Secret ads to Catholic school kids the pinnacle of modern online advertising?  Gods forbid we actually make advertising more relevant and interest-based!  (Those Catholic school boys may appreciate the lingerie ads, but few will likely buy bras.)

Anyway, according to National Journal’s Tech Daily Dose, the hearing lineup also includes:

• Charles Curran, Executive Director, Network Advertising Initiative
• Christopher Kelly, Chief Privacy Officer, Facebook
• Edward Felten, Director, Center for IT Policy, Princeton University
• Anne Toth, Chief Privacy Officer & Vice President, Policy, Yahoo!
• Nicole Wong, Deputy General Counsel, Google

That’s an interesting group and we’re sure that they will say interesting things about the issue. Nonetheless, because four of them have a corporate affiliation that fact will inevitably be used by some critics to dismiss what they have to say about the sensibility of more targeted or interest-based forms of online advertising. So, we’d like to offer a few thoughts and pose a few questions to make sure that Committee members understand why, regardless of what it means for any particular online operator, targeting online advertising is very pro-consumer and essential to the future of online content, culture, and competition.  As Wall Street Journal technology columnist Walt Mossberg has noted, “Advertising is the mother’s milk of all the mass media.”  Much of the “free speech” we all cherish isn’t really free, but ad-supported!

Our Approach

We have previously set forth a framework for analyzing advertising policy issues in two PFF reports: “Online Advertising & User Privacy: Principles to Guide the Debate” and “Targeted Online Advertising: What’s the Harm & Where Are We Heading?” At root, our model depends heavily on two common-sense, and inter-related, principles:

1. We live in a world of trade-offs; and
2. There is no free lunch.

Their Approach

We are deeply concerned that too few people are talking about—or even understand the relevance of—those two principles in the debate over targeted online advertising. It seems that too many who wish to retard the further evolution of the advertising marketplace are living a lie based upon the antithesis of our model. Many privacy advocates seem to imagine that regulatory actions don’t have consequences and that Congress can simply mandate new privacy standards for the Internet without having any impact on the free flow of ideas supported by, and direct facilitated through, advertising.

Simply put, the privacy critics often imagine that their values are indicative of everyone’s values. Our blogging colleague Jim Harper of the Cato Institute has referred to this as “preference imposition” but we’ll use a simpler term: Elitism. In essence, privacy advocates seem to believe that:

1. People are too ignorant, busy or just plain stupid, and cannot be trusted to make wise decisions for themselves (or their children); and/or
2. Everyone shares the same values or concerns when it comes to privacy such that a national “baseline” regulatory standard (namely, mandatory “opt-in” regulations for data collection and use) should govern the entire online marketplace.

Let’s be clear: Such a mandate, and the thinking behind it, would greatly impoverish the future Internet economy. Too many people think of the Internet as a magic box that just keeps cranking out free goodies. But something powers that box of goodies: advertising.  More than anything else, it’s advertising that keeps the Internet “Free, Innovative & Open,” to borrow the slogan of our friends at CDT, which seems to flirt with joining the PETD movement, despite their well-earned reputation for pragmatic skepticism of government interference with the Internet.

The regulatory advocates complain that giving consumers the right to opt-out of data collection and use isn’t meaningful because very few consumers will exercise the opt-out.  Again, they presume that this must be because users just don’t know what’s good for them because of course if they really understood what was being done with “their data,” they would never choose to just “give it away” for a few scraps from the advertisers’ table.  It never occurs to them that (i) many, perhaps most, users just don’t care and that (ii) that their “ignorance” about the all specific details of “how the sausage is made” (online data collection and use practices for targeting advertising) may be completely rational.

But just as importantly, would-be privacy regulatory don’t seem to understand—or perhaps simply don’t care—that what’s true of opt-out is also true of opt-in:  in practice, few people will bother doing either.  In a world of perfect information and infinite time, of course, there would be no difference in outcomes with the two different rules.  But in the real world with real constraints on time, knowledge and everything else, mandating opt-in would make all the difference in the world by severely limiting the ability of advertisers to target advertising.

The Ignored Trade-offs

We’ve been assembling evidence on the real-world costs of restricting targeted advertising. Here are just a few data points we’ve seen to give you a sense of what’s at stake:

• Relevance to Users: The best evidence that users prefer seeing more relevant ads is their increased likeliness to actually click on an ad—instead of just ignoring it or trying to block it. The most recent study of this issue concluded that Click-Through Rates (CTR) can be improved by as much as 670% by using basic behavioral targeting as compared to simple contextual targeting—0r even more than 1000% using more sophisticated targeting. Conversion rates (the percentage of clicks that actually result in a sale) also strongly indicate that consumers find ads more interesting, and in one 2005 study, were estimated to increase up to 3000% with behavioral targeting.
• Macro: More Revenue to Fund All Services & Content: eMarketer (in June 2008) estimated that U.S. spending on behavioral targeting would grow from $.775 billion in 2008 to $4.4 billion in 2012—representing fully a quarter of display ad spending.  The total amount of money at stake is huge:  U.S. online ad revenues totaled $23.5 billion in 2008.
• Micro: More Revenue for Individual Publishers: Estimates on the increased profitability of behavioral targeting range as high as 1200% (eMarketer).

While these examples illustrate the broad outlines of the trade-offs ignored by privacy regulatory advocates, the key dilemma to understand is this: If, under an opt-in regime, publishers would be able to target advertising for webpages based on the keywords contained within those pages, and not on other content the user has looked at, the value of most Internet content will depend not on how many eyeballs it attracts but primarily on the economic value of the keywords that are directly associated with it. Pages with keywords related to products and services will fetch a fine price because advertisers will be able to make money off ads on those pages ( e.g., a site for digital camera reviews). But content with little commercial value will generate little revenue. Indeed, this is perhaps the single greatest problem faced by journalism sites. Who wants to advertise on a story about North Korea? How many users are going to be interested in taking a honeymoon in the DMZ?

But if such websites could target advertising to users’ user’s likely interests based on an anonymous profile of their interests created by collecting data about their browsing “behavior,” web content becomes valuable because of the audience it attracts, not just because the content itself serves as a rough proxy for a user’s interests. This democratization of Internet advertising revenue is essential for sustaining the future of journalism in particular, but also for “free” culture more generally.

As we noted in our response to the FTC’s proposed self-regulatory guidelines on data collection for advertising:

Depending on how regulation is structured, therefore, it is possible that new privacy mandates would severely curtail the overall quantity of content and services offered—and greatly limit the ability of new providers to enter the market with innovative offerings. Alternatively, or perhaps additionally, companies would change the character of their offerings and water-down sophisticated services that cater to consumer demand; in other words, the quality of service would deteriorate. Bottom line: Something must give because there is no free lunch. Regulation is a giant game of economic whack-a-mole: Attempting to control one of the primary variables of price, quantity, or quality inevitably results in non-optimal adjustments in the other two variables. The absence of price as a variable in this context means there is one less variable for the government to control in the first place. Simply stated, stifling the evolution of the online advertising marketplace will likely result in fewer free online services and less content, less high-quality online services and content, or some combination of both… We stand at an important crossroads in the debate over the online marketplace and the future of a “free and open” Internet. Many of those who celebrate that goal focus on concepts like “net neutrality” at the distribution layer, but what really keeps the Internet so “free and open” is the economic engine of online advertising at the applications and content layers. If misguided government regulation chokes off the Internet’s growth or evolution, we would be killing the goose that laid the golden eggs…. These observations are even more relevant to the online marketplace, where advertising has been shown to be the only business model with any real staying power. Walled gardens, pay-per-view, micropayments, and subscription-based business models are all languishing. Consequently, the overall health of the Internet economy and the aggregate amount of information and speech that can be supported online are fundamentally tied up with the question of whether we allow the online advertising marketplace to evolve in an efficient, dynamic fashion. Heavy-handed privacy regulation (or co-regulation) could, therefore, become the equivalent of a disastrous industrial policy for the Internet that chokes off the resources needed to fuel e-commerce and online free speech going forward.

Our Challenge to the Advocates of Privacy Regulation

For these reasons, we have repeatedly issued the following three-part challenge in our previous work to those who advocate the regulation of online advertising:

1. Identify the harm or market failure that requires government intervention.
2. Prove that there is no less restrictive alternative to regulation.
3. Explain how the benefits of regulation outweigh its costs.

We’re still waiting…

We’ve also made it clear that there is an alternative to the pre-emptive, one-size-fits-all regulation demanded by the regulatory advocates:  We’ve proposed a “layered approach” based on user education, user empowerment, self-regulation and FTC enforcement of privacy policies.  Our goal is as follows:

The ideal state of affairs would be to create a system of tools and data disclosure practices that would empower each user to implement their personal privacy preferences while also recognizing the freedom of those who rely on advertising revenues to “condition the use of their products and services on disclosure of information”—not to mention the viewing of ads! Self-regulatory efforts can be refined, especially through technological innovation to better satisfy the concerns of policymakers, privacy advocates, and average consumers. For example, if websites and ad networks participating in a self-regulatory framework supplemented their current “natural language” privacy policies with equivalent “machine-readable” code [ e.g., P3p], that data could be “read” by browser tools that would implement pre-specified user preferences by blocking the collection of information depending on whether the privacy policies of certain websites or ad networks met the user’s preferences about data-use. Such robust and granular disclosure, if implemented for behavioral advertising, would exceed the wildest dreams of those who argue that users currently do not read privacy policies—without disrupting the browsing experience or cluttering websites. But this system would only work if users had to make real choices about “pay*ing+ for ‘free’ content and services by disclosing their personal information.”

A Final Word About Advertising

On some level, this debate isn’t about user privacy at all, but about the alleged evils of advertising as inherently manipulative.  Jeff Chester straddles both camps.  His rantings about the use of “neuromarketing” boil down to the same simple idea that the Neo-Marxists have been pushing for decades:  Since people are stupid, ignorant and/or lazy (see above), they’re easy to control and trick with shiny objects, pretty faces, memorable slogans, and catchy jingles. No better response to this argument has ever been made than was offered in this 1959 magazine ad by the ad firm Young & Rubicam (emphasis added for Chester’s benefit):

There is no chestnut more overworked than the critical whinny: “Advertising sells people things they don’t need.” We, as one agency, plead guilty. Advertising does sell people things they don’t need. Things like television sets, automobiles, catsup, mattresses, cosmetics, ranges, refrigerators, and so on and on. People don’t really need these things. People don’t really need art, music, literature, newspapers, historians. wheels, calendars, philosophy, or, for that matter, critics of advertising, either. All people really need is a cave, a piece of meat and, possibly, a fire. The complex thing we call civilization is made up of luxuries. An eminent philosopher of our time has written that great art is superior to lesser art in the degree that it is “life-enhancing.” Perhaps something of the same thing can be claimed for the products that are sold through advertising. They enhance life, to whatever degree they can.

I’ve already laid out my own reactions to Google’s roll-out of an “interest based advertising” (IBA) program here.  In a nutshell, I applauded Google setting a new “gold standard” in user empowerment by providing:

• Notice in their IBA-targeted ads of who’s paying for the ad and the fact that Google is serving it; and 
• A link to a powerful “Ad Preference Manager” that allows users to:
  • See and modify the “digital dossier” (to use the fearmonger’s term) of interests associated with the cookie on their computer; and 
  • Opt-out of tracking for IBA purposes.    

But as I predicted, despite these pro-privacy features (and despite the fact that other major companies such as Yahoo! and Microsoft already have IBA programs), a number of privacy advocacy organizations are attacking Google for daring to enter the IBA (or “online behavioral advertising”) business at all.   I’ll have much more to say about the criticism of Google’s new Ad Preference Manager soon, especially coming from Marc Rotenberg of EPIC (a “disaster“) and Jeff Chester of CDD—precisely the sort of the “paroxysms of privacy hysteria” I predicted.  

But first, the criticism from Ari Schwartz of the Center for Democracy & Technology requires a response today.  At its best, CDT plays a vital role in calling corporations to continually raise the bar on privacy.  My own think tank, the Progress & Freedom Foundation, works closely with CDT on many issues, such as advocating user empowerment through technological means as a constitutionally “less restrictive” way of protecting children than government censorship.

