Publications

Privacy and Security / Communications Alert: FTC Releases Staff Report Announcing Self-Regulatory Principles for Online Behavioral Advertising



3/2/2009

The Federal Trade Commission (FTC) has released a staff report setting self-regulatory principles for companies engaged in online behavioral advertising. The principles are designed to enable online advertisers to avoid or address practices that raise genuine privacy concerns without interfering with or stifling innovation online. The FTC issued the staff report after it conducted a town-hall meeting, published a draft set of principles, and obtained public comment on the draft principles.

The staff report defines online advertising and announces four principles:

  1. transparency and consumer control;
  2. reasonable security and limited data retention;
  3. material changes to privacy policies; and
  4. affirmative express consent before using sensitive data.

The staff report does not address secondary uses of tracking online behavior.

Online Advertising Definition Excludes “First Party” and Contextual Advertising

The staff report defines online behavioral advertising as the tracking of a consumer’s online activities over time—including the searches a consumer has conducted, the Web pages visited, and the content viewed—to deliver advertising targeted to the individual consumer’s interests. It excludes “first party” advertising, where no data is shared with third parties, and contextual advertising, where an ad is based on a single visit to a Web page or single search query. The staff report, however, does not limit the scope of customer data subject to the principles to only personally identifiable information, claiming that whether data could be reasonably associated with an individual “will depend on the factual circumstances and available technologies.”

Principles

Transparency and Consumer Control

Advertisers that collect information for online behavioral advertising should provide meaningful disclosures that allow consumers to choose if they want to permit the practice. Every Web site where data is collected that “reasonably could be associated with a particular consumer or with a particular computer or device” and used for behavioral advertising should provide a “clear, concise, consumer-friendly, and prominent” statement indicating that:

  • data about consumers’ activities online is being collected at the site to facilitate advertising about products and services tailored to individual consumers’ interests; and
  • consumers can choose whether or not to have their information collected for such purpose.

Such Web sites are directed to provide consumers with a clear, easy-to-use, and accessible method for declining to participate in behavioral advertising, but the staff report does not specify if the consent should be opt-in or opt-out. If the data collection occurs outside the traditional Web site context, companies should develop alternative methods for disclosure and consumer choice.

Reasonable Security and Limited Data Retention

Companies should provide reasonable data security measures so that behavioral data does not fall into the wrong hands, and should retain data only as long as necessary for legitimate business or law enforcement needs. Any company that collects or stores consumer data for behavioral advertising should provide reasonable security for that data. These protections should be based on the sensitivity of the data, the nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company. Data retention should be as brief as possible and tailored to a legitimate business or law enforcement need.

Affirmative Express Consent for Material Changes to Privacy Promises

The FTC’s enforcement and outreach efforts make clear that a company must keep the promises it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date. Before a company can use previously collected data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers. The staff report indicates that this principle would apply to a corporate merger situation if the merger creates material changes in the manner that the companies collect, use, and share data.

Affirmative Express Consent to Use Sensitive Data

Companies should obtain affirmative express consent from consumers before they use sensitive data for behavioral advertising. Examples of sensitive data include financial data, data about children, health information, precise geographic location information and Social Security numbers.

Further Regulation Possible without Meaningful Self-Regulation

While the principles are designed to serve as the basis for industry self-regulatory efforts to address privacy issues, two FTC commissioners signaled that ignoring the principles could bring a heavier regulatory approach to online advertising. Commissioner Jon Leibowitz issued a concurring statement to ensure that the staff report’s endorsement of self-regulation “is viewed neither as a regulatory retreat by the Agency nor an imprimatur for current business practice.” He went on to warn that “data security has been too lax, privacy policies too incomprehensible, and consumer tools for opting out of targeted advertising too confounding” and that the principles represent “the last clear chance to show that self-regulation can—and will—effectively protect consumers’ privacy in a dynamic online marketplace.” Commissioner Pamela Jones Harbour noted “behavioral advertising represents just one aspect of a multifaceted privacy conundrum surrounding data collection and use” and voiced her preference for a more comprehensive approach to privacy.

The staff report emphasizes that it is merely the “next step in an ongoing process,” and that the FTC expects industry to take the lead in developing standards to implement the principles. The FTC has indicated it will continue to monitor the marketplace so that it can protect consumers. This will include evaluating the development of self-regulatory programs, conducting investigations, meeting with stakeholders and studying developments in online behavioral advertising.

For assistance in this area, please contact one of the attorneys listed below or any member of your Mintz Levin client service team.

Cynthia J. Larose, CIPP
(617) 348-1732
CLarose@mintz.com

Howard J. Symons
(202) 434-7305
HJSymons@mintz.com

Christopher J. Harvie
(202) 434-7377
CJHarvie@mintz.com

Harvey Saferstein
(310) 586-3203
HSaferstein@mintz.com

Publications Search

Archive

Accomplished Clients Accomplished Clients