Think Do Not Track Is Defined? Think Again

There was a time when the Network Advertising Initiative (NAI) was the only self-regulatory game in town.

Formed in 1999 to enforce self-imposed rules for online advertising, its visibility has been at a low ebb since heightened attention from the FTC and Congress sparked a new umbrella group, the Digital Advertising Alliance. The NAI is now just one member of a self-regulatory regime that includes the BBB, ANA, IAB, and others. Meanwhile, industry debate has shifted away from self-regulation to Do-Not-Track.

But the NAI is still doing its thing, enforcing what many (but certainly not all) would consider “tough enough” standards for ad tracking disclosure and opt-outs.
Its executive director, 42-year-old Marc Groman, is passionate about the privacy issue, having worked as Chief Privacy Officer for the FTC (under three different chairmen) and as counsel on the Energy and Commerce Committee in the U.S. House of Representatives.

This week Groman is in Amsterdam, attending an in-person meeting of the World Wide Web Consortium (W3C) working group charged with hashing out the tech specs for Do-Not-Track. He spoke with AdExchanger…

Before we get to the NAI and Do-Not-Track, what are your personal observations about the online privacy issue? Where are we at with it?

MARC GROMAN: As a general matter, I’ve been fairly pleased with where the FTC has been moving with privacy, and also generally pleased with where the current administration has gone with their Department of Commerce report.

I think that’s one of the points that I would highlight and compliment them on. What I’m pleased with is this focus on high‑level privacy principles that are technology neutral and business model neutral, that can adapt to rapidly evolving technology and business models. The focus, in the administration report and the privacy report and elsewhere, is on really important principles around notice, choice, transparency, data security, and pointing out how they need to be applied in a way that is flexible and scalable to accommodate different sectors of the economy and different technologies.

One of the other areas that I am really big on is privacy by design. I think that emphasis is incredibly important to this notion that wherever you sit in the ecosystem, whatever your business model is, or even if it’s not a business model if you’re the government or a nonprofit, is that as you develop a product or a service, you ought to consider privacy considerations from the inception of your program, analyze risk and then bake in the privacy protection from the beginning.

That emphasis is really important, and it’s something that I’m trying to drive home with NAI and our members as well.

What is the NAI’s primary role at this point in its evolution?

Our primary role is to be a self‑regulatory body that develops and enforces really high standards for third parties in the online advertising ecosystem. We are first and foremost about self‑regulation. We have a code of conduct that has among the highest standards in the industry, obviously above any legal requirements that currently exist in the United States. We require our members to comply with those standards. We do compliance every year and we publish reports. We constantly update those standards. Throughout our core, it’s about self‑regulation with accountability, enforcement and compliance.

The Digital Advertising Alliance was created to lead the charge on self‑regulation, industry wide. Why do we need two bodies to do that?

We have different and complementary functions. One thing to recognize is who the NAI membership is. We are about 95 companies. All of our companies are third parties or intermediaries in the ecosystem. Whether they are networks, exchanges, demand‑side platforms, DMPs, we are third parties. DAA, to its credit, covers a whole ecosystem. There are brands and advertisers and data brokers and ISPs and social networks and others. We have a specific focus on third parties. In our standards and the NAI code of conduct there is a delta there. There are places where we have higher standards for our own members.

The other piece I want to mention is the difference in the compliance program. NAI is not an attestation model of self‑regulation. In other words, you can’t write a check and then promise to comply with our code and become a member. Before you even become a member of NAI, you have to undergo a rather comprehensive and rigorous precertification review of your business. We send you a questionnaire. We read your privacy policy. We read your marketing materials. We ask you questions about how your business operates and make sure you develop an opt out script that works. It’s a fairly lengthy process to become a member.

Then, after that, every single year there is a mandatory compliance review that is actually more intensive than your precertification review that you have to do every year. We don’t wait for a consumer complaint. We don’t wait for a competitor complaint, although we respond to them. We are the only self‑regulatory body that has a mandatory annual review and a precertification review. I’m really proud of it. That’s one of the reasons why I was pretty excited to come to NAI.

Has that rigor helped the industry? Do legislators get it? Does the FTC get it? Do consumer privacy groups get it?

