Highlights of the FTC's Self-Regulatory Principles for Online Behavioral Advertising
Earlier this year the Federal Trade Commission released an FTC Staff Report entitled "Self-Regulatory Principles for Online Behavioral Advertising" (the "Report"). The Report arose after over a year of public comments and debate by both marketers and consumer privacy advocates. The Principles allow for a self-regulatory approach that purportedly strikes a balance between marketing innovation and consumer benefits, and protecting consumer privacy. The following is a summary of some of the key points of the report on the Principles. What is online behavioral advertising? The Report defines online behavior advertising as: the tracking of a consumer's online activities over time - including the searches the consumer has conducted, the web pages visited, and the content viewed - in order to deliver advertising targeted to the individual consumer's interests. For example, "cookies" are often used by some companies to track the websites that users visit while browsing the Internet. A user purchasing a plane ticket to New York on a website might have an advertisement for a New York hotel presented to him on a different website after making the purchase. The information collected for online behavior advertising may not involve personally identifiable information (e.g. name, address, account numbers, etc.), but rather often includes information that associates users with a particular computer or device (e.g. IP address). The FTC, however, makes a distinction between certain types of behavioral advertising, including "first party" behavior advertising and contextual advertising. First party behavior advertising is the tracking of consumer activities by and at a single website with no sharing of the behavior data with a third party. Contextual advertising is advertising based on a consumer's current visit to a single web page or a single search query that involves no retention of consumer data beyond that necessary for the immediate delivery of the ad or search result .In general, the FTC believes that these types of advertising are less invasive and that the Principles should not apply to these practices. What are the principles for online behavioral advertising? The proposed Principles include four governing concepts: (1) Transparency and consumer control: Every website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that (1) data about consumers' activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers' interests, and (2) consumers can choose whether or not to have their information collected for such purpose. The website should also provide consumers with a clear, easy-to-use, and accessible method for exercising this option. Where the data collection occurs outside the traditional website context, companies should develop alternative methods of disclosure and consumer choice that meet the standards described above (i.e., clear, prominent, easy-to-use, etc.) (2) Reasonable security, and limited data retention, for consumer data: Any company that collects and/or stores consumer data for behavioral advertising should provide reasonable security for that data. Consistent with data security laws and the FTC's data security enforcement actions, such protections should be based on the sensitivity of the data, the nature of a company's business operations, the types of risks a company faces, and the reasonable protections available to a company. Companies should also retain data only as long as is necessary to fulfill a legitimate business or law enforcement need. (3) Affirmative express consent for material changes to existing privacy promises: As the FTC has made clear in its enforcement and outreach efforts, a company must keep any promises that it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date. Therefore, before a company can use previously collected data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers. This principle would apply in a corporate merger situation to the extent that the merger creates material changes in the way the companies collect, use, and share data. The FTC noted, however, that the material change principle is limited to changes that are both material and retroactive. Depending upon a company's initial privacy promises, a material change could include, for example: (i) using data for different purposes than described at the time of collection, or (ii) sharing data with third parties, contrary to promises made at the time of collection. A retroactive change is a change in a company's policies or practices that a company applies to previously collected data. (4) Affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising: Companies should collect sensitive data for behavioral advertising only after they obtain affirmative express consent from the consumer to receive such advertising. What is "affirmative express consent"? While the report does not define affirmative express consent or specify the mechanism for obtaining such consent, most commentators agree that this standard amounts to an "opt-in" requirement for material changes (see the third principle) and use of sensitive information for behavior advertising. In other words, there must be some sort of affirmative action take to obtain consent (e.g. pre-checked boxes that need to be unchecked are not likely to work). What should companies do to address these new principles? First, companies must determine whether they actually engage in online behavior advertising. Many companies may track their customer's behavior within the company's own website or serve adds based on keyword searches, both of which appear to be exempt from the principles. If a company does engage in online behavior advertising it should review its privacy policy to determine how (and if) those practices are described to consumers, and whether appropriate notice is provided or consent obtained. It may be necessary to update those privacy policies or modify practices to fall in line with the stated principles. Significantly, the Report indicates that the FTC will continue to be heavily involved in this area, including potentially, regulatory actions:
During the next year, Commission staff will evaluate the development of self-regulatory programs and the extent to which they serve the essential goals set out in the Principles; conduct investigations, where appropriate, of practices in the industry to determine if they violate Section 5 of the FTC Act or other laws; meet with companies, consumer groups, trade associations, and other stakeholders to keep pace with changes; and look for opportunities to use the Commission's research tools to study developments in this area.