Group: Online ad networks mostly comply with privacy rules

Despite concerns from some privacy groups and U.S. lawmakers about behavioral advertising, most large advertising networks generally comply with a set of privacy and data-handling standards adopted by the Network Advertising Initiative a year ago, the NAI said in a report released Wednesday.

The NAI's first annual audit of its members privacy and data-handling practices found "no compliance deficiencies" in most areas of the group's guidelines. The group's 38 members had appropriate mechanisms in place for Web users to opt out of targeted advertising, they complied with rules for the collection and use of personal data, and they had reasonable security measures in place to protect the data, NAI's report said.

"For self-regulation to be effective, there has to be a thorough and ongoing compliance process," Charles Curran, NAI's executive director, said in a statement. "The 2009 review shows that NAI members take consumer transparency and choice for online behavioral advertising very seriously, and are committed to meeting the requirements of the NAI Code. More importantly, this review shows how a strong self-regulatory program can help companies continuously improve their privacy standards by adopting best practices from across the industry."

NAI members encountered a couple of compliance problems, however. Ten NAI members did not disclose the length of their data retention periods for data used in behavioral advertising, as required in the guidelines. In addition, several members had weak programs to encourage their online partners to give customers notice and choice about behavioral advertising, the report said.

The NAI "found that the evaluated members largely lack robust programs for enforcing contractual notice requirements, or for otherwise ensuring that notice is present where data is collected or used for behavioral advertising," the report said. "NAI staff believes that member companies must take additional steps to help implement Web site publication of notice and choice mechanisms."

The 10 members that were not disclosing their data retention periods have either come into compliance or plan to do so shortly, the NAI said. NAI will work with member companies to develop a "comprehensive partner notice implementation plan" in the coming months, the report said.

The report comes after several privacy groups and U.S. lawmakers raised concerns over the past two years about online ad networks tracking Web users in order to deliver personalized advertising. Privacy groups such as the Center for Democracy and Technology (CDT) have called on the U.S. Congress to pass privacy legislation that would regulate how businesses use personal information.

NAI, whose members include Google, Yahoo and, should be praised for doing a compliance report after skipping it for several years, said Ari Schwartz, vice president and chief operating officer CDT. However, the group should consider using a third party to audit compliance of its privacy guidelines, instead of having NAI staff do the audits, he said.

In addition, while NAI members appear to be following most of the guidelines, some of the privacy safeguards are "weak," including the data retention standard, he said. "There's no maximum for data retention -- they just have to state what their data retention policy is," Schwartz added.

The NAI report doesn't lessen the need for new privacy laws, Schwartz said. Several online advertising networks are not members of NAI, and the recent public pressure has led to the NAI updating 8-year-old guidelines last year and issuing a compliance report for the first time in several years, although the group had promised regular reports, he said.

"It seems that when there's regulatory pressure, they actually do comply with what they said they were going to do," he said. "We certainly wouldn't want to see any regulatory pressure lifted."

More from IDG: