The Federal Trade Commission’s Online Behavioral Advertising Inquiry
This article, written by Lydia A. Jones, was originally published in the
Media Law Resource Center's Practically Pocket-Sized Internet Law Treatise.
Lydia A. Jones, Esq.
Internet & E-Commerce Team Leader
Adams and Reese LLP
Music Row Office
901 18th Avenue South
Nashville, TN 37212
lydia.jones@arlaw.com
Introduction
In December 2007, the Federal Trade Commission (“FTC”) released a set of proposed principles to guide the development of industry self-regulation of online behavioral advertising (“OBA”), and in July 2008 the FTC provided testimony to the U.S. Senate Committee on Commerce, Science, and Transportation regarding these proposed principles. In publishing these proposed principles, the FTC acknowledged that behavioral advertising may provide benefits to consumers, including in the form of free content and personalized advertising, but it also noted that the practice of OBA is largely invisible and unknown to consumers, thereby giving rise to several consumer and individual privacy concerns, including spyware protocol, data security, identity theft and spam.
OBA is the tracking of a consumer’s activities online, including: (i) the searches conducted; (ii) the Web pages visited; and (iii) the content viewed, in order to deliver advertising targeted to that individual’s purported interests. The typical types of technology used to track online consumer behavior include cookies and Web beacons (also known as Web bugs, clear Graphics Interchange Formats (GIF), Web tags or pixel tags). And the types of targeted advertising include the familiar banner ads served up on a web page being viewed by the consumer or traditional unsolicited email marketing communications sent directly to the consumer’s inbox.
The proposed principles appear to have a two-fold purpose. First, they are clearly an attempt by the FTC to promote industry self-regulation, rather than legally mandated regulation, of the online practice of tracking and collecting customer data, and then using that data to serve up targeted online ads or transmit email messages. Second, the proposed principles are designed to provide consumers with an understanding of, and perhaps control over, the privacy of their online behavior and the indelible footprints they may unwittingly be leaving behind, as well as the volume and content of unsolicited email messages landing in their perhaps already over-filled inboxes.
The proposed principles published by the FTC, along with the purported rationales, are as follows:
To address the need for greater transparency and consumer control regarding privacy issues raised by behavioral advertising, the FTC staff proposed:
- Every Web site where data is collected for behavioral advertising should provide a clear, consumer-friendly, and prominent statement that data is being collected to provide ads targeted to the consumer and give consumers the ability to choose whether or not to have their information collected for such purpose.
To address the concern that data collected for behavioral advertising may find its way into the hands of criminals or other wrongdoers, and concerns about the length of time companies are retaining consumer data, the FTC staff proposed:
- Any company that collects or stores consumer data for behavioral advertising should provide reasonable security for that data and should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.
To address the concern that companies may not keep their privacy promises when they change their privacy policies, FTC staff proposed:
- Companies should obtain affirmative express consent from affected consumers before using data in a manner materially different from promises the company made when it collected the data.
To address the concern that sensitive data – medical information or children’s activities online, for example – may be used in behavioral advertising, FTC staff proposed:
- Companies should only collect sensitive data for behavioral advertising if they obtain affirmative express consent from the consumer to receive such advertising.
- FTC staff also seeks comment on what constitutes “sensitive data” and whether the use of sensitive data should be prohibited, rather than subject to consumer choice.
[See http://www.ftc.gov/opa/2007/12/principles.shtm]
Compliance Issues and Concerns
Assuming your client’s business is U.S. based and collecting data from U.S. customers, a privacy policy in compliance with the FTC’s proposed principles may contain provisions such as:
Unless you tell us otherwise, non-sensitive data (e.g., not medical data, not data from children) will be collected and stored for a commercially reasonable time and in a commercially reasonable manner for use in connection with targeted advertisements served directly to you as you visit certain web pages, and in connection with targeted email messages that may be sent to your email account.
If we decide to use your data in a manner materially different than stated here or as stated when we collected the data from your online activity, we will obtain your express consent before using your data in that different way.
Either we will not collect, store or use sensitive data, or if we do, we will obtain your express consent before collecting and/or using it for targeted ads or email messages.
At first blush, such provisions appear reasonable and balanced. And from a customer standpoint, the message is clear that the company web site wants to serve up advertisements and send emails, but it also cares about privacy.
From a practical standpoint, however, U.S. companies will be ill served if they post such a notice and do not design and implement internal controls to actually comply with their own stated policy. Will they expend the resources on technology to track the “opt outs”? Will the marketing channels monitor where express consent for collection is, and is not, provided? And will there be sufficient coordination among all business channels to create and maintain a database that can be used effectively, yet be limited by and consistent with the customer’s preferences?
To date, there is no legal mandate to have or post a privacy policy. The FTC has, of course, enforcement powers under Section 5 of the Federal Trade Commission Act to prosecute and penalize companies for violating the terms of their stated privacy policies. So while the FTC has merely proposed these principles for behavioral advertising, U.S. companies should be mindful that once a decision to self-regulate through a posted privacy policy is made, that company is then subject to the enforcement oversight of the FTC for violations of its data collection practices.
Other Considerations
Practitioners advising Internet companies on these issues should be mindful of a few additional considerations. Those interested in learning about the industry response to the FTC’s proposed principles, for example, may wish to view the comments at http://www.ftc.gov/os/comments/behavioraladprinciples/index.shtm. And for an update on the FTC’s most recent activity on this topic, practitioners may wish to review the FTC’s testimony to the U.S. Senate Committee on Commerce, Science, and Transportation given in July 2008. This testimony stated in part that "the issues surrounding this practice are complex ... the business models are diverse and constantly evolving, and ... behavioral advertising may provide benefits to consumers even as it raises concerns about consumer privacy." According to the testimony, "the Commission is cautiously optimistic that the privacy concerns raised by behavioral advertising can be addressed by industry self-regulation," which "affords the flexibility that is needed as business models continue to evolve." The testimony noted, however, that the FTC will continue to monitor the marketplace closely so it can take appropriate action as circumstances warrant. And finally, practitioners should always check for parallel U.S. state law legislation, including California for example, as well as European Union rules and guidance on issues of or relating to behavioral advertising.