Last November, Facebook launched an advertising service called Beacon that shared information about users' online activity—such as buying movie tickets online—with other Facebook members. The social networking Web site, however, neglected to ask its users if they wanted data about other sites they visited as well as the things they bought online automatically posted to their profile pages. Worse, that information went to users that the members had designated as friends.

The benefit to advertisers was clear: highly targeted marketing based on past behavior. But Facebook users hated the invasion of privacy. More than 50,000 of them signed an online petition protesting the program. The site responded by allowing users to opt out of the service, giving them control over what information could be shared. Company founder Mark Zuckerberg also issued an apology.

Too little, too late—a group of plaintiffs on August 12 sued Facebook and several other companies, including Blockbuster, Fandango, Overstock.com and Hotwire.com, in U.S. District Court in San Jose, Calif., accusing the social networking site and its partners of violating both the federal 1986 Electronic Communications Privacy Act and 1986 Computer Fraud and Abuse Act, along with California's Consumer Legal Remedies Act and its Computer Crime Laws.

A small victory for online privacy, but in the age of Facebook and MySpace this is unlikely to be the last skirmish between advertisers—who will spend $1.4 billion this year to reach social network users, according to eMarketer, Inc., an online marketing research firm in New York City—and users who want their privacy. The information on those sites is just too valuable.

"Understanding user behavior is very valuable to a marketer," says Cameron Olthuis, founder of Factive Media [[http://factivemedia.com/]], an online marketing consulting firm in Carlsbad, Calif. "Take Facebook, for example, you can run ads now that target users based on information in their profiles." MySpace's HyperTargeting advertising software lets advertisers target their wares based on information users put in their profiles. One half of all ad buys on MySpace now use HyperTargeting.

Users "feel like there is a sense of control because they can control their privacy preferences," says Larry Ponemon, founder and chairman of information management firm Ponemon Institute, LLC, in Traverse City, Mich., but that is not necessarily the case. Congress is concerned: Earlier this month, the House Committee on Energy and Commerce asked Yahoo and more than 30 other leading Internet firms to provide more information about the online browsing data they collect from consumers and explain how the information is used to create targeted advertising messages. Yahoo responded by announcing the company will allow users to refuse targeted advertising on Yahoo-branded Web sites. Google, Inc., meanwhile, has acknowledged it is using Internet browser tracking technology that allows the company to accurately monitor Web-surfing behavior. For example, it can provide ads on Google.com in response to search queries entered by its users.

And users may not really get that. "I don’t know that people understand that their browsing experience within an online session is tracked or how much content is served to them based on behavior tracking as well," says Fran Maier, CEO of TRUSTe, a San Francisco privacy advocacy group.* "The consumer, without knowing the limits of that tracking, can easily come to the point of being concerned that too much is being tracked, that it is being tracked individually, that it's insidious and creepy."

According to a 2008 TRUSTe study, 71 percent of consumers are aware that their browsing information may be collected by a third party for advertising purposes. But 57 percent say they are not comfortable with advertisers using that browsing history to serve relevant ads, even when that information cannot be tied to their names or any other personal information.

What's being done to protect privacy? For one, TRUSTe evaluates Web sites and offers its Web Privacy Seal (Ponemon Institute has one, for example), E-Mail Privacy Seal and Trusted Download programs to help consumers and businesses identify trustworthy online organizations. Criteria for getting one of these stamps of approval include whether Web users have control over who accesses information about them and if they have the opportunity to keep a site from selling their information to advertisers.

Not everyone believes data collection from social networking sites poses a risk. In general, the information collected and the way it is used by legitimate companies is anonymous, says eMarketer senior analyst David Hallerman. "Most behavioral tracking is accomplished by cookies that identify what the person using the browser is clicking on," he says. "But it doesn’t have any of personally identifiable information (such as the person's Social Security number or home address)." Hallerman believes that because the privacy issue has become public, marketers will adopt self-regulation to give consumers the option to opt out. If not, government regulations may be instituted to protect consumer interests.

Ponemon is not convinced that self-regulation will be enough. The Internet is not a free market, he says, because people cannot work and live now without connectivity to the Internet. This gives Web users ample opportunity to leave bits of information about themselves wherever they browse. "Once the information is in the hands of the advertiser," he says, "there's nothing you can do to suppress it."

* (Sept. 17, 2008) The original version of this article identified TRUSTe as a nonprofit, but the organization has received venture capital funding.