Tech companies have built businesses around offering users “free” services in exchange for collecting extensive user data that they then monetize, primarily through behavioral advertising. Users do not pay a monetary fee for using these services, but this expansive data collection comes with privacy intrusions. This business model may increase efficiency and profit, but the perils of behavioral advertising are obvious and commonplace: Users are paying with their privacy.

Federal privacy legislation could disrupt these privacy-intrusive business models and incentivize companies to come up with new models that protect and respect users’ privacy. Efforts to pass this type of legislation began in the wake of several privacy scandals, as policymakers realized how individuals can be harmed by behavioral advertising and other problematic data practices. As the ongoing debate highlights, legislation could effectively outlaw certain revenue sources by banning online behavioral advertising or precluding companies from charging users for exercising their right to privacy.

Behavioral advertising is one of the most dominant online business models, and it has enabled a new mode of online marketing that capitalizes on data to target ads toward users in unprecedented ways. While the behavioral advertising business model provides some benefits, it also encourages extensive and intrusive data collection that threatens privacy.

Although consumers do not pay any monetary fees, ad-supported products and services are not free. Behaviorally targeted advertising relies on non-consensual data collection at a massive scale, which requires users to pay with their privacy. Individuals face further harm from potential data breaches, unanticipated secondary uses of their data, and an increase in behaviorally targeted advertising that users find “creepy” and “annoying.”

For many years, online businesses have largely operated under the assumption that the behavioral advertising business model is superior to the contextual advertising business model, but this belief is not necessarily true. Privacy-protective online business models exist, allowing companies to make a profit without monetizing user data to sell targeted ads. Contextual advertising business models—in which ads are served solely based on a website’s content rather than detailed behavioral profiles of individual users—are profitable. Further, if legislation were to curtail behavioral advertising, it could spur the development of privacy-protecting business models, including those based on contextual advertising.

On the other hand, privacy legislation with laborious compliance requirements could hurt online businesses that lack relevant expertise and adequate resources. This consideration is not to suggest, however, that small businesses should be exempt from privacy protections—small businesses can intrude on privacy just as much as large companies can. The key variable is not the size of the business, but the amount of personal data the business collects and how it uses that data.

Further, legislation can prevent companies from charging users a higher price to protect their privacy, which is not strictly a good or bad policy. Privacy should not be a luxury good, but prohibiting companies from charging a subscription fee when a user opts out of behavioral advertising could theoretically hinder a company’s viability. Additionally, any legislation with pay-for-privacy protections will have to address enforcement issues, particularly those presented by the existing language in the California Consumer Protection Act.

The issues discussed in this report do not have clear answers, but are important for Congress to consider as it debates comprehensive privacy legislation.

The internet has flourished alongside the behavioral advertising business model, in which businesses collect extensive data about internet users and leverage that data to sell targeted ads. In exchange, these businesses offer users a “free” service that users pay for with their data, rather than with money. While the business model has fostered the free flow of information and created opportunities for online companies to increase efficiency and profit, the perils of behavioral advertising are becoming more obvious, and the consequences more commonplace.

The current push for federal privacy legislation can potentially disrupt existing business models and incentivize the creation of new models that better protect users’ privacy. In an effort to protect individual privacy in the aftermath of the Facebook/Cambridge Analytica scandal, policymakers are now discussing how to hold companies accountable for privacy intrusions. One aspect of the ongoing debate considers legislation that could effectively outlaw certain revenue sources, including banning behavioral advertising or precluding companies from charging users for exercising their right to privacy.

This report builds on an event held at New America’s Open Technology Institute on July 16, 2019, during which we asked speakers, among other things, “What online business models should Congress deem off-limits?” Nathalie Maréchal, senior research analyst at Ranking Digital Rights, delivered opening remarks, while Natasha Duarte, policy analyst at the Center for Democracy & Technology, moderated the panel consisting of Megan Gray, general counsel and policy advocate at DuckDuckGo; Keir Lamont, policy counsel at Computer & Communications Industry Association; Gabrielle Rejouis, law fellow at the Georgetown Center on Privacy and Technology; and Lee Tien, senior staff attorney and Adams Chair for Internet Rights at the Electronic Frontier Foundation. The speakers discussed various aspects of this question, including the prevalence of behavioral advertising, the harms that this business model can cause, how legislation could promote privacy-protective business models, concerns related to overly-prescriptive privacy legislation, and the pros and cons of pay-for-privacy regimes.

