FTC Sounds Off on Online Behavioral Advertising Privacy Issues

The Federal Trade Commission (FTC) has upped the ante in the effort to regulate consumer privacy in the online behavioral advertising space.

Not that you would guess it from the title of the FTC’s latest guidelines, which are billed as industry “self-regulatory principles for online behavioral advertising.”  However, at the very end of the FTC’s 49-page staff report is an ominous portent:  in the next year the agency will investigate industry practices and may bring enforcement actions against businesses for unfair or deceptive acts or practices and violations of other laws.  Over the past decade the FTC has brought numerous legal and administrative actions in the name of online privacy, resulting in costly cease and desist orders, fines and injunctions against online businesses for failing to disclose their privacy practices clearly, deviating from their posted privacy practices, or lacking reasonable consumer data protection measures.  Therefore, it would be a mistake to view the new online behavioral advertising principles as voluntary.

Online behavioral advertising is the practice of targeting ads to individual consumers based on data collected about their web activity, such as searches conducted, web pages visited and content viewed.  The FTC has been interested in this area for years because of the presumed invisibility of the data collection to consumers.  Also, with the increasing amount and richness of data collected by numerous sites and service providers for online advertising purposes, the potential for fraud or other harm to consumers if information falls into the wrong hands, or is merged to produce or elicit more sensitive data, grows exponentially.

In November 2007, the FTC held a two-day Town Hall meeting to discuss online behavioral advertising in a public forum.  Following that event, the FTC released for public comment draft self-regulatory principles to address privacy concerns.  Over the next few months, the FTC received over 60 comments from the online advertising industry, academics and privacy advocates, among others.  On February 12, 2009, the FTC issued revised principles which it intends to serve as the framework for industry self-regulation going forward.  The principles are summarized below, along with some practical compliance tips.  The FTC staff report can be read in its entirety here (pdf).

What Is Not Covered?

The FTC’s new online behavioral advertising principles do NOT apply to first party advertising, where the site displaying the targeted ad is the same one that collected the data and where no data is shared with third parties.  A service provider performing internal functions for the site would not count as a third party, but if the site participates in an advertising network which collects data at the site for behavioral advertising, this is considered third-party sharing.  The principles also do NOT apply to contextual advertising, where an ad is immediately displayed based on a single visit to a web page or a single search query, rather than the tracking of a consumer’s online activities over time.  (With that said, first party and contextual advertising are still governed by the FTC’s general requirements concerning privacy and data security as mentioned above.)

Not Just PII

The principles apply not only to personally identifiable information (PII), such as name, e-mail address and Social Security number, but also to data that could reasonably be associated with a particular consumer or computer or other device.  Such data includes clickstream data that could be combined with a consumer’s website registration information; individual pieces of anonymous data combined into a detailed profile that is identifiable with a particular person; and behavioral profiles that are not associated with a particular consumer, but are stored and used to deliver personalized advertising and content to a particular device.

Principle #1:  Transparency and Consumer Control

Every site where data is collected for behavioral advertising should provide a “clear, concise, consumer-friendly and prominent” notice that (1) data is being collected at the site for use in providing advertising tailored to consumers’ individual interests, and (2) consumers can choose whether or not to allow this.  The site must also provide a “clear, easy-to-use, and accessible method” for exercising this option (i.e., an opt-out).  Ironically, the FTC believes that the information and features described above should NOT appear, or appear solely, in the site’s privacy policy, since these policies may not be an effective way to communicate with consumers.  Although not required, the FTC speaks approvingly of adding a pop-up box (“why did I get this ad?”) or similar disclosure in close proximity to the ad, with a link to the section of the site’s privacy policy discussing targeted advertising.

Finally, where data collection for online behavioral advertising occurs outside of the standard website context, such as through ISPs, Web 2.0 or mobile devices, the same principles of disclosure and consumer choice will apply, so alternative methods must be developed to satisfy these principles.

Principle #2:  Reasonable Security, and Limited Data Retention, for Consumer Data

Companies collecting or storing data for online behavioral advertising must provide reasonable security.  Reasonableness is determined in light of the sensitivity of the data, the nature of business operations, the types of risk a company faces, and the protections available to it.  Companies should also retain data only as long as necessary to fulfill a legitimate business or law enforcement need.  Limited retention is key, since the FTC is eager to bring enforcement actions against companies which experience data breaches and are found to be storing consumer information for years after their relationship with the affected consumers has ended.  The FTC has also sanctioned companies which carelessly disposed of sensitive personal information, such as by tossing it into a dumpster.  If you follow negligent practices like these, you will not be able to get off the hook by playing the victim.

Principle #3:  Affirmative Express Consent for Material Changes to Existing Privacy Promises

This requirement is extremely significant because it covers not only disclosures about online behavioral advertising, but any privacy policy or notice.  If a company materially changes its privacy practices, it must obtain “affirmative express consent” (i.e., opt-in) from consumers before it may use previously collected information under the new practices.  “Material” changes are those that are likely to affect a consumer’s conduct or decisions with respect to a product or service.  Among other things, the FTC considers different uses for data collected or different types of sharing with third parties to be material changes.

As for what constitutes “affirmative express consent,” the standard privacy policy language providing that any use of the site after a modified policy is posted constitutes acceptance of the new policy clearly no longer works for previously collected data.  Instead, users must be required to take some action to consent.  According to the FTC, use of a pre-checked box indicating consent to the privacy changes is not valid consent, nor is some sort of choice mechanism “buried deep” in a lengthy privacy policy or uniform licensing agreement.  (So, yes, an extra click really is required.)

Prospective changes to a privacy policy (applying to information collected after the new policy is posted) are not covered by the affirmative express consent requirement, although the FTC mentions a need to alert repeat site visitors to the changes, such as by a prominent notice on a landing page.

Principle #4:  Affirmative Express Consent to Using Sensitive Data for Behavioral Advertising

Companies should collect “sensitive data” for behavioral advertising only after consumers opt in to receive such advertising.  Although the FTC has not provided a comprehensive definition of sensitive data, it includes financial data, data about children, health information, precise geographic location information, and Social Security numbers.  The FTC has also raised for further consideration whether certain categories of data exist that are so sensitive they should never be used for behavioral advertising.

Regulate Thyself or Else

The main take-away here is not to be fooled by the ingratiating “self-regulatory” moniker that appears dozens of times throughout the FTC staff report.  The principles discussed above are, or will soon be, industry best practices.  Outliers should be wary.  Companies collecting data for online behavioral advertising are strongly encouraged to consult their e-commerce counsel to determine whether the FTC’s principles apply to them and, if so, how to comply without jeopardizing a valuable channel for content and revenue.

——————
Andrew Baer is the founder of Baer Business Law, LLC, a Philadelphia firm focusing on e-commerce, business and technology law.
