NAI Releases ‘Web Bug’ Guidelines

The Network Advertising Initiative (NAI), a coalition of online ad network operators and ad servers, Tuesday released guidelines for how Web sites and marketers should use “Web bugs” or “Web beacons,” small graphics files used to track user activity on a Web site.

The standards mostly mandate the industry’s preferred opt-out approach, instead of privacy advocates’ opt-in approach for user data. The Federal Trade Commission (FTC) issued a staff opinion supporting the standards, and NAI signed up TRUSTe to incorporate them in its seal of approval program.

The guidelines call for the deployer of Web bugs (or “Web beacons,” in NAI parlance) to give clear notice they are being used, through a link to the site’s privacy policy or notice of their use. The guidelines state the user should know if personally identifiable information is being collected. If the information will be shared with third parties, users are to have the chance to opt out of the transfer.

If a Web beacon transfers sensitive information — generally defined as health, financial, sexual, or political data — to a third party, it must then get users to opt-in.

“We hope these guidelines will standardize this technology in the marketplace, so businesses feel more comfortable and consumers feel more comfortable with this technology being used,” said Trevor Hughes, NAI’s executive director.

Web bugs have a variety of uses. Web publishers use them to track site traffic, unique visitors, and personalization features. Also, ad technology companies use Web bugs to track the performance of Web and e-mail ad campaigns.

Web bugs have caused controversy because of their data collection uses in marketing, and because of their use by spammers to record whether an e-mail has been opened, thereby verifying that an address is valid. Microsoft’s upcoming release of its Outlook e-mail client reportedly plans to address this issue, because the program would, by default, prevent Web beacons from loading in the preview pane.

Hughes said the guidelines make a clear distinction between an agent, a technology provider using Web bugs to serve a Web site, and a third party, which would use Web bugs to collect information for other purposes, such as marketing.

“If the service provider has no secondary use for the data, we determined that’s basically the same as the Web site doing it themselves,” Hughes said.

The Cleveland-based NAI is an online advertising industry consortium whose membership includes ad servers like Atlas DMT, 24/7 Real Media, and DoubleClick, as well as the companies such as the US Postal Service, Verizon, Microsoft, and others.

In the works for over a year, the NAI guidelines are meant to address how the dilemma of how online advertising delivers effective advertising while respecting consumers’ rights to privacy. Web bugs, as invisible files, are not apparent to the user, but can be crucial to a marketers tracking response patterns to online promotions and publishers seeking to compile visitor traffic patterns.

“Web beacons are a small, but critical technology,” said Hughes.

As part of its efforts to gain widespread consumer acceptance of Web bugs, the NAI brought its guidelines to the FTC for review. The FTC, which in May 2001 sided with the industry’s opt-out approach to online privacy, issued a staff opinion calling the guidelines helpful.

“We think these are a useful self-regulatory effort to guide the development of Web beacons,” said Bethany Matz, an FTC spokeswoman. ” In general, we like to encourage self-regulatory efforts.”

In addition, the NAI signed on TRUSTe to incorporate the Web bugs best practices into its network of 1,500 certified Web sites. The guidelines will begin as a recommended best practice, but the group said it would move to incorporate the guidelines into requirements for TRUSTe members. The Better Business Bureau Online also endorsed the guidelines.

“With the release of the guidelines, we believe that industry is making progress in building trust with consumers by creating transparency and accountability,” said Fran Maier, TRUSTe’s executive director.

Hughes said the endorsements of TRUSTe and Better Business Bureau was a big help for getting the standards accepted quickly.

“It means we don’t rebuild a compliance program,” he said.

Richard Smith, the Privacy Foundation’s chief technical officer, said the guidelines were a step in the right direction.

“It’s better than nothing,” he said. “It’s good to see they’re recognizing that they need to talk about this issue.”

Smith said he was disappointed the NAI did not take a simpler approach, such as making the Web bugs visible for users to click on to find out what they’re tracking.

The NAI hopes the standards can quell the furor unleashed by privacy groups in years past over privacy concerns, including the use of cookies to track Internet behavior. DoubleClick was long the target of investigations and lawsuits relating to its privacy practices. Recently, Avenue A settled all the privacy-related federal and state class action lawsuits levied against the company.

“It really puts a burden on companies to understand what’s happening on their Web sites,” Hughes said. “When they say OK [to deploying Web bugs], they have to also understand that there’s a requirement now to add something to their privacy policy about that Web beacon and what it’s doing.”

News Around the Web