Behavioral advertising is one of the most dominant online business models, and it has enabled a new mode of advertising that capitalizes on data to target users in unprecedented ways. As discussed by Maréchal in her opening remarks, behavioral advertising emerged in the late 1990s, when companies sought to monetize their products and services through what has since become known as surveillance capitalism.¹ As Google became an increasingly popular search engine, it began tracking users’ online activities by collecting data on what they were typing into the search field, what they clicked on before and after searching for different terms, how much time they spent visiting the pages they clicked on, and more. After decades of accruing data, Google has leveraged its data trove and built a sophisticated behavioral advertising apparatus that predicts user behavior and identifies what ads individuals are most likely to click on.

Behavioral advertising spread throughout Silicon Valley and beyond, with far-reaching implications outside the tech sector. Namely, it has disrupted journalism by taking away critical revenue. As Maréchal has written, behavioral advertising

stole journalism's lunch money and used it to sustain platforms whose driving logic isn't to educate, to inform, or to hold the powerful to account, but to keep people engaged. This logic of engagement is motivated by the twin needs to collect more data and show more ads, and manifests itself in algorithms that value popularity over quality.²

To offset this loss of revenue, some news outlets are implementing behavioral advertising on their own sites. The New York Times, ESPN, and USA Today now deliver targeted ads based on users’ moods.³ The Washington Post developed an ad targeting tool that collects user data, and then uses machine learning to “match that data to its existing audience data pools, which it has accumulated over the last four years, to create assumptions on what that news user’s consumption intent will be.”⁴

Behavioral advertising does provide some benefits. As Maréchal explained, to most observers, the business model may seem like a win-win for companies and consumers. Behavioral advertising allows consumers to access online services, typically without paying a monetary fee. In exchange, companies gain a steady revenue stream through automated advertising exchanges, allowing them to focus on developing new products and services. Advertisers benefit from increased efficiency and innovation that enables them to optimize their ad investment strategy. Advertising networks, in turn, are able to charge more for each ad placement. Consumers also benefit from the free flow of information and potentially from efficiency gains, as they are in theory more likely to see relevant ads; they may even accept the associated trade-off in privacy.⁵

Despite its potential benefits, the behavioral advertising business model encourages extensive and intrusive data collection that threatens consumer privacy. Behavioral advertising is driven by clicks and visibility—companies want more people to click and visit certain pages, and the data informs which pages ads are placed on to drive these clicks. Under this business model, there is a clear competitive advantage to having more data. Companies have incentives to collect data, even if they do not need it, in the hopes that it will be useful someday. This practice has led to serious privacy harms.

Though the behavioral advertising business model may provide some benefits to consumers, it is a myth that the ad-supported products and services are entirely “free”—users pay by giving up their privacy and submitting themselves to potential privacy harm. As Maréchal said, “The cornerstone of this business model is non-consensual data collection at a massive scale. That, in and of itself, is a privacy violation, and it’s really a testament to how embedded these business models are into our society, and how readily we’ve accepted Silicon Valley’s narrative that many people don’t see that as a harm.”⁶ And as Rejouis pointed out, “the exchange isn’t mutual. [Companies are using] algorithms [to collect] data in undetected ways,” using proxies to infer information about users that they do not directly provide companies.⁷ Gray added that the large tech companies

need that data more for their current business models than they need to show you the ad. Because … [that] data is then used to maybe not show you an ad, but to show so many millions of other people an ad, and every pipeline they can get to feed into the big data machine that helps them determine what is going to be the most manipulative content to show you so that you click on the ad.⁸

Thus, the true price of these services is exposure to increased privacy risks.

The behavioral advertising business model contributes to a number of additional harms. First, any collected data is vulnerable to breaches if the company stores it, and as mentioned above, companies often collect a lot of data even when it is not necessary. One Gartner executive disclosed that over 70 percent of data collected and retained by companies remains “dark,” or unused, but nonetheless is kept for the possibility that they might eventually be able to monetize it.⁹ The data that companies collect can be stolen, and these breaches can lead to significant consumer harms, particularly if the data is financial or health related.¹⁰

Second, the non-consensual, secondary use of data for purposes beyond those for which it was collected can harm users. While OTI’s prior panel on civil rights and privacy addressed secondary use of data with regard to discrimination,¹¹ it remains an issue in other areas as well, including when companies sell data to data brokers, which then sell it to other organizations that use that data to inform decisions about employment or credit. For instance, in Spokeo, Inc. v. Robins, plaintiff Thomas Robins argued that his employment prospects had been harmed by data broker Spokeo’s listing of factually inaccurate information. Spokeo’s database misrepresented Robins by stating that he “was in his 50s, … married, … employed in a professional or technical field, and … has children” and “that he has a graduate degree, that his economic health is ‘Very Strong[,]’ and that his wealth level [is in] the ‘Top 10%.’”¹² This inaccurate data made Robins seem “overqualified for jobs he might have gained, expectant of a higher salary than employers would be willing to pay, and less mobile because of family responsibilities.”¹³ Any potential employer consulting the Spokeo database on Robins would have had incorrect information about him, which could have led the potential employer to unfairly reject his application. Thus, by encouraging vast data collection (whether accurate or not), the behavioral advertising business model creates further risks of unanticipated and potentially harmful secondary uses.

