Suit: McDonald's, Microsoft, CBS mine data from web ads


A class action suit filed in NY Federal Court says the three companies have used their Internet ads as a cover for data-mining, to identify the websites people visit, invading people’s privacy, misappropriating their personal info and interfering with the operations of their computers. Lead plaintiff Sonal Bose, of NYC, included unknown “does” 1-50 as defendants. Bose says they acted in concert with Interclick, company that specializes in behavior advertising, tracking  individual consumers to collect info about their web-browsing activities, which it compiled in individual profiles and analysis to determine which ads to display to which consumers. Interclick was not named as a defendant.

Many websites work with third-party ad networks, which collect information about a person or an IP address from numerous websites, create a profile and target ads based on that profile. The suit says Interclick continually updates its database of consumer profiles with information acquired from and about consumers in its online advertising campaigns, “mining consumers’ web browser histories for entries of particular relevance to defendants’ respective, customized advertising campaigns,” the complaint states.

She claims McDonald’s committed its offenses, including violations of computer privacy laws, through its online World Cup-theme game in the summer of 2010. She said CBS did it in an online ad campaign for its “online fantasy sports platform” before the 2010 Major League Baseball season began; Mazda did it in ads for its summer sales and 2010 models, and Microsoft did it during a 7-month ad campaign for its Windows Smartphone, according to the complaint.

“Interclick augmented its profile database with individual-level information it acquired from defendants in the process of optimizing and measuring the success of advertising campaigns. For example, defendants and Interclick cooperated to identify [which] consumers are ‘hand raisers’ who clicked on an advertisement to visit the advertiser’s website, register to enter the advertisers’ sweepstakes or play online games, or make purchases.

“Interclick’s profiles are stored and analyzed in a data warehouse designed to allow Interclick to mine and correlate the large volumes of highly granular consumers data it acquires.”

Now Interclick’s privacy policy states to the contrary: “Interclick is dedicated to ensuring a relevant advertising experience for all users while adhering to the most stringent privacy requirements. We are committed to openly communicating our privacy policies and educating users on the fundamentals of targeted online advertising. To that end, we have a number of privacy policies and controls in place. Interclick assures consumer privacy, notice and control with the following policies and procedures:

•Never collects nor receives personally identifiable information
•We provide consumer opt-out, allowing consumers to opt-out of all interclick data use
•We only use standard browser cookies to store information – no Flash cookies or other Locally Stored Objects (LSO) used.
•We adhere to stringent industry standards as a member of the NAI since 2008.
restriction on data collection and use
•All anonymous user level data erased after 90 days
•No Personally Identifiable Information is ever collected”

The suit claims Interclick has “maintained consumer profiles since June 2007,” and that it “significantly increased its data warehousing and analysis capabilities in early 2010. Interclick has stated that it ‘organizes and valuates billions of data points daily to construct the most responsive digital audiences for major digital marketers.'”

It also claims that the defendants and Interclick “used browser history sniffing to identify defendants’ competitors with whom consumers communicated,” and that “all the consumer information Interclick acquired while executing an ad campaign for any one defendant was merged into Interclick’s consumer profile database and subsequently used for behavioral targeting on behalf of all defendants.”

The whole issue could be in the crosshairs of the next Congress: The House Energy and Commerce committee is home to a privacy bill introduced earlier this year, and to lawmakers an interest in online behavioral advertising and related online privacy issues including do-not-track.

The Internet Advertising Bureau (IAB) guidelines in place include wording such as:
All companies that gather and store information for interactive advertising purposes should explain their practices in a consumer-friendly manner…In the online environment, consumers visiting a particular Web site should be provided meaningful notice of the types of individual information collected for interactive advertising purposes, the technologies employed to collect such information, and how such information is used, including that other companies operate on the site and may collect such information…Consumers should be given information about the choices they have concerning the collection and use of information for interactive advertising purposes. Businesses collecting or using information about individual consumers for interactive advertising purposes should provide choice, where appropriate, to that individual. Consumers also should receive relevant education regarding cross-industry opportunities to opt out of the collection or use of individual information or other methods to exercise choice…Any company that maintains information for purposes of interactive advertising should provide reasonable security for that data. Such protections should be based on the sensitivity of the data, the nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company. Companies should require that business partners who collect or use such data on the company’s behalf also adopt appropriate information security procedures.”

Bose seeks statutory and class damages for computer fraud and abuse, violations of the Electronic Communications Privacy Act, violations of state business law, trespass to personal property, breach of implied contract, and tortious interference with contract.

The suit also wants all its personal data collected in this way deleted, wants the defendants enjoined from doing it again, disgorgement of ill-gotten gains, and notice and a choice about whether they want their data mined. It is represented by David Stampley with KamberLaw, reported Courthouse News Service.

RBR-TVBR observation: This is done pretty much everywhere, from dozens of companies when you go to a website. As we noted, there are some industry privacy guidelines in place, via orgs like the IAB. These guidelines are set to help avoid government intervention from agencies like the FTC. The gray zone is the level of how individual the level of data is mined and wheter or not the consumer is informed of how the data will be used. Every time you visit a website, cookies provide internet software loads of info about you. The only thing we see here as an issue is precedent. If the case winds up against Mickey D’s, CBS and Microsoft, it could change a lot of things.