FTC Privacy Framework: Comments from the Retail/Promotion/Advertising Industry

Written by Stu Eaton

In our continuing effort to summarize the more than 400 comments posted in response to the FTC’s Privacy Framework, we have organized our summaries into the following five industry groups: Retail/Promotion/Advertising; Software/Technology; Telecommunications/Media; Privacy Advocates/Government; and Financial Services/General Business.

This week we reviewed the comments posted by companies and trade groups in the Retail, Promotion and Advertising sector. Despite the large number of comments covering a broad range of topics, the industry’s comments as a whole focused on the following eight issues of concern:

  • Continued use of self-regulation and education as the primary enforcement vehicle;
  • How online advertising benefits consumers and the economy;
  • Regulation of non-personally identifiable information;
  • Implementation of a “do not track” mechanism;
  • The lack of flexible criteria for determining “commonly accepted” practices that do not require consent;
  • Continued use of “opt-out” as the preferred method of consent;
  • The FTC’s proposal that online marketers allow consumers to access and correct marketing data; and
  • The FTC’s proposal to limit data retention periods.

A detailed discussion of the industry comments on each of these topics follows after the jump.


In near uniformity, commenters called for continued self-regulation and education as the most effective means of protecting consumer privacy while fostering innovation. Commenters argued that a legislatively-imposed privacy framework would seriously hinder innovation because it would be too inflexible to respond to the rapidly developing technological environment of online advertising. Commenters warned the FTC against imposing requirements on their self-regulatory programs, pointing out that such an approach would inhibit the industry’s ability to respond to a rapidly-developing marketplace. One commenter, the Electronic Retailing Association, suggested the FTC provide “best practices” guidelines for self-regulation, which would allow industry to quickly adapt to an evolving market.

Three of the most prominent self-regulatory programs discussed in the comments include:

  • Self-Regulatory Guidelines for Ethical Business Practice (“Principles”): created by the Direct Marketing Association (“DMA”), the seven Principles call for education, provision of new choice mechanisms, data security, heightened protection for certain sensitive data, consent for certain material changes to online behavioral advertising data collection and use policies, and strong enforcement mechanisms. On January 31, 2011, the DMA initiated its Accountability Program, which assists member companies with compliance but eventually intends to actively monitor and enforce the Principles.
  • Council of Better Business Bureaus (“CBBB”) Accountability Program: The CBBB’s Accountability Program, with guidance from the National Advertising Review Council (“NARC”), monitors and initiates inquiries into industry compliance using software that monitors and analyzes online behavioral advertising activity and provides the CBBB with indicia of potential non-compliance requiring further investigation. An online report form also provides interested entities with a means to report non-compliance.
  • Electronic Retailing Self Regulation Program: This program, which regulates advertising and had been in place for years, is administered by the BBB and National Advertising Division.


Commenters also stressed that online advertising and marketing provide consumer benefits that would be jeopardized by regulation. The comments pointed out that online advertising underwrites most of the Internet content, services and products that shape today’s popular Internet experience. Consumers also appear to value “personalized” or behavioral advertising, as evidenced by the fact that they respond in far higher numbers to advertisements for products and services targeted to their interests. Several comments also stressed the importance of online advertising to the U.S. economy. For example, one group of advertisers cited a study showing that online retail and advertising services accounted for over $140 billion in retail sales for U.S. companies and directly or indirectly employed more than three million Americans in 2009.


Commenters were extremely concerned that, by applying the privacy framework to all consumer data that can reasonably be linked to a specific consumer, computer or other device, the FTC was proposing to expand the definition of personally identifiable information (“PII”). Online advertisers warned that regulation of non-personally identifiable information (“non-PII”) that cannot ultimately be linked to a consumer, such as a computer I.P. address, would seriously harm the online advertising industry because many companies’ entire business model centers on the distinction between PII and non-PII. Commenters also believe that regulating non-PII would eliminate the industry’s incentive to use anonymized data, stifling the industry’s efforts to develop de-identifying or anonymizing technologies that allow online data to be used safely now.

D. DO NOT TRACK

Online advertising and retail commenters voiced strong opposition to implementation of a “do not track” mechanism. The National Retail Association argued that any “do not track” mechanism would stifle the information flows and technological innovation driving resurgent consumer retail spending. The Promotion Marketing Association argued that implementation of “do not track” would increase the cost of advertising by reducing the availability of behavioral advertising as a valid marketing tool, harming both the consumer and industry members. Consumers would be left with less helpful information and online marketers would be restricted from using a tool, behavioral advertising, that has proven critical for reaching new customers. Instead, commenters urged the Commission to give newly-emergent self-regulatory programs time to take root before implementing any “do not track” mechanism.


Several commenters criticized the Privacy Framework for designating a list of “commonly accepted practices” that do not require consent without explaining why those particular practices were selected or offering any criteria that could be used to define such practices.  Because online advertising is characterized by rapidly evolving technology and consumer expectations, commenters felt a static list of “commonly accepted” practices would never keep pace with the industry.  A “list” methodology also does not account for industry differentiation:  what is commonplace in one industry may seem invasive in another.  For example, a data sharing practice that may seem commonplace for a publishing company may seem bothersome to users of a social networking service that is targeted towards a particular vertical.  While commenters agreed that choice is not necessary for many uses of data, they argued the “more appropriate, pro-innovative approach is to define where choice is appropriate, rather than where it is not appropriate.”

Advertisers also felt that third-party marketing should be included as a “commonly accepted practice.” For decades, third-party marketing has been the basis for prospect marketing and the identification of new customers – the lifeblood of business and the underpinning of our consumer economy. Without the use of third-party data, many new businesses that do not have an established customer base would not succeed.


Industry commenters applauded the FTC for recognizing that a meaningful opt-out mechanism may be more appropriate than opt-in, but cautioned that a choice mechanism that requires clear and conspicuous choice at the time of collection of information would not work in the online environment. Requiring users to opt out at the time of collection would interfere with consumers’ online experience and result in the loss of business because frustrated consumers would simply stop shopping. Commenters felt the option to opt out should be available via the website where the information is collected, rather than at the particular page or point where the consumer enters their information.

Online advertisers also felt that a requirement that users affirmatively consent to secondary uses of data where such use was not disclosed at the time of initial collection would stifle investment in future innovative uses of data. If the FTC ultimately decides to regulate users of marketing data and other non-identifiable or non-sensitive data, commenters urged the FTC to maintain the existing system of meaningful notice and the ability to opt out.


Although online advertisers support increased consumer education and transparency of data collection practices, they argued the record does not justify imposing mandatory data access and correction standards for marketing data. While marketing databases maintain information about individuals, marketers only seek to understand the general characteristics of the individuals to whom they are marketing. And many marketing databases do not contain any individual information. Instead, marketing data is compiled at the geographic or household level, rather than at the personal level, and the data is estimated or presented in ranges. Commenters also noted that the costs of implementing such a regime significantly outweigh the potential harm to the consumer, which amounts to the inconvenience of receiving an irrelevant offer. Finally, the comments drew a clear line between marketing data, which does not need a correction mechanism, and highly sensitive data, such as consumer credit reports, which they agree demands a robust access and correction regime.


Commenters generally supported the idea that data should only be retained for as long as there is a legitimate business purpose, but opposed any attempt to regulate specific retention times. It could be detrimental to businesses and consumers to prescribe specific retention periods. The reasons for a company to retain data, and for consumers to want a company to retain their data, are very fact-specific, and commenters pointed out that there may be valid business reasons (such as a consumer request) for businesses to keep data for longer periods of time. Rather than prescribe specific retention periods, commenters recommend that the industry and the FTC continue to promote sound data security practices so that all data, regardless of the period of time for which it is kept, remains secure.
