6. The Privacy Challenge

Politicizing Internet Privacy

Elements of the marketing complex had been working for decades to legitimize and legalize commercial surveillance in many areas of social practice.4 When the web came along, the marketing complex shaped public policy to bring the development of the new interactive media into alignment with their business interests. There was precious little democratic debate over these issues. Privacy became one of the few entry points for organized civic participation in the broader commercialization of the internet. When DoubleClick and other ad networks began collecting web browsing data in 1996, they had the benefit of working under cover. Few people who used the web were aware of tracking technologies like HTTP cookies, and fewer still knew of their appropriation by digital advertising networks. There were no privacy policies or data disclosures of any significance; nor was there any legal expectation that companies would provide them. Web browsing software simply loaded cookies by default in a background process effectively hidden from users.

Public awareness of online data collection was stewarded in no small part by the efforts of a coalition of civil society groups that began to challenge surveillance advertising. Organizations including the Center for Media Education (CME), Electronic Privacy Information Center (EPIC), and Center for Democracy and Technology (CDT) formed what Colin Bennett calls a “privacy advocacy network” to generate publicity and policy proposals around internet privacy issues.5 CME was a tiny media reform organization whose mission was to “improve the quality of electronic media, especially on the behalf of children and families.”6 EPIC and CDT were privacy and civil liberties watchdogs, established to “focus public attention on emerging civil liberties issues” related to the internet. These groups took a leadership role in a broader advocacy network that worked against industry opposition to spur the federal government to act.7

The range of policy discussion during this period was largely confined to a neoliberal field that rarely questioned the validity of the market as the internet’s core organizing principle.8 Although public concern over internet data collection grew quickly, there were no mass protests or organized episodes of civil disobedience around these issues. Within these constraints, privacy activists practiced a form of Beltway activism that used the tools of mainstream politics and public opinion making. These included conducting research, writing reports, filing lawsuits, and bringing complaints to federal agencies like the Federal Trade Commission. Arguably, their most effective strategy was public relations. Privacy activists were quite successful in generating press coverage of their concerns and agenda, which helped force the first public conversation about internet privacy and data collection and prompted Congress to consider legislative action.

Founded by Kathryn Montgomery and Jeff Chester, CME was one of the first civil society organizations in the country to draw attention to internet privacy. Concerned about how data collection might affect children, CME began an investigation of the website Kids.com in 1995. The site was a popular destination for children, offering interactive games, sweepstakes, and contests. It was also a hidden surveillance operation. To access the site, users had to complete a lengthy registration questionnaire designed to capture personal information for marketing purposes. Children were asked to disclose their names, genders, media preferences, and even describe their “hopes and dreams” in order to populate profile databases that could be sold to marketers of cereal and soft drinks.9 These initial findings prompted CME to expand its study to include sites created by marketers such as Disney, Kellogg’s, and Pepsi. According to Chester, “children’s issues were a good starting point” for privacy activists because they were “harder to argue against” and presented better opportunities to attract much needed funding.10

As the CME worked on its investigation, journalists began to report on the use of cookies for online tracking. The San Jose Mercury News was among the first U.S. newspapers to break the story, running an article under the headline “Leading Web Browsers May Violate Privacy of Users’ Computers, Activities.”11 Continuing coverage by news organizations provided a publicity boost to privacy activists who were beginning to build more coherent advocacy networks around these issues.

The activists’ primary objective became persuading Congress to create “legally enforceable rights to information privacy.”12 Janlori Goldman of the CDT argued that information privacy should be treated as a basic right and that internet participation should not hinge on “trading your privacy for some kind of benefit.”13 EPIC made the case that consumers should have the option to retain total anonymity online while preserving the freedom to do what they wish, including engaging in business transactions.14 More generally, privacy activists criticized the lack of transparency in data collection practices, arguing that “average consumers did not know their activity was being tracked let alone how the information was being used.”15 They argued that consumers should be afforded access to and control over the information collected about them, including the right to opt out of data collection entirely.16

In the spring of 1996, CME released its findings in a report titled Web of Deception, which argued that marketers were invading children’s privacy through “solicitation of personal information, tracking of online computer use, and exploitation of vulnerable, young computer users through new unfair and deceptive forms of advertising.”17 CME called for an immediate end to the collection of children’s personal information and for clear separation between commercial messages and content directed to young audiences on the internet. The report generated stories in major newspapers at a time when there was little public knowledge about online marketing, let alone marketing geared to kids. Much of the prior attention given to children’s internet use was focused on “indecent” content.18 CME’s efforts helped place internet data collection on the civic advocacy agenda and initiated a public shaming of the companies involved. The negative publicity was enough that General Foods postponed the launch of its new website for children in order to steer clear of the news cycle.19

Looking to attract the attention of regulators in Washington, D.C., CME also filed a formal complaint against Kids.com with the Federal Trade Commission. The allegations in the complaint were not about data collection or privacy per se but rather that the site’s undisclosed surveillance constituted a deceptive business practice. Why not file a complaint about privacy directly? The simple answer is that the CME had no legal basis for doing so. Deceptive business practices fell under the jurisdiction of the FTC, but internet privacy did not. Nor did it fall under the purview of any federal agency, because the United States had no regulatory authority or legislative framework devoted to internet privacy issues. Kids.com and other companies were spying on children, but they were not breaking any internet privacy laws.

Apart from the Fourth Amendment’s restrictions on illegal search and seizure, the most significant U.S. privacy legislation is the Privacy Act of 1974, which created guidelines for federal agencies’ collection and use of personally identifiable information. Private sector entities are governed by a patchwork of narrower state and federal regulations that pertain to certain categories of information (e.g., educational or medical records) while leaving out others (e.g., behavioral profiling data). The general approach to privacy policy making in the United States has been “reactive rather than anticipatory, incremental rather than comprehensive, and fragmented rather than coherent,” argues Colin Bennett. “There may be a lot of laws, but there is not much protection.”20

Filling this void, the FTC became a somewhat misfit adjudicator of disputes between privacy activists and proponents of industry self-regulation. In June 1996, the FTC convened the first of what became a string of workshops at which a mix of industry, advocacy, and government representatives came together to discuss emerging issues in internet privacy.21 In alignment with President Clinton’s laissez-faire agenda for internet commercialization, the FTC adopted what the CME’s Kathryn Montgomery called a “softball approach to prodding industry” to take privacy matters into its own hands.22 In Generation Digital, Montgomery reports that the FTC chairman, Robert Pitofsky, opened the first privacy workshop by assuring the room that his agency was “not here to lay the groundwork for any government rules, guidelines, or otherwise.”23

Nevertheless, workshop participants spent some time outlining a set of fair information practices that centered on the principles of notice and choice.24 These guidelines drew on decades of precedent around intragovernmental privacy regulations.25 The basic premise was that companies should uniformly disclose their data practices so that consumers could make informed choices about how their information was collected and used. The question became, how should such principles be applied? Industry’s position was that fair information practices were best implemented through a system of self-regulation, voluntary guidelines, or accreditations that would ensure “consumer empowerment” while giving companies the freedom to innovate and drive economic growth. Civil liberties advocates argued that such a system would fail without a foundation of legally enforceable internet privacy rights.

The contours of the debate were summarized by an FTC staff report that recapped the 1996 workshop:

Industry representatives and trade associations took the position that it would be both inappropriate and counterproductive to mandate particular privacy protections. According to these participants, regulation would stifle the creativity and innovation that have marked the development of interactive media to date, could infringe important First Amendment rights, and might force marketers off the internet entirely. Government should step back, it was argued, and permit industry to develop privacy protection models. Privacy advocates argued that the technologies demonstrated during the Workshop are not a substitute for an enforceable code of fair information practices, and that they are not likely to flourish without government enforcement of privacy rights.26

In making these arguments, industry representatives drew from what Chris Hoofnagle has described as the “denialist deck of cards,” a series of “rhetorical techniques and predictable tactics” used by opponents of regulation to “erect barriers to debate and consideration of any type of reform, regardless of the facts.”27 Denialist talking points frame government action as not merely unnecessary but also as uniformly harmful to both social welfare and individual autonomy. Cycling through the rhetorical deck of cards, industry representatives argued that it was foolish to regulate the internet as it was still developing and that competition would naturally fix any problems that might arise. Trade association representatives claimed that the rapid advancement of internet technologies eliminated any need for privacy regulations.28 They contended that any company that failed to respect consumers’ privacy preferences would be punished by market forces. Others argued that government regulation was inherently harmful to innovation and risked slowing down the economy. As the president of the Direct Marketing Association put it, regulation would “easily disrupt the development of a very useful tool for consumers, and, indeed, a useful tool for business, which is going to have a significant impact on the United States and on global economies.”29

The FTC agreed with industry arguments that self-regulation was the best option to address privacy concerns and that the private sector simply needed more time to formulate self-regulatory mechanisms. One such measure was a proposed privacy seal program called TRUSTe, wherein participating sites would display privacy badges verified by a third-party accreditor to indicate their data collection practices. Microsoft, Netscape, and others signed on to support the creation of a different system called the Open Profiling Standard (OPS), a web browser technology meant to enable “users to give their consent before their personal information is handed off to a website.”30 The OPS idea was part of a wider proposal called the Platform for Privacy Preferences (P3P), backed by a large group of tech companies, including AOL and IBM. The creator of the web himself, Tim Berners-Lee, traveled to Washington, D.C., to showcase a prototype of the P3P technology. The Clinton administration installed an early version of the system on the White House website as a show of good faith.31 Still in a rough stage of development, the technology did not actually do much. But the message of political support was clear.

Despite the general disarray of industry self-regulation efforts, the FTC announced after a second round of workshops in 1997 that the commission would “give new industry initiatives more time to take effect.”32 The statement coincided with the Clinton administration’s release of its Framework for Global Electronic Commerce, which strongly articulated that the private sector would lead internet development—a process that was already well under way.

Spy Kids

The political winds began to shift when the FTC issued a ruling in support of CME’s complaint against Kids.com. The FTC found that the site’s data collection practices were deceptive, but it effectively dismissed the issue after the company pledged to disclose its surveillance practices in a privacy policy of some kind. The case highlighted what was becoming increasingly clear to observers: The internet advertising industry was not implementing meaningful self-regulation, even at the basic level of providing notice of data collection practices. In June 1998, the FTC released the results of an in-house study on the state of online privacy. Its examination of over 1,400 websites showed that while the majority (85 percent) of sites collected consumer information, few (14 percent) provided any notice whatsoever of such practices, and fewer still (2 percent) provided comprehensive privacy policies.33 About half of sites directed at children disclosed their data collection practices, though less than 10 percent provided means for parental control over the collection and use of information from children.

The FTC study revealed that while industry leaders had been publicly trumpeting their commitment to privacy, the majority of commercial websites continued to collect consumer data with little regard for privacy concerns. Reporting to Congress, the FTC explained that though it had encouraged industry to address privacy through self-regulation, “the vast majority of online businesses have yet to adopt even the most fundamental fair information practices.”34 Underlining this point, the FTC brought charges against the popular home page community GeoCities for “misrepresent[ing] the purposes for which it was collecting personal information from children and adults.”35 In other words, roughly two years after CME filed its initial complaint about Kids.com, GeoCities, one of the largest websites in the world, was caught doing the exact same thing: lying to its users about consumer surveillance.

In what became a milestone for privacy activists and a warning shot across the bow of industry, the FTC attenuated its support for self-regulation and recommended that Congress pursue legislation to facilitate parental control over the collection and use of children’s personal information online.36 Shortly thereafter, Congress began to look into children’s advertising and internet privacy more generally. Drawing on a staple argument from the denialist deck of cards, Advertising Age called proposed limits on children’s advertising “a chilly prospect for responsible marketers who value the ability to innovate and experiment in this medium, free of detailed do’s and don’ts,” and warned that such restrictions would “stifle promising experiments” in internet advertising.37

Meanwhile, high-level trade negotiations between the United States and the European Union introduced an important international dynamic that further bolstered the case for congressional action on children’s privacy. Although the White House officially supported industry self-regulation, a new E.U. data protection directive began to weigh heavily on the Clinton administration’s approach to domestic privacy policy. As privacy activists organized at home, the White House was negotiating with the E.U. over the harmonization of international standards for data collection and privacy protection. In 1995, the E.U. enacted a Data Protection Directive containing a series of regulatory measures set to take effect in October 1998. Among the directive’s stipulations were guidelines for E.U. member states that disallowed “data transfer” to countries that failed to provide an “adequate level of protection” for consumer information.38 As it stood, the freewheeling internet advertising sector in the United States was far from meeting these impending requirements.

Looming in the not so distant future, the E.U. directive posed a hazard to intercontinental trade, which put stress on the Clinton administration’s heretofore hands-off approach to advertising regulation. Specifically, the directive threatened to impede billions of dollars’ worth of trade involving “personal information,” a market that had long operated with few regulatory constraints.39 To deal with this problem, Clinton deployed the Department of Commerce and the FTC to steward the development of more robust industry self-regulation in order to appease E.U. officials concerned about U.S. data practices. The Clinton administration’s tentative support of legislation for children’s internet privacy amid their otherwise staunch defense of self-regulation seemed to be a political accommodation meant to deflate the pressure stemming from the E.U. trade talks. As Montgomery notes, “By focusing on children, the government was able to demonstrate that it was taking decisive action to protect online privacy, while also buying additional time for industry to get its act together.”40

Anticipating that Congress would not fully commit to legislation without buy-in from at least some of the powerful corporations in the children’s media sector, privacy activists astutely partnered with the National PTA and other children’s welfare groups to lobby Disney and other media companies directly.41 Shortly thereafter, many in the marketing complex decided to cut their losses and work to shape the law that was likely coming.

These developments enabled the bipartisan passage of the Children’s Online Privacy Protection Act (COPPA) in late 1998. The law created standards for the collection and use of children’s data to be enforced by the FTC, and specifically required that websites obtain parental consent before collecting personal information from children under the age of thirteen. However, the law’s opt-in provisions were undermined by vague language and poorly designed enforcement mechanisms. COPPA was a laudable activism effort but produced weak policy to support its stated goals of protecting children’s privacy, to say nothing of adults. Privacy activists who initially supported the legislation have since criticized its implementation. The CME’s Montgomery, who worked with the FTC to draft language for COPPA, has acknowledged that the bill contains loopholes and places an excessive burden on parents to maintain a haphazard system of privacy protection.42

Although the efficacy of COPPA’s privacy protections are questionable, the bill’s passage nevertheless produced a strong secondary effect of spurring the marketing complex to defensive action. Broader privacy legislation no longer seemed outside the realm of possibility. “It’s a massive mistake to ignore Washington,” said one industry consultant.43 Wary of congressional action, the marketing complex began to view the threat of formal privacy rules as “a top barrier to the continued growth of e-commerce.”44 Companies and trade associations formed new partnerships to coordinate self-regulatory efforts and lobby government officials. Among the most prominent was the Online Privacy Alliance (OPA), a coalition of eighty-six organizations formed with the express purpose of securing industry self-regulation on internet data issues. The OPA’s membership extended beyond the internet advertising industry proper to include the marketing complex at large. Reproducing its member list in full illustrates the breadth of companies and trade associations that found cause to rally around unrestrained internet data collection:45

• 3Com
• Acxiom
• AdForce
• America Online
• American Advertising Federation
• American Electronics Association
• American Institute of Certified Public Accountants
• Ameritech
• Apple Computer
• Association of Online Professionals
• AT&T
• Bank of America
• Bell Atlantic
• Bell South
• Business Software Alliance
• Coalition for Advertising Supported Information and Entertainment (CASIE)
• Centraal Corporation
• Cisco
• CommTouch Software
• Compaq
• Computer Systems Policy Project
• Council of Growing Companies
• Dell
• Direct Marketing Association
• Disney
• DoubleClick Inc.
• Dun & Bradstreet
• Eastman Kodak
• eBay
• EDS
• EDventure Holdings
• E-LOAN
• Engage Technologies (CMGI)
• Equifax
• Ernst and Young
• European-American Business Council
• Experian
• Fast Forward/Interactive Advertising Bureau
• Ford
• Gateway
• GeoCities
• Hewlett-Packard
• IBM
• Individual Reference Services Group
• Information Technology Association of America
• Information Technology Industry Council
• INSUREtrust.com
• InsWeb Corporation
• Intel
• Interactive Digital Software Association
• Interactive Travel Services Association
• Internet Alliance
• Intuit
• KPMG
• Lexis-Nexis
• MatchLogic
• MCI WorldCom
• Microsoft
• MindSpring Enterprises Inc.
• Motion Picture Association of America
• National Foundation for Consumer Credit
• NCR
• Nestlé
• Netscape
• NORTEL
• Northpole.com
• Novell
• Oracle
• Preview Travel
• PricewaterhouseCoopers
• PrivaSeek
• Procter & Gamble
• Rights Exchange
• Software & Information Industry Association
• Sun Microsystems
• Time Warner
• Unilever
• The United States Chamber of Commerce
• The United States Council for International Business
• Viacom
• ViewCall Canada
• Virtual Vineyards
• WebConnect
• Women.com Networks
• Xerox
• Yahoo

The OPA achieved some success in propagating basic privacy disclosures among major websites and ad platforms. It helped that OPA members Microsoft and IBM, each among the net’s largest advertisers, announced they would no longer advertise on any site that failed to give notice of data collection practices. Along these lines, the Direct Marketing Association instituted a rule requiring its members to create privacy policies.46 Microsoft even developed a web-based “privacy wizard” tool to autogenerate privacy policies for website administrators. As a result of these nudges, more publishers and marketers began to disclose their data collection practices for the first time, but such information was often hard to find and written in impenetrable jargon. As one former FTC commissioner noted, “As a general rule, privacy policies are confusing, perhaps deliberately so.”47 Thus the internet privacy policy was born—not as a means to empower consumers but as a coordinated attempt to deflect the threat of enforceable data collection regulations.

Internet advertising companies, heretofore underrepresented in Washington, formed a trade association of their own called the Networking Advertising Initiative (NAI). Members included leading ad networks DoubleClick, 24/7 Media, and CMGI. The NAI intended to formalize a universal opt-out mechanism, whereby consumers could choose to withdraw from commercial data collection systems.48 Together with the OPA, the NAI became a fixture among the private sector coalition dedicated to keeping substantive privacy legislation at bay.

Worlds Collide

The years of privacy activism leading up to the passage of COPPA produced a political struggle that tested the Clinton administration’s commitment to self-regulation. COPPA seemed to put a stalemate in place, as did the Commerce Department’s ongoing negotiations to carve out a “safe harbor” agreement to exempt U.S. companies from E.U. data oversight.49 Then DoubleClick, hot off its recent IPO, announced its intention to merge with the data broker Abacus Direct. The deal was singularly important in that it represented the most sweeping attempt to date to link online profile information with personally identifiable information culled from everyday off-line consumption. Privacy activists were stridently opposed to merging online and off-line data and organized a campaign to block the merger.50 Their efforts reinvigorated the privacy debate after COPPA and prompted a formal FTC investigation into DoubleClick’s data collection practices. By generating news coverage, activists raised surveillance advertising to a new level of publicity and helped to clarify the limits of self-regulation, especially around the lack of enforcement mechanisms to ensure that companies actually followed their own privacy guidelines.

Already among the largest internet advertising platforms, DoubleClick was leveraging dot-com bubble finance capital for rapid expansion. Abacus, which maintained records on the spending habits of some 90 percent of U.S. households, was an attractive prospect for acquisition.51 Although DoubleClick’s 120 million consumer profiles were ostensibly anonymous, Abacus’ 88 million profiles contained personally identifiable information such as names and addresses. As the Wall Street Journal explained: “If you’ve bought anything from a large department store or a catalog lately, Abacus probably has your name and address, what you bought, and how much you spent.”52 With the two of these data troves combined, DoubleClick would possess incredibly granular information about consumer behavior, both online and off.

Beyond the sheer magnitude of the data stockpile that would result from the merger, privacy activists presciently worried that DoubleClick’s move to combine anonymous online data with identifiable off-line data would become standard industry practice. Representatives from a collation of advocacy groups including CME, EPIC, and Junk Busters wrote an open letter to DoubleClick and Abacus executives, copying key members of Congress from both parties. The letter argued that the merger would “fundamentally change the internet from an anonymous space to one where consumers are silently identified.”53 Activists made similar pleas to the companies’ shareholders and encouraged them to vote the merger down. DoubleClick responded by saying that not only was it against company policy to merge such information but also it was technically impossible to do so.54 The technical anonymity of consumer profiles had become a standard rhetorical shield used by online data gatherers to deflect privacy-related criticism. As DoubleClick CEO Kevin O’Connor liked to say, “We can’t invade anyone’s privacy because we don’t know who you are.”55

Despite privacy advocates’ efforts to discredit the merger, Wall Street loved the idea. Both companies’ stock prices rose on news of the deal, which was successfully completed in late November 1999. The dot-com bubble was in a full-blown frenzy at this point, spiking DoubleClick’s market capitalization to nearly $9 billion. A few months later, privacy activists’ fears were validated as DoubleClick quietly modified its privacy policy, removing its pledge to keep consumer profiles anonymous. The change indirectly revealed DoubleClick’s plans to merge Abacus’ data with its own in order to build profiles that would include “name and address; retail, catalog and online purchase history; and demographic data.”56

Press investigations indicated that DoubleClick had in fact begun working to combine the data almost immediately after the merger was finalized, a feat company executives had previously described as impossible.57 Highlighting the limits of trade association-led self-regulation, DoubleClick and Abacus were both members of the OPA and Direct Marketing Association, organizations that nominally opposed such practices. Privacy activists filed a complaint with the FTC alleging that DoubleClick’s merger of the online and off-line databases would violate prior assurances of anonymity and therefore constituted a deceptive business practice. As in previous FTC investigations, the complaint did not involve the legality of data collection or merging because there were no laws regulating those activities. Activists also organized a public letter-writing campaign to oppose the data merging. The CDT created an email application that enabled individuals to send complaints to DoubleClick and its business partners. Within three weeks, some 25,000 people had sent messages to DoubleClick, while “several thousand” had written to its marketer and publisher clients.58

The public relations fallout proved substantial. The Washington Post called DoubleClick “one of the most vilified companies in the online world,” and USA Today reported that it had become “the media’s poster boy for bad behavior on the web.”59 Responding to EPIC’s complaint, the FTC opened a formal investigation into the matter, while a number of states’ attorneys general initiated inquiries of their own.60 Additionally, DoubleClick had been implicated in several civil lawsuits over its data collection practices.61 Perhaps most damaging was the slippage of the company’s stock price in a financial market that had already begun to show signs of impending collapse.62

At first DoubleClick dug in its heels, hiring a former congressional staffer as its new director of public policy and government affairs—that is, its “lead lobbyist.”63 The company also stepped up its own public relations efforts, announcing a consumer education campaign that included full-page advertisements in the New York Times, as well as 50 million banner impressions directing internet users to a newly created website, PrivacyChoices.org.64 DoubleClick attempted to qualify the scope of its data collection, saying it did not use “highly sensitive information for profiling such as health information, detailed financial information, information of a sexual nature, and information on children.”65 It also maintained that it would “not link personally identifiable information about a user to online behavior without first giving that user notice and the choice not to participate.”66

The rhetoric of notice and choice—of consumer empowerment—was a familiar refrain among defenders of online profiling. But in practice, DoubleClick’s implementation of these ideals was far less empowering than the company claimed. DoubleClick’s default practice was to link online profile data with off-line personally identifiable information whenever possible.67 Further, DoubleClick essentially off-loaded the burden of disclosing its data collection practices to its massive network of publisher and marketer affiliates and clients. As a company executive explained, “Any site that we work with that provides us with personally identifiable information . . . must provide the user with the notice and choice.”68 The problem was that DoubleClick did not actually hold its network partners accountable for following its guidelines. As EPIC noted in its FTC complaint, AltaVista (DoubleClick’s largest client) obliquely disclosed passing information to third parties but made no specific mention of DoubleClick. Most web users were unaware that by “surfing the site of one of its affiliates, they had entered into an agreement to provide DoubleClick with their personal data.”69 Jason Catlett of the advocacy organization Junk Busters summarized the situation like this: “Thousands of sites are ratting on you, so as soon as one gives you away, you’re exposed on all of them. If you don’t like Yahoo’s privacy policy, you don’t have to use its site. But it’s very difficult for consumers to avoid DoubleClick because most don’t know when it is collecting information.”70

DoubleClick made much of the fact that it provided an opt-out tool on its own website, noting that 50,000 people had elected to opt out of its tracking system.71 Again, the catch was that the average web user was unaware of DoubleClick’s existence, let alone its opt-out mechanism. As a third-party ad platform, DoubleClick’s sprawling internet presence was largely behind the scenes. The company’s access to consumers was mediated through web publishers and marketers, who were then responsible for disclosing DoubleClick’s data practices. Fifty thousand people may have opted out of DoubleClick’s profiling apparatus, but the company maintained a database of 120 million behavioral profiles.72 The opt-outs were a drop in an ocean of surveillance.

A turning point came in March 2000, just as the dot-com bubble began to burst. DoubleClick had been battered in the media for months, and its stock price was falling fast.73 Throwing a white flag, the company announced it would suspend its data merging program. CEO Kevin O’Connor left his position, saying that the plan to combine online and off-line data was a mistake “in the absence of government and industry standards.”74 The conflict surrounding the DoubleClick/Abacus merger subjected the growing surveillance advertising industry to its first bout of public scrutiny and forced one of its most powerful companies to halt its plans for expansion. Privacy activists had momentum, but the marketing complex was now on red alert.

Rich Lobby, Poor Regulation

A few months after DoubleClick walked back its data merging program, privacy activists achieved what appeared to be yet another important victory. After four years of waiting for industry to implement self-regulatory privacy protections on its own accord, the Federal Trade Commission reversed its opposition to federal privacy legislation. Frustrated by industry inaction and spurred on by activists, the commissioners recommended in a 3–2 vote that Congress “enact legislation that, in conjunction with continuing self-regulatory programs, will ensure adequate protection of consumer privacy online.”75 True to form, Chairman Pitofsky tempered the recommendation with a caveat that self-regulation had not failed entirely, “but in certain respects, it looks as if self-regulation would be more successful if there was some backup legislation.”76

Due in no small part to the actions of activists, online privacy issues had “gone off the Richter scale in terms of public sensitivity.”77 One survey of internet users found that 87 percent of respondents were “somewhat or very concerned about threats to their privacy online.”78 With elections looming, the White House and both parties in Congress increased their focus on internet data collection. House Democrats convened a privacy task force, while the Senate created a bipartisan congressional privacy caucus.79 “This year’s campaign slogan could be: It’s online privacy, stupid,” wrote BusinessWeek.80 Suddenly, legislators seemed eager to at least appear to be interested in getting a privacy law on the books. According to one account, “More than one hundred privacy bills had been introduced in the legislatures of 41 states.”81 At the national level, Congress held committee hearings on the subject, and several members began working on federal privacy bills.

Most congressional proposals hewed closely to the FTC’s long-standing recommendations around the fair information practices of notice and choice. For example, Senator John McCain of Arizona introduced a bill that required companies to provide “conspicuous notice” of their data practices.82 But other lawmakers went beyond the notice and choice framework. Democrats in both houses introduced plans containing a particular measure that some privacy activists had been requesting for years, but that industry universally reviled: an opt-in mandate for personal data collection. As summarized by the Wall Street Journal: “Beneath all the fuss about cookies and databases, the debate about internet privacy comes down to two very different approaches. In privacy jargon, the first is known as opt-in. Marketers agree not to collect or use personal data unless you affirm that you want to participate in their programs. Opt-out takes the opposite tack, assuming you want to participate unless the site hears otherwise.”83

Most legislative proposals such as Senator McCain’s were opt out. They required companies to post privacy policies but left data collection as the default practice from which consumers could opt out. The opposite was true for the Consumer Privacy Protection Act proposed by Senator Fritz Hollings of South Carolina.84 This act was one of several opt-in bills that would have required all websites and ad platforms to obtain “affirmative consent in advance from consumers” before personal data could be collected or shared.85 “Any bill that does not have the opt-in is just whistling Dixie,” said Hollings at a committee hearing.86 Though limited to data categorized as “personally identifying,” these opt-in proposals nevertheless represented a significant legal challenge to the surveillance advertising status quo.

As Congress considered these opposing approaches, the New York Times reported of a “nervousness among internet marketers about the public relations and regulatory minefields” that lay ahead.87 Marketers and ad platforms understood that a requirement to obtain affirmative consent in advance of data collection would severely impede the surveillance advertising economy they had been building, which relied on hidden data collection as the default setting. Shuffling again through the denialist deck of cards, industry groups foretold of apocalyptic consequences for economic growth and technological innovation should an opt-in framework be adopted. According to the Association of National Advertisers, “The whole question of target marketing [was] at risk.”88 Trade press editorial pages featured vitriolic defenses of data collection that accused privacy activists and government regulators of neo-Luddism. As Thornton May, a consultant and “corporate futurist,” wrote in Advertising Age:

Congratulations, interactive marketers: You have been anointed the new villains of the digital age. Like the chemical polluters of the 1960s, the napalm makers of the ’70s, the oil companies of the ’80s, and the HMOs of the ’90s, interactive marketers are on the cusp of some very bad press. . . . These cyber-left-behinds, data privacy tree-huggers, and self-appointed guardians of digital rights for the bit-challenged, privacy-violated hoi polloi have targeted interactive marketers as the “digital satans” of the wired world. Privacy is their rallying cry. . . . Unless you mobilize a counteroffensive today . . . we will be forever branded the bad boys on the digital block.89

Mr. May was preaching to the choir. The marketing complex needed no convincing to ratchet up its lobbying and public relations efforts. The most powerful internet companies, including DoubleClick, Amazon, eBay, Yahoo, and Excite, “planted their corporate flags in the nation’s capital,” establishing “government affairs” offices to coordinate a unified industry response.90 As one government relations practitioner noted, “Washington is no longer this great East Coast bogeyman, a place where you can trot out your CEO once or twice a year. Internet companies must include a policy component in their business model.”91 “If the industry moves aggressively,” said an executive at CMGI’s Engage, “there is still a shot to forestall legislation.”92

DoubleClick hired New York City’s former consumer affairs commissioner to serve in a newly created chief privacy officer role and assembled an external advisory board led by a former New York attorney general to consult on privacy issues.93 Other internet marketers followed suit. Whatever their operative functions, the creation of these positions were highly symbolic, “as indicated by the fact that they worked more closely with internal marketing and public relations departments than management and operations.”94 Separately, trade groups floated the idea of launching a $25 million strategic communications campaign to pacify the public on privacy issues.95 As critical scholars including Inger Stole and Molly Niesen have shown, public relations efforts such as these have a long history in media policy.96 In this instance, aggressive industry campaigning simply overwhelmed the meager resources available to privacy activists.

In a classic example of Washington’s revolving door, OPA hired as its director Christine Varney, a former FTC commissioner involved in the agency’s early examinations of online privacy.97 Under Varney’s leadership, the OPA became a powerful voice for framing privacy self-regulation in terms of consumer empowerment. Varney testified twice on behalf of the OPA at congressional hearings, advancing a position that was uniformly against legislative action, opposed to giving the FTC increased authority to police privacy violations, and in full support of industry self-regulation.98 The following quote from Varney’s testimony before the Senate Committee on Commerce, Science, and Transportation in May 2000 is exemplary of broader industry arguments:

What we do not need are sweeping regulations governing the collection and use of data [or] the conditions and methods under which that data use can be consented to . . . Whatever solutions Congress, industry, and consumers come to that will make privacy choices on the internet ubiquitous, the solutions must be technology neutral, market driven, and hospitable to the online [business] environment.99

Congress held no fewer than ten hearings on online privacy issues between 1998 and 2000. Responding to public concern and privacy activism, legislators introduced dozens of bills containing varying degrees of consumer data protections. Nevertheless, the only bill to make it out of committee, let alone be passed into law, was the Children’s Online Privacy Protection Act (COPPA). The marketing complex was successful not only in defeating opt-in measures but also in preventing any privacy legislation outside of the narrowly targeted COPPA. Despite widespread public support for online privacy, federal legislation remained, as one observer noted, “a political football.”100 As Chris Hoofnagle notes, privacy activists waged an “uphill battle, as it is easier to defeat legislation than pass it.”101

Facing an industry lobbying counteroffensive, legislation that contained opt-in provisions proved too far outside the neoliberal political consensus. Beyond the fact that, as White House advisor Ira Magaziner put it, “it is hard to underestimate the power of some of the groups who were lobbying for opt-out,” the U.S. economy had been overtaken by the dot-com financial bubble.102 Actions that were perceived as threats to economic growth, even if dubiously constructed as such, were seen as politically untenable. Privacy activists were not just fighting against DoubleClick and other surveillance advertisers but also their clients and customers—effectively the full force of business enterprise. Moreover, both houses of Congress were controlled by the Republican Party, which was on the whole even more supportive of government deregulation and laissez-faire policies than neoliberal Democrats. As one journalist put it, “If you believe these [privacy] bills will pass, I have a can’t-miss dot-com to sell you.”103

By 2001, the issue of internet privacy had been substantively dropped by all branches of federal government. After George W. Bush’s contested presidential victory in 2000, the already limited political capital of privacy activists dried up completely. The FTC abandoned its investigation into DoubleClick’s data collection practices without saying whether or not deception or other violations had occurred. Many of the civil suits against the company were dropped as well. The “internet privacy debate is dead,” declared InternetWeek.104

Privacy activists achieved certain successes, including stewarding the passage of the COPPA, pressuring DoubleClick to halt its plans to merge online and off-line data, and laboriously convincing the Federal Trade Commission to switch its stance from supporting industry self-regulation to recommending federal privacy legislation. Yet despite these victories, the marketing complex won the war. COPPA’s passage was significant because it was the country’s first internet privacy law, but its protections were limited. The DoubleClick/Abacus merger was completed as intended, expanding the company’s market power and profiling capacities. Its plan to merge online and off-line data was postponed, but not for long. Most importantly, Congress never acted on the recommendations from activists and the FTC for federal internet privacy legislation, a “negative policy” silence that served as continuing support for a deeply flawed regime of industry self-regulation.105

In the absence of government privacy guidelines, commercial entities remained free to conduct surreptitious consumer surveillance on an increasing scale. Under the auspices of industry self-regulation, the “fair information principles” of notice and choice were implemented in such a way that they served the exact opposite purposes for which they were designed. As Joseph Turow argues, rather than providing genuine notice, privacy policies “let users know as little as possible about data collection activities, in as polite but complex a fashion as possible so that they wouldn’t understand what was going on but could feel good about them.”106

As I have argued in this book, disparate actors within the marketing complex broadly conceived came together to construct an advertising-supported internet. Smaller rivalries aside, these companies had a shared interest in creating the largest possible social canvas for surveillance advertising and sought to shape the development of the new internet medium accordingly. Activists’ calls to rein in data collection obstructed these goals and needed to be neutralized. It was essential that unrestrained data collection be encoded into the legal structure of the developing internet, no matter that a growing number of people thought that they needed more—not less—privacy online.

The disappointing outcome of the privacy activists’ challenge to surveillance advertising in the late 1990s reflected the extent to which the range of political debate had already been circumscribed in the preceding years. Discussion was largely restricted to issues of transparency, narrow notions of user empowerment, and the specific character of the data being collected. The controversy at the heart of the DoubleClick/Abacus merger was whether companies could combine anonymous online profile data with personally identifiable information obtained from off-line sources. These are legitimate issues, but they sidestep more foundational questions about the costs and benefits of pervasive internet surveillance. To what extent should companies be permitted to monitor people’s behavior? What are the social costs of unrestrained surveillance? Who benefits from this system and who is harmed? To a significant degree, fundamental structural questions like these had already been pushed aside when the Clinton administration and lawmakers hitched their political wagons to unfettered internet commercialization at the beginning of the decade. From this baseline, the U.S. government approached privacy not as a public policy goal in its own right but as a means to an end. The real privacy policy objective was normalizing surveillance, making it palatable enough so that the internet’s commercialization could proceed unabated. Mission accomplished.