Three of the four largest ISPs (Internet service providers) in the U.S. said Thursday that they will adopt policies that require them to get meaningful permission from customers before tracking online activities.
Representatives of AT&T, Time Warner Cable and Verizon told a U.S. Senate committee that they currently do not engage in behavioral advertising that uses subscribers' Web activities to deliver contextual ads. If the ISPs decide to start behavioral advertising programs, they will give customers a detailed description of the ad program and ask for permission before tracking online activities, the companies said.
However, the ISPs also suggested that legislation is not now needed to protect customer privacy online. Despite a flurry of concern in recent months about some ISPs tracking subscriber activities, lawmakers should give ISPs and Web businesses time to develop a set of best practices for behavioral advertising and information collection, said Tom Tauke, Verizon's executive vice president for public affairs, policy and communications.
"At this juncture, we aren't prepared to endorse legislation," Tauke told the Senate Commerce, Science and Transportation Committee.
Verizon has recruited other ISPs and Web businesses to join a group focused on drafting best practices, Tauke said. That group should have some preliminary guidelines drafted by the end of the year, he said.
Representatives of all three large ISPs told lawmakers that their policies governing targeted advertising will be to require informed customer consent before tracking their activities and collecting their data. Since late last year, a handful of ISPs ran trials or signed up to use a subscriber tracking and targeted ad service from 2-year-old vendor NebuAd, and some privacy advocates protested, saying NebuAd's techniques, including deep packet inspection of Web traffic, could be illegal.
The NebuAd model required ISP customers to opt out of the online tracking. Earlier this month, NebuAd said it was delaying its ISP behavioral advertising program while Congress looks at the issue.
But even a simple click-yes-to-opt-in model isn't comprehensive enough, Tauke said at the Senate hearing. In many cases, Web users opt into something without reading the fine print, he said.
An opt-in approach needs to be conspicuous, lay out the options in detail and allow customers to opt out later if they chance their minds. he said. Subscribers "want to be in control of their online experience," Tauke added. "Most consumers, I suspect, are like me. We're trying to do something online, a screen pops up, we hit 'OK' or 'continue' and move on, not really aware of what we just opted into."
AT&T also supports a industry-developed standards, said Dorothy Attwood, the company's senior vice president for public policy and chief privacy officer. However, any government-developed rules should apply to Web sites and advertising firms, as well as ISPs, she said.
"Right now, there is behavioral targeting in the online environment, and it is by Web actors who don't have direct customers to answer to," she said. "The disadvantage [of a Web advertising model] is that your customer is your advertising industry, it's not our customers."
Customers will be confused if ISPs and Web sites have different privacy rules, Attwood added. "When the customer turns on a computer and goes to a Web page ... I can't do anything to protect that customer from being tracked by other entities who are not at this hearing," she said.
Senator Byron Dorgan, a North Dakota Democrat, noted there's already customer confusion about privacy protections online. A poll released Thursday by the Consumer Reports National Research Center, shows that 61 percent of respondents are confident that their online activities are private and not shared without permission, and another 57 percent incorrectly believe that companies must identify themselves and indicate why they are collecting data and whether they intend to share it with other organizations.
Forty-eight percent of those polled incorrectly believe their consent is required for companies to use the personal information they collect from online activities, Dorgan noted.
Dorgan asked the ISPs what information they now collect about their subscribers unrelated to targeted advertising. AT&T does collect "lots of information" for purposes such as improving service, Attwood said, but she didn't elaborate further.
While the ISPs and some committee Republicans called for ISPs to create their own privacy guidelines, Gigi Sohn, president of consumer advocacy group Public Knowledge, called herself "the skunk at the self-regulatory party."
The ISPs suggested competitive pressures will force them to stick to privacy best practices. Sohn disagreed. "The problem is, at least in broadband, that there isn't that much competition," she said. "The notion that there's going to be this competitive pressure -- I'm dubious."