This morning, the Senate Homeland Security and Governmental Affairs Committee’s Permanent Subcommittee on Investigations (PSI) held a hearing entitled “Online Advertising and Hidden Hazards to Consumer Security and Data Privacy.” The hearing came on the heels of a report by the same name, released by the PSI committee staff yesterday.
The report – resulting from a year-long investigation into the online advertising ecosystem – is a bit of an odd read. It warns against “dangerous third parties,” and “invasive cookies,” and calls for “circuit breakers” to protect consumers. It goes on to say that the online advertising industry is complex and hard to understand. “In such an environment,” the report reads, “determining responsible parties when things go wrong can be difficult. What is clear, however, is that the one party who is least capable of monitoring and regulating advertising—the consumer—is the party who currently bears the full brunt of the losses when the system fails.”
Yikes. It’s as though the entire Internet – that complicated series of tubes – is devoid of self-regulation. Good thing that reality is a much prettier picture.
In reality, the DMA played an integral role in the creation of the Digital Advertising Alliance (DAA), a self-regulatory entity formed to develop, administer and promote responsible and comprehensive self-regulatory principles for online data collection and use. Today, the DAA program has expanded to cover the collection and use of Multi-Site Data across non-Affiliate sites over time, as well as to provide guidance for data collection in mobile environments. Unlike legislation, which is static and runs the risk of codifying practices that may become out-of-date even before a bill turns into law, industry self-regulation is nimble by its very nature and thus better suited to provide protections in cutting-edge, fast-evolving areas like online advertising.
Since DAA’s inception in 2008, DMA has served as one of two accountability programs responsible for enforcing the self-regulatory codes created by the DAA, which are incorporated into DMA’s Guidelines for Ethical Business Practice. As stated in its July 2013 ethics compliance report, DMA received over 300 complaints about online behavioral advertising (OBA) from March 2012 to June 2013. DMA’s Ethics Operating Committee reviews such complaints. Members that do not comply with Committee requests face DMA censure, suspension, or expulsion. Organizations, regardless of membership status, that do not cooperate and whose practices may also reflect potentially illegal activity are referred to law enforcement. The Committee meets approximately every eight weeks to review potential cases and to make its recommendations on appropriate actions for DMA in the particular matter. Consumers can file a complaint with the DMA if they believe that a practice or ad may have violated the Self-Regulatory Principles for Online Behavioral Advertising.
DAA’s Executive Director Lou Mastria had an opportunity to set the record straight as a witness at today’s PSI hearing, which focused similarly on consumer security and data privacy in the online advertising industry. His testimony addressed the substantial progress of the DAA Self-Regulatory Program in providing consumers transparency and choice. “The DAA is a model example of how interested stakeholders can collaborate to provide flexible, market-driven solutions to complex privacy issues,” he stated. He went on to note that the DAA “provides consumer-friendly privacy standards in a way that also ensures the continued vibrancy of the Internet and our nation’s place as the global leader in the data-driven economy.”
Over the course of two hours, the bipartisan group of senators questioned claims in the report, as well as those made by several witnesses testifying before the Subcommittee.
In his opening statement, Senator Levin noted that, “The Subcommittee’s report […] highlights the hundreds of third parties that may have access to a consumer’s browser information with every webpage they visit.” He continued, saying “as consumers use the internet, profiles are being created based on what they read, what movies they watch, what music they listen to, on and on. Consumers need more effective choices as to what information generated by their activities on the internet is shared and sold to others.”
From the start of the hearing, Senator McCain lashed out at witnesses from Google and Yahoo, saying that companies don’t take issues like “malvertising” seriously. “Consumers who venture into the online world should not have to know more than cyber criminals about technology and the Internet in order to stay safe,” McCain stated in his opening remarks. “Instead, sophisticated online advertising companies like Google and Yahoo, whose representatives are here with us today, have a responsibility to help protect consumers from the potentially harmful effects of the advertisements they deliver. Deciding who should bear responsibility when an advertisement harms a consumer can be a technical and difficult question. But, it can’t continue to be the case that the consumer alone pays the price when he visits a mainstream website, doesn’t even click on anything, but still has his computer infected with malware delivered through an advertisement.”
Overall, though, the hearing proved a triumph for online advertisers – and for self-regulation.
During the question and answer period following the first panel, Senator Johnson questioned whether government regulators are agile enough to monitor online advertisers better than Web giants such as Google and Yahoo, which have a financial incentive to keep consumers safe online and employ hundreds of security professionals.
Senator McCaskill questioned whether “malvertising” is really such a big problem, noting it may account for less than 1% of all online infections. She stated that efforts to combat the practice would be better spent on educating consumers about regularly updating their software and other best practices.
During her testimony, the Federal Trade Commission’s (FTC) Maneesha Mithal said that the FTC supports continued industry self-regulation in the online environment. She outlined several additional steps to protect consumers with regard to online advertising, recommending more widespread consumer education about how consumers can protect their computers against malware, and reiterating the FTC’s support for enactment of a strong federal data security and breach notification law.
For more than forty years, DMA has promulgated and enforced robust and effective Guidelines for Ethical Business Practice, which guide marketers in the responsible collection and use of data for marketing purposes across all channels – including, in recent years, the entire online advertising ecosystem. DMA continues to believe that self-regulation is the appropriate approach to address complex, dynamic data policy issues in an era of fast-changing technology and evolving consumer preferences.