Ads With Eyes
February 2nd, 2009 by Harley Geiger
Digital advertising displays with the ability to collect information about consumers are proliferating in stores, airports and public places. It is time for the companies involved to pay attention to privacy.
The digital signage industry is aggressively pushing for ways to track consumers. By using facial recognition cameras and other devices, the industry seeks to measure viewership and to tailor ad content to consumers’ profiles. Tens of millions of people have already been exposed. But in its eagerness to learn about its audience, the digital signage industry is deploying invasive technologies without adequate privacy protections. Only a few of the companies even have published privacy policies and those that exist are pretty bare-bones. Currently, none of the digital signage trade associations has published privacy policies related to tracking technology.
(What is digital signage? Please see my earlier post, Digital Wallpaper.)
Digital signage companies are tracking consumers in a number of ways. The most common method may be itsy-bitsy cameras hidden in the signs that record the age, race, and gender of passersby. Other companies use Bluetooth or radio frequency identification (RFID) tags. Some are also using consumers’ mobile phones to trigger ads; the signage system can then deliver coupons to the phones. All of these technologies have the potential to identify individual consumers and gather personal data about them, without giving consumers any choice in the matter.
To their credit, some digital signage firms have privacy policies published on their websites, such as TruMedia and Quividi. According to their policies, these companies do not personally identify shoppers or store any of the images they pick up through their facial recognition cameras. It is worth noting, though, that Quividi’s demo video clearly features stored images of shoppers.
Most other digital signage firms currently say nothing about consumer privacy or what they do with the data they collect. One such example is Studio IMC, whose signs hang in Times Square and are equipped with facial recognition cameras. Another example is BlueFire Digital, which combines digital signage with Bluetooth and mobile marketing, but has no publicly available privacy policy.
Likewise, the digital signage trade associations, like OVAB, DSA, and POPAI, tout the usefulness of such tracking technology because it has the potential to increase the industry’s profits. But none of the associations currently appear to recommend privacy safeguards to vendors that track consumers.
That should change. Digital signage firms should adopt and publish privacy policies based on Fair Information Practices that specify what information they collect, on whom, and to what uses it is put. The policies should be updated whenever a firm’s practices change. The policies should also include provisions that allow consumers to opt-in to digital signage marketing that uses the more intrusive tracking methods, such as mobile phones and RFID.
But a privacy policy alone is not enough if consumers don’t know what a particular digital sign is doing. Consumers ought to be notified when billboards and signs are recording information or images about them. Digital signage vendors should include a notice on signs equipped with tracking technology, such as “Audience reaction is being recorded by TruMedia.â€?
Part of the reason why there are no privacy standards for digital signage is because the U.S., unlike many other nations, has no general consumer privacy law. Instead, our legal system has been dealing with privacy sector-by-sector, technology-by-technology. That may change this year if Congress heeds CDT’s call for comprehensive baseline federal privacy legislation.
However, just because there is no law on the books doesn’t mean that the digital signage industry can ignore privacy. Sooner or later, legislators will awaken to the issues posed by digital signage. Without delay, the industry should commit to responsible stewardship of consumers’ information. It will be less difficult and expensive to build in privacy protections now than in the future, after companies are heavily invested in the systems and ubiquitous intrusive marketing provokes a consumer backlash. Now is the time for digital signage firms and trade associations to develop privacy standards.
This entry was posted on Monday, February 2nd, 2009 at 6:04 pm and is filed under CDT, Consumer Privacy. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
February 4th, 2009 at 5:55 pm
Harley,
Great Article! I completely expect to see this as a US Federal Trade Commission issue shortly. They attack companies for privacy agreement violations under deceptive trade practices, recently announced Digital Rights Management interest, and are rumored to begin examination of End User License Agreements, those pesky things you click on when you install software.
As you pointed out, the US takes an industry by industry approach to privacy. The EU is probably the largest “nation” that sees a citizen’s privacy as a fundamental right – however, even one of our European correspondents believe privacy rights are eroding (http://blog.cippguide.org/2008/10/30/thoughts-about-ip/).
For people interested in a more in-depth treatment of the sectoral privacy policies of the US (such as HIPPA, GLBA, SOX, etc..), the Congressionally assigned duties of the FTC and the alternate tact of privacy as a fundamental right, please take a look at the International Association of Privacy Professionals and their Certified Information Privacy Professional product.
Best of luck, and keep up the education!
JC
February 5th, 2009 at 2:43 pm
One of the big problems I find with privacy is few people understand it. Many people think if a website has a privacy policy, that site will keep their information private – and thus they almost never read the policy. Recent studies show people will give out information for small gifts like a pen or even nothing at all. Privacy itself is misunderstood by the public.
http://www.theregister.co.uk/2003/04/18/office_workers_give_away_passwords/
http://www.tgdaily.com/content/view/21550/118/
February 9th, 2009 at 11:42 am
Hello and thanks for the comments.
Michael, I completely agree with you that too many people equate the mere existence of a privacy statement with strong privacy practices.
Unfortunately, the purposefully dense language of privacy policies exacerbates apathy and remains inaccessible to the most vulnerable consumers.
While I am a big fan of privacy education and consumer literacy, I believe such efforts will only do so much.
This is actually one of the most difficult problems with privacy protection regimes based solely on consumer notice and consent.
Such issues illustrate the need for comprehensive consumer privacy legislation — so that strong safeguards will apply regardless of whether consumers read the privacy statements.
But either way, you’re right, consumers should still examine such policies before submitting sensitive information.
Even if consumers don’t read them, however, it is definitely worthwhile for companies to develop and publish privacy policies.
Some people will read and analyze them, including consumer protection and education groups like CDT.
Companies are also required to adhere to their published policies under Section 5 of the FTC Act.
Most importantly, publishing a strong privacy policy would demonstrate a commitment on behalf of the company to the safekeeping of sensitive information.
Part of the point of such a policy is to spur companies to develop safeguards that reduce the risk of a data breach.
In the case of digital signage privacy, demonstrating this commitment will become increasingly important as the industry seeks to proliferate digital signs with tracking technology.
Without such a commitment, the industry will find it more difficult to gain public acceptance, which ultimately will reflect poorly upon the advertisers themselves.
While publishing a privacy statement is not the same thing as maintaining strong privacy practices, it is a crucial first step.
Thanks for the comments, Michael and Jon-Michael!
Sincerely,
Harley Lorenz Geiger
CDT
June 19th, 2009 at 12:48 pm
GREAT post. I could not agree more. I wrote about this in my student note and have blogged on the origins of billboards with eyes (and ears) over at the Stanford Center for Internet and Society. So glad that CDT is taking on this important dimension to outdoor advertising and would love to be a part of the dialogue.
http://cyberlaw.stanford.edu/node/5775 (Coming Soon: Smell, Touch, and Dead People)
http://cyberlaw.stanford.edu/node/6144 (The True Danger of the Internet: What Occurs To Us)
July 15th, 2009 at 1:53 pm
[...] long this information is stored and what is done with it after ads are targeted and aired. CDT has written before about the privacy concerns associated with these new technologies and how such devices have [...]