I am concerned that they don’t get it to the extent that I would like them to. There is a really unbelievable benefit to compliance and to self‑regulation. I’ve been stunned at some of the things I have observed, since I came into NAI, through our compliance program and precertification review. There is no member of NAI who has not had to make a change to become a member. We have had at least two companies in the past year actually terminate a line of business, because we said it wasn’t compatible with the code and they wanted to be a member. That kind of compliance adds a tremendous value to the ecosystem.

But we haven’t done as well as we should in really conveying that and making sure that people understand what the value of self‑regulation is. I’ll be first to say that self‑regulation without teeth, without enforcement and accountability and compliance doesn’t add value. But, when you’ve got that kind of accountability and enforcement procedures, it really helps.

What is your assessment of the process within the W3C and the Tracking Protection Working Group, which is overseeing the tech specs for Do-Not-Track? 

One of my concerns overall is that the debate around what has been dubbed or termed “Do not track” is very complex. It really is much more complicated than some people would like everyone to believe. When people attempt to oversimplify what a Do-Not-Track mechanism is or what it means, that is really problematic for everybody. That’s a real concern I have. The term itself is confusing. What it ultimately will mean is confusing. How it will be implemented, if at all, by different browsers who have a tremendous amount of input here, is concerning to a lot of people. So there are certainly questions about privacy.

But there are really other important issues that need to be addressed as well around what would be lost from a Do-Not-Track mechanism, what competitive issues it raises, what we think the World Wide Web will look like in a post Do-Not-Track world, if this is implemented improperly. I am genuinely concerned that all of those issues are not being adequately addressed and considered as this train moves forward at a very rapid pace.

Do you think there is still time to shift this debate, redefine Do-Not-Track, go back to the drawing board?

Your question about redefining Do-Not-Track suggests that it’s been defined already. I think I would challenge that. Sure, maybe it’s been defined in the media or maybe some people have a vision for it, but if you examine where the Tracking Protection Working Group currently is after well over a year, really fundamental issues remain. There’s no definition of “tracking.” There’s no decisions on what conduct or collection can or cannot exist afterwards. There’s really open questions about what the user interface might look like.

This is what I mean when I say it’s a very complicated issue with some very serious decisions yet to be made. Certainly it’s true that the browsers have made decisions to implement a DNT “1” signal, but absent a more broad agreement on what that should mean and how it should operate we still have a ways to go to define what “Do not track” is or will be.

As browsers including Internet Explorer turn DNT on by default, is it the obligation of a website or an ad network to honor that setting? That seems to be the really big sticking point at the moment.

That is a very serious issue. I’m somebody who really believes there are legitimate questions about online privacy and about harms that can come from certain conduct online. I’m concerned that the Do-Not-Track [proposal] that is currently on the table or being contemplated, a) really doesn’t address most of them and, b) if it is implemented in a way that is default “on,” there are some unintended consequences from that. It sets up some perverse incentives in the marketplace that I wish would be discussed a little bit more.

Where should that discussion happen?

There are a number of venues for it to happen. Certainly the industry itself has a role to play there in helping to define how it should happen. I think self‑regulation has done a fairly good job so far. But, it’s a journey, not a destination. We are still working on improving a wide range of practices, making sure the opt-out mechanisms work, the icon is good and that consumers have real choice. We were hoping to work with all the browsers to create a new mechanism that could involve a browser‑based choice mechanism. That may still be possible. But it’s a conversation that needs to happen in multiple venues.

Most importantly, the question is who should be part of that conversation? I think that a lot of players who will be most impacted just have not been at the table yet, particularly small publishers and small businesses. This isn’t even on their radar and yet they’re likely to be the ones most impacted.

It’s the oversimplification that has really, really troubled me. The notion that you can spit out this three-word mantra. It sounds so appealing, and yet when you get down into the details of how would this be implemented, what would it mean, Do-Not-Track doesn’t mean stopping collection. Everyone has conceded collection can’t stop. It’s how the web functions. Since we all know that data collection can’t stop, what’s on the table is off the table.

First parties won’t be touched, so to the extent that you’re providing all your data to a very large first party, which could have multiple affiliates, that collection continues. Collection with search and other things all continues. So what’s the consumer really going to understand about this new mechanism? Will they believe things are stopping that aren’t?
