Skip to main content

How Online Advertisers May Steal Your Personal Information: Recommendations for Protecting Consumers

Written by Adam Veness

The United States Senate Permanent Subcommittee on Investigations recently released a report outlining six findings concerning online advertising risks to consumers’ personal information and four recommendations on how to protect consumers from these hidden hazards.


1) Consumers risk exposure to malware through everyday activity.  Consumers can incur malware attacks by simply visiting even a mainstream website and without taking any action such as clicking an advertisement.  The complexity of online advertising makes it impossible for consumers to avoid advertising malware attacks or identify the source of the malware exposure and determine whether the ad network or host website could have prevented the attack.

2) The complexity of current online advertising practices impedes industry accountability for malware attacks.  The online advertising industry has grown in complexity to the point that each party can conceivably disclaim responsibility when malware is delivered to a user’s computer through an advertisement.  Due to the many layers of intermediaries through which online advertisements often travel before appearing in a user’s browser, the ad networks themselves rarely deliver the actual advertisement from their own servers and the owners of the host website visited by a user often does not know what advertisements will be shown on their site.

3) Self-regulatory bodies alone have not been adequate to ensure consumer security online.  Self-regulatory codes of conduct in online advertising do not fully address consumer security from malware.  Interestingly, self-regulatory efforts in online security to date have been dependent on online ad networks for funding and viability, which creates a potential conflict of interest in their dual roles as industry advocates and standard-setting bodies.

4) Visits to mainstream websites can expose consumers to hundreds of unknown and potentially dangerous third parties.  Even visiting a mainstream website exposes consumers to hundreds of third parties, and each of those third parties may be capable of collecting information on the consumer and may be a potential source of malware.

5) Consumer safeguards are currently inadequate to protect against online advertising abuses, including malware, invasive cookies, and inappropriate data collection.  Self-regulatory codes do not significantly address online advertising security and data collection protections are often limited in scope and underutilized.  Current FTC safeguards are insufficient to protect consumers from online advertising abuses, and cybercriminals are constantly finding new ways to evade existing security methods.

6) Current systems may not create sufficient incentives for online advertising participants to prevent consumer abuses.  Due to the difficulty in determining responsibility for malware attacks and inappropriate data collection through online advertisements, online advertising participants may not be fully incentivized to establish effective consumer safeguards against abuses.



To remedy the problems identified above, the Senate Subcommittee proposed four recommendations to tighten online advertising protocols and protect consumers.

1) Establish better practices and clearer rules to prevent online advertising abuses.  Currently, legal responsibility for damages caused through malvertising usually rests only with the fraudulent actor in question.  Since these actors are rarely caught and even less frequently able to pay damages, the harm caused is often borne by consumers.  Sophisticated commercials entities, large and small, should take steps to reduce system vulnerabilities in their advertising network, and if they fail to do so, then regulatory or legislative change may be needed to incentivize such entities to increase security for advertisements that run through their systems.

2) Strengthen security information exchanges within the online advertising industry to prevent abuses.  Online advertising companies are often hesitant to share information regarding security hazards because of fears they will be accused of violating federal antitrust laws by cooperating with competitors.  The Department of Justice and the FTC recently issued joint guidance suggesting that sharing of cyber threat-related information would not trigger antitrust liability and those agencies should clarify the extent to which online advertising participants may exchange information about security hazards.  If necessary, Congress should pass legislation that removes legal impediments to the sharing of actionable cyber-threat related information and create incentives for the voluntary sharing of such information.

3) Clarify specific prohibited practices in online advertising to prevent abuses and protect consumers.  Self-regulatory bodies should develop comprehensive security guidelines for preventing online advertising malware attacks.  In the absence of such self-regulation, the FTC should consider stepping in and issuing regulations to prohibit unfair and deceptive online advertising practices.  Greater specificity in prohibited or discouraged practices is needed before the overall security situation in online advertising can improve.

4) Develop additional “circuit breakers” to protect consumers.  Given the complexity of online advertising, more “circuit breakers” should be incorporated into the online advertising system to introduce checkpoints and ensure that malicious advertisements are caught at an earlier stage before transmission to consumers.



The Senate Subcommittee’s report sheds light on the serious concerns in online advertising due to little or no accountability for fraudulent actors and a lack of regulation in place to protect consumers against malicious online advertising.  The report further provides case studies of certain dangers in online advertising, and the full report can be accessed here.


Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.