 Here’s what Ari had to say:

[T]he opt-out is based on a failed premise. The truth of the matter is that the industry needs to work together to move beyond the discredited cookie opt-out model….  Google claims to have improved upon the old model by creating a plug-in for users to keep their opt-out cookie while deleting the rest of their cookies. While as a technical matter that may be true, without an industry-wide solution these plug-in options just serve to confuse users about what they need to do to protect themselves. If this plug-in approach catches on, will users need to download a plug-in from every network advertiser and every analytics company to stop the tracking? That model just isn’t sustainable.

Ari is setting up a straw man when he suggests that users are going to have to download a separate plug-in for every ad network.  The obvious solution, as Ari points out, is an industry-wide plug-in. But if it’s so obvious, why can’t CDT just write it themselves?  Indeed, why didn’t they write it years ago?

These aren’t rhetorical questions.  I  really  want to know what would be required to create a plug-in that does what Google’s plug-in does for every other ad network’s opt-out cookie in the Opt-out tool developed by the Network Advertising Initiative (NAI):  Maintain “persistent” user choice by checking to see whether a user has deleted whatever their opt-out cookies and, if so, restoring those cookies.  

CDT will probably insist that, if it’s really so easy to create such an industry-wide plug-in, NAI should have done so years ago.  Maybe so.  Perhaps if the industry had moved faster to innovate in privacy protection, they would be in a stronger position right now politically.  Of course, if the industry moves slowly in this regard, maybe that’s because they’ve got their hands full trying to keep advertising, the economic engine that funds the Internet’s “free” content and services, working-a reality Ari ignores.  Or perhaps it wouldn’t matter:  It seems that no matter what industry might do, it’s just not good enough for Ari.  Under the banner of “Keeping the Internet Open, Innovative and Free,” Ari is in fact leading CDT in a full-on attack on the Internet, pushing for regulation that will make the Internet:

• Less “Open” to competition among service providers and the diversity of voices and choices produced by online content creators who depend on advertising;
• Less “Innovative” in terms of new content, new services, new online personalization technologies, and new advertising business models that could broaden the base of economic support for the entire Internet; and
• Less “Free” both in political terms—“free” from government regulation and controls—and in financial terms—“free” to users because advertisers foot the bill.

CDT ignores these very real costs to crippling online advertising, which will ultimately be borne by the very consumers whom CDT claims to be protecting.  This is precisely why Adam Thierer and I have argued so strongly for a layered approach (and here at page 7) to privacy concerns about online advertising that combines self-regulation and tough FTC enforcement of privacy policies with a recognition that only by empowering individual users to make their own choices can we balance inherently subjective concerns about privacy with the need to fund the Internet’s future:

We stand at an important crossroads in the debate over the online marketplace and the future of a “free and open” Internet.  Many of those who celebrate that goal focus on concepts like “net neutrality” at the distribution layer, but what really keeps the Internet so “free and open” is the economic engine of online advertising at the applications and content layers.  If misguided government regulation chokes off the Internet’s growth or evolution, we would be killing the goose that laid the golden eggs. 

Back to the plug-in…  CDT argues that the opt-out cookie system is flawed in respects other than ensuring the persistence of user opt-outs.  We can debate that question.  But I’d just like to get a clear answer once and for all about why CDT hasn’t already developed this plug-in themselves.

Here‘s the NAI opt-out, Ari, and here‘s the code for Google’s plug-in—it’s open source! How much easier could Google have made this for you?  Quit yapping and start coding! 

Since CDT doesn’t seem up to the task, we’ve already modified the Google plug-in to preserve another ad network’s opt-out cookie (download our beta plug-in here) and are currently working to expand the plug-in to work for multiple cookies—which is simply a matter of coding.  We’d welcome help from anyone with experience in writing Firefox plug-ins. 

NAI could (and probably should) do this, themselves.  But if CDT wants to start being philosophically consistent about empowering consumers across in the board —on privacy issues as well as child protection issues—writing this plug-in themselves is a great way to shame the rest of the advertising industry into picking up where Google left off.   I suspect CDT’s failure to do so thus far reflects a crass political calculation that anything they does to empower users to manage their own privacy through technical solutions simply undermines their arguments that only government can protect users—thus weakening their push for regulation.  So much for CDT’s declared mission of “seek[ing] practical solutions to enhance privacy!”

Google’s new “Interest Based Advertising” (IBA) program represents the company’s first foray into what is generally called “Online Behavioral Advertising” (OBA):  In order to deliver more relevant advertising, Google will begin tailoring ads delivered through AdSense on the Google Content Network (GCN) and YouTube.com (but not Google.com).  This tailoring will be based on a profile of each user’s interests created by tracking their browsing activity across sites that use AdSense-but not search queries or other user information.  Until now, (i) AdSense has delivered essentially “contextual” advertising by choosing which ad to display on a page based on an algorithmic analysis of keywords on that page; and (ii) Google has tracked users’ browsing only for analytics purposes-to limit the number of times a user sees a particular ad (to prevent overexposure) and to allow sequencing of ads in campaigns where one ad must follow another. 

Google is sure to be attacked for crossing a “line in the sand” drawn by some privacy advocates between contextual and behavioral advertising-even though Google’s closest competitor, Yahoo!, already offers a similar program, and the concept in general is hardly new.  Google’s position as the leading search engine and third party ad-delivery network will no doubt cause paroxysms of privacy hysteria among those who consider targeted advertising inherently invasive, unfair or manipulative.

But those whose first priority is advancing consumer privacy, not advancing a political or regulatory agenda, should applaud Google for excluding sensitive categories and for putting the new Ad Preference Manager at the core of the company’s new IBA program.  The Ad Preference Manager sets a new “gold standard” for implementing the principles of Notice and Choice, which have formed the core of both OBA industry self-regulation and the various regulatory proposals made in recent years.  Indeed, Google has done precisely what Adam Thierer and I have called for:  giving consumers more granular control over their own privacy preferences by developing better tools.

How Google’s Ad Preference Manager Works

For years, debates about how OBA should be regulated (whether by industry or by government) have revolved around two key questions: 

• Notice: How should consumers best be informed about the data that’s being collected about them, how it’s being used, by whom, and so on?
• Choice: How should consumers be given the ability to opt-out of tracking for OBA purposes?

While there are significant philosophical disagreements about some aspects of these debates-such as whether the default should be opt-in or opt-out-much of the debate has come down to questions of implementation that may seem trivial or easily-solved to lay people:  Where should notice be provided?  If notice is provided in ads themselves, what should the link say and how big should it be?  By what technological means should users be able to opt-out of tracking?  Google has provided an elegantly simple solution to these questions. 

Google provides “notice” to users in two ways:

• In the ads.  In the bottom left corner of each AdSense ad on sites in the GCN, users will see the URL for the advertiser’s website.  This is already the case for all text ads, but not for display ads.  In the bottom right corner of both display and text ads, users will see an “Ads by Google” link.  Thus, the ad itself provides the user notice of (i) who’s paying for the ad and (ii) who’s serving it. 
• In the Ad Preference Manager.  If the user clicks the “Ads by Google” link, they will see which of the ~20 categories and ~600 subcategories have been associated with the tracking cookie in their browser.  Thus, Google provides notice to the user of what’s in their so-called “digital dossier.”

Google provides “choice” to the user in two ways:

• Editing categories.  The Ad Preference manager not only shows the profile that has been algorithmically assembled of their likely interests, but it lets them decide for themselves which categories they’re really interested in.  If a user finds that they have been placed in the “Automotive > Motorcycles” category but actually owns a SUV, they could select “Automotive > Trucks & SUVs”-or no Automotive category at all.  
• A persistent opt-out.  Users can decide to opt-out completely from having their data collected for IBA purposes.  That choice will be respected in the future, and will therefore be “persistent.”

The Persistent Opt-Out Plug-in

For roughly a decade, the OBA industry has operated under a self-regulatory scheme developed by the Network Advertising Initiative (NAI).  NAI lets users opt-out of receiving ads based on OBA targeting.  But privacy advocates have objected on three grounds:

First, privacy advocates argue that it’s currently too hard for users to find the NAI opt-out tool since users don’t know which ad network is serving which ads and there’s no obvious way to get from an ad to the opt-out option.  Google moots this argument by making its opt-out easily accessible to anyone who clicks on the “Ads by Google” link that appears beneath every IBA-targeted ad.

Second and most importantly, privacy advocates decry NAI’s opt-out because it isn’t “persistent”- i.e., it requires the placement of a special “opt-out cookie” on the user’s computer, which may be inadvertently deleted when users delete all their cookies.  Indeed, many users do precisely that on a regular basis through either their browser or antivirus software-thus erasing their own opt-out choice.  Google moots this argument too:  While Google’s opt-out also relies on a special opt-out cookie, Google has created an easily installed plug-in for the two most common Web browsers, Internet Explorer and Firefox, that ensures that the opt-out cookie is automatically recreated even if a user deletes their cookies.  For the Chrome and Safari Web browsers (which do not support plug-ins), Google has outlined a simple procedure whereby users can achieve the same result.

Third, many critics worry that any cookie-based opt-out mechanism still involves sending data to ad networks that the ad networks could use to track users-despite promises in their privacy policies not to do so.  Even though the FTC can enforce such policies, it may be difficult for users to determine what the ad networks are doing with the data they receive from users that have opted out of tracking.  Although Google’s system seems to be no different in this regard from how other NAI member companies handle opt outs, truly privacy-sensitive users could easily address this concern by configuring their Web browser to not send any data to these networks and/or not allow any persistent cookies, as we’ve discussed in our Privacy Solutions Series.   

A Superior Solution to a “Do-Not-Track” Registry

The privacy advocates who lambaste the inadequacies of the NAI opt-out system have demanded the creation of a government-run “Do-Not-Track” registry loosely modeled on-but very different in practice from-the FTC’s Do-Not-Call registry, by which over 170 million Americans have opted out of receiving telemarketing calls.  Google’s Ad Preference Manager provides a better system.

First, it proves that the “persistency” problem can be solved.  In fact, since Google’s plug-in is open source, these privacy advocates may be able to use it to create a browser plug-in that works for opt-out cookies from other NAI member companies.  Indeed, given how simple Google’s plug-in is, one wonders why they didn’t do this when NAI’s Opt-Out Tool was first made available.  Perhaps the technologists at these organizations have spent a little too much time developing elaborate regulatory solutions and too little time focusing on empowering users.  Or perhaps these organizations simply decided that creating such a tool would undercut their argument that only government intervention could protect users’ privacy.  Ironically, some of the organizations pushing Do-Not-Track have joined us in emphasizing the effectiveness of user empowerment tools in other contexts-such as online child protection, where parental control software offers a more effective alternative to government regulation of Internet content that also does less to restrict constitutionally protected speech.  Even more ironically, their Do-Not-Track proposal specifically calls for the development of browser-based tools to implement the government-maintained Do-Not-Track database.  In an era when anyone can write a browser plug-in that can achieve wild popularity (such as the roughly 43 million downloads of the Firefox plug-ins AdBlock Plus and NoScript), these advocacy organizations have little excuse for not practicing what they preach. 

Second, Google has set a new standard in both Notice-by including a link to the opt-out in every ad-and Choice-by respecting user’s opt-out preferences.  Other ad networks now face intense pressure to catch up with, or outpace, Google by implementing the same kind of Notice and Choice.  Indeed, NAI will now be expected to improve its own opt-out system with a browser plug-in capable of preserving opt-out preferences for all of its members’ ad networks.  To the extent that this plug-in might work better with cooperation from the ad networks, that cooperation should now be more forthcoming than ever. 

Third, if these privacy advocates’ real objection to any cookie-based opt-out system-whether the NAI opt-out tool or Google’s plug-in-is uncertainty as to whether opt-out preferences would really be respected by ad networks that continue to collect tracking data (as discussed above), who better than Google to lead the market in setting higher standards for privacy protection?  Ultimately, these standards will be, and should be, enforced by the FTC under its existing authority to punish unfair and deceptive trade practices.

What This Episode Says About Google

Some privacy advocates will argue that Google is just too big-and therefore too “scary”-to be allowed to engage in OBA, and may try to paint Google’s entry in the OBA marketplace as a net loss to privacy, notwithstanding the extremely pro-privacy way in which Google has implemented its “IBA” service.  But if this incident demonstrates anything about Google, it’s the following:

First, it’s no accident that Google is now leading the pack of third party ad networks by developing innovative solutions that respect consumer privacy.  Unlike most third party ad networks, Google is directly focused on the demands of consumers:  In addition to the ad network they acquired from DoubleClick, of course, Google offers consumers a wide array of other online services (search, email, maps, etc.).  Because these services (and their competitors) are all free, Google has to compete in what economists call “non-price terms”-such as privacy.  So, Google has a lot to lose by alienating its users and a lot to gain by being seen as a leader in privacy protection.  Would an independent DoubleClick have taken so much care to address privacy concerns?  As the developer of a competing search engine once said about the Internet search industry, ”you earn your right to be in business every day, page view after page view, click after click.”  

Second, it’s no accident that Google was a late-comer to the OBA market, lagging behind Yahoo! in particular.  The most likely reason Google has taken its time in rolling out an OBA product is that Google is subject to a unique level of scrutiny by privacy advocates by virtue of its size.  Being the “big kid on the block,” Google has to be especially careful not to appear to be “Big Brother.”  This reputational check on Google should allay some concerns about Google’s size.

Third, this episode also demonstrates the advantages of having a player like Google large enough to be able to singlehandedly set a new paradigm in privacy protection.  Google risks alienating some advertisers and publishers with its bold empowerment of users, but was willing to take those risks because of its incentives as a consumer-facing company and able to do so because of its leadership in the marketplace.  Uncomfortable as this reality may be for those who fret about antitrust issues and indeed for Google itself, the simple reality is that sometimes it takes “big dogs” to make self-regulatory systems truly effective.  For example, the video game industry’s highly effective content rating system has worked because the titans in that field were big enough to push through a tough system and keep it working.  Similarly, Microsoft has led the way for years in empowering users by offering in Internet Explorer the most sophisticated cookie management tools available in any browser, as we’ve discussed.  In a nutshell, privacy leadership requires scale. 

Conclusion

Google’s Ad Preference Manager, with its persistent opt-out plug-in, offers precisely the kind of robust opt-out that privacy advocates have always demanded.  Google deserves a rousing “Amen!” from privacy advocates.  But those who respond to this program by insisting that “more needs to be done on how to educate people and tell them how to opt out,” are right in two senses.  First, Google has shown other ad networks how to do more to empower users.  I am confident that they will rise to that challenge by continuing to refine self-regulation through technological innovation.  Second, this is by no means the last word in privacy protection from Google, which operates in the midst of continually-evolving privacy standards.  I expect Google and competing ad networks will continue to innovate in developing technologies that empower users to manage their own privacy-and that this competitive “race to the top” will improve online privacy protection in a broader sense beyond just advertising by putting pressure on other online service providers to improve their privacy practices and policies.

But I fear that too many privacy advocates will instead see this as just another reason for the government to intervene-perhaps because of fear of Google engaging in OBA or  because they think the government, not Google, should be developing privacy solutions.  Or perhaps they think Google’s system shows that a system of government-mandated solutions really could work.  To the contrary, Google’s approach is precisely the kind of innovation that would be discouraged by pre-emptive government regulation.  Worse, those who would freeze privacy protection in place would also freeze in place much of the Internet itself, precluding development of new business models that would compete with Google, allaying concerns about competition and benefiting consumers.  Why preclude broadband providers, for example, from figuring out how to deploy ad-targeting technologies in a manner that does as much to empower users with better privacy controls as Google has-especially when this could create a new source of funding for “free” content and services and even discounts on broadband? 

I hope instead that the effectiveness of Google’s approach will shift the policy debate about protecting user privacy back to an emphasis on the layered approach Adam Thierer and I have outlined, supplementing consumer education, industry self-regulation, existing state privacy tort laws, and  FTC enforcement of corporate privacy policies with increasingly powerful technological “self-help” tools that allow privacy-wary consumers to take privacy into their own hands.