Third, even the appearance of companies tracking and following users around the internet can be viewed as harmful. In fact, “[a] wide variety of studies show that people find online ads intrusive, [and] annoying. … These unsolicited, even somewhat aggressive (and occasionally offensive) ads are unwanted interruptions.”¹⁴ Other surveys have shown that people find behavioral advertising “too aggressive” and “creepy.”¹⁵ Consumers may even be more likely to engage with ads if the advertiser is not using “creepy” tactics.¹⁶ These descriptors show that users experience a privacy harm even if they cannot identify it with precision. Much like in the physical world, consumers want and expect a certain amount of privacy, yet behavioral advertising violates those expectations.

For many years, online businesses have largely operated under the assumption that the behavioral advertising business model is superior to the contextual advertising business model,¹⁷ but this belief is not necessarily true. Privacy-protective online business models exist in which companies do not need to rely on behaviorally targeted ads to be profitable. For instance, companies can employ and have employed contextual advertising—displaying ads based on the content of the website instead of the behavior of the user—to fund their business.¹⁸

Contextual advertising business models are still profitable. DuckDuckGo has successfully employed a contextual advertising business model for over a decade. If a company switched from a behavioral advertising model to contextual one, Gray said, “They would still be hugely profitable. They may not be obscenely profitable … but they would still be able to do their moonshots, and have all their businesses.”¹⁹ In fact, there is reason to be skeptical that behavioral advertising is more profitable—a recent survey found that 45 percent of publishing executives saw no notable benefit from behavioral ads, and 23 percent said they actually led to a decline in revenue.²⁰ Further, an increased reliance on contextual advertising may even improve competition, because, as the CEO of DuckDuckGo recently wrote, “[W]hen contextual advertising regains prominence, more companies will be able to compete against Facebook’s and Google’s ad networks because they won’t need huge troves of personal data to do so.”²¹

45 percent of publishing executives saw no notable benefit from behavioral ads.

Additionally, legislation that curtails the behavioral advertising business model could spur innovation around privacy-protecting business models. As Gray stated, contextual ads have suffered from a lack of innovation. “We’ve had contextual online ads … since 1998 and nobody has spent any time trying to innovate,” she argued.²² Much of the innovation has gone specifically into matching people to ads based on their behavior rather than the context of the current website, such as showing an ad for various cleaning products when users searched for vacuums. “It would be wonderful to see folks … try to focus more on advertising innovation that is healthier for us as a society,” Gray argued.

Even without affecting business models, legislation could promote innovation. As Lamont detailed,

You can also imagine several ways that federal law could promote competition and promote innovation on privacy practices. I think we should pursue those in federal privacy legislation. One is transparency—the law should require that companies be upfront about what data they collect, how they process it, under what circumstances it could be transferred to a third party. That would allow consumers to think about what is the business model of the company that I’m signing up for to do business with and potentially switch. Another way to make that more probable and to promote competition on privacy-preserving interests and values is … data portability, where consumers would have an easier time moving the existing information and transferring between different services.²³

Adopting these approaches may be helpful—and OTI supports creating a right to data portability²⁴—but users may desire more protections than transparency and portability.²⁵

As discussions around a new privacy law in the United States continue, policymakers will likely have to confront the fact that some privacy protections may limit or even prohibit the ability of companies to rely on the behavioral advertising business model. While there are preliminary reports that the General Data Protection Regulation (GDPR), the EU law on data protection and privacy implemented in May 2018, is benefiting EU-based companies—through shorter average delays in product sales to customers caused by privacy concerns,²⁶ for instance—policymakers should consider both the costs and benefits of legislation that may eliminate certain business models.

In particular, if a law is overly prescriptive, it may cause significant disruption online. Lamont specifically cautioned that

ill-drafted or ill-considered privacy law could negatively impact innovation. You can imagine a privacy law that is so prescriptive that small, innovative, disruptive players would have a more difficult time entering the market. You could imagine a privacy law where the standards are so ill-defined, or enforcement is so out of proportion to the risk of harm that it would chill businesses from pursuing new and innovative uses of data.²⁷

Privacy legislation with laborious compliance requirements could hurt businesses that lack the required expertise and adequate resources. While large companies may be better positioned to accommodate these costs, small businesses are at a disadvantage and may find them particularly burdensome. Small businesses are also less likely than large companies to have legal departments or attorneys on-staff to help with compliance or navigating lawsuits.

Studies examining the impact of the GDPR on the European economy also claim that privacy legislation may negatively impact small businesses. A recent study suggested that the GDPR has had a negative effect on small and nascent technology ventures.²⁸ By comparing the differences in technology-venture related funding between pre- and post-GDPR periods in the EU and U.S., the authors found that EU technology firms experienced, on average, declines in the double-digital percentages relative to their U.S. counterparts.²⁹ The authors then assumed that, if there are fewer new ventures and less capital per venture after the GDPR went into effect, fewer jobs could also result given that business start-ups often create jobs.³⁰ On the other hand, one potential reason for a reduction in venture capital to EU startups is that businesses that were likely to violate privacy rights did not receive funding. Despite these preliminary findings, the long-term effects of the GDPR remain to be seen.

Nonetheless, small businesses are just as likely to engage in privacy intrusions as large companies are. Tien pointed out that

we … traditionally associate innovation with smaller start-ups. We also tend to assume that smaller companies can’t do as much harm in the first place, and yet one of the truths about the app economy is that you can have a very popular app and collect an enormous amount of data. If you are careless with that data, you have a data breach. You might actually have a greater threat of greater security problems and privacy breach issue … associated with very small players.³¹

It is important to recognize that from a privacy perspective, the key variable is not the size of the business, but the amount of personal data the business collects and how it uses that data.

Preventing companies from charging users a higher price to protect their privacy is not clearly a good or bad policy. As a general matter, privacy should not be a luxury good; people should be able to protect their privacy regardless of their income level. And some pay-for-privacy regimes effectively coerce users—especially low-income consumers—into giving up their privacy if the discount is so disproportionate that users essentially have no choice. For example, AT&T at one point offered broadband customers an option to participate in an “Internet Preferences” program that would have tracked their online activity, and provided them the lowest available rate if they had enrolled.³² Alternatively, customers could have elected to pay an additional $29 per month for standalone broadband access that did not track their online activity.³³ As Duarte pointed out, pay-for-privacy models can be coercive to users “who may not feel like they can make the tradeoff in cost, and pay a higher price or forgo a discount.”³⁴

People should be able to protect their privacy regardless of their income level.

However, prohibiting companies from charging a subscription fee when a user opts out of behavioral tracking could hurt a company’s viability. If a user decides to opt out of being tracked, the company would not generate behaviorally targeted ad revenue from that user. If the company cannot charge a subscription fee to make up for that lack of revenue, then it is effectively forced to provide a truly free service. If enough users opt out of being tracked, and the company could not charge fees, the business may not succeed for lack of revenue. While users may not be concerned about this threat for big tech companies and social media giants, prohibiting both tracking and subscription fees could threaten news organizations that rely on behavioral advertising and third-party tracking.³⁵

Even if legislation includes a ban on pay-for-privacy regimes, it might be difficult to enforce. The California Consumer Protection Act (CCPA), for instance, includes a provision precluding pay-for-privacy regimes, but with certain exceptions. The CCPA allows companies to charge consumers different prices or offer different levels of service if the difference is “reasonably related to the value provided to the consumer by the consumer’s data.”³⁶ The CCPA also allows companies to offer financial incentives—including compensation to consumers for collecting, selling, or deleting their personal information—under a notice-and-consent approach if the programs are not “unjust, unreasonable, coercive, or usurious in nature.”³⁷ However, as Tien pointed out,

we don’t have any good metrics for [those standards] right now, and there isn’t even a good theoretical metric for how you do that. In many of these areas, we’re watching innovations in the law that are going to be followed by innovations in enforcement and compliance, where folks like the California [Attorney General] are going to have to figure out how they are going to exercise their enforcement discretion and compliance in terms of judging something as coercive or not.³⁸

In the near future, the California Attorney General will have to determine how to enforce this provision, and other privacy enforcers should pay attention.

Behaviorally targeted advertising, one of the most dominant online business models, could be scaled back by new federal privacy legislation. This outcome may be a good policy from a consumer privacy perspective, as companies would be less likely to rely on business models that incentivize the collection of data at a massive scale. However, it may also have some detrimental effects, such as increasing compliance costs, particularly for smaller companies, or discouraging innovative uses of data. These issues do not have clear answers, but are important for Congress to consider as it works to develop privacy legislation that protects individuals.