The DMA Offers Recommendations While Participating at FTC-Department of Commerce Workshop on Online Profiling

WASHINGTON, Nov. 7 -- Companies should notify visitors to their Web sites of third-party ad servers that collect information as a result of individuals' interaction with the Web sites. The Web sites should identify the ad servers and provide a means for the individual to contact the ad server. The Direct Marketing Association (The DMA) will make these recommendations while participating in a public workshop on online profiling that is being co-hosted by the Federal Trade Commission and the U.S. Department of Commerce on November 8.

"Individuals using the Internet need to be notified when data about them are being collected, whether it is personally identifiable or more generic navigational data," said Jerry Cerasale, senior vice president, government affairs, The DMA.

There were three different parties involved in ad-serving technologies being discussed in the profiling workshop: (1) the Web site; (2) the third-party ad server (the company that services a banner ad on a Web site); and (3) the advertiser. The relationship and use of individual information by these parties is the focus of The DMA's testimony.

"With regard to online ad serving technologies, all parties involved, the Website, the advertisers and the ad server, need to provide effective privacy notices that will give individuals a clear understanding of what type of information is being collected and what it is being used for. They should also gives them the option to opt out of personally identifiable information exchanges," Cerasale said.

"The use of third-party ad servers and navigational data is beneficial to the individual's Internet experience, by enabling customization and personalization of the Internet experience," Cerasale said. "Nevertheless, it is important that such data be collected with the individual's knowledge and choice." To help address these issues, The DMA will make the following recommendations at the workshop:

-- Web sites should provide notice to consumers of all third-party ad servers that collect information as a result of an individual's interaction with their sites.

-- Notice should be included in the Web site's posted privacy policy and include a hyperlink to the posted privacy policy of the third-party ad server.

-- Consistent with The DMA's Privacy Promise, Web sites that collect personally identifiable information should provide notice of the transfer of information to third parties and provide an ability to opt out of such transfers.

-- Individuals should have the opportunity to opt out of the transfer of the personally identifiable information from the Web site to the third-party ad server.

-- Third-party ad servers should provide individuals with notice of the types of information that they collect from Web sites on which they serve ads.

-- Third-party ad servers should provide notice of the types of information that they collect as a result of an individual's interaction with the Web site.

-- If navigational data are to be used in an identifiable manner by the ad server, that should be disclosed. If they are not, but may be used in the future, that possibility should be disclosed as well.

-- Where a third-party ad server collects personally identifiable information as a result of an individual's interaction at the Web site, the third-party ad server needs to provide individuals with an opt-out for the collection and use of this information.

-- Opt-out of the collection of non-personally identifiable information should not be required. Third-party ad servers may offer such an opt-out as a good business practice for their industry sector; however, this should not become an industry-mandated practice.