In December, 2007, Federal Trade Commission staff issued proposed principles for online behavioral advertising. Last week, the Commission staff issued a report (approved by the Commission) that includes slightly revised principles for online behavioral advertising and some specific suggestions for companies engaged in these practices.
The principles are part of a self-regulatory program which, the FTC admits, is still a work in progress. And with a new administration in Washington, it's not clear if the FTC will continue to support a self-regulatory program or switch gears and encourage Congress to enact legislation in this area. Moreover, the principles are guidelines and do not affect the obligation of any company - whether or not its advertising is covered by the principles - to comply with all applicable state and federal law.
In preparing the revised principles, the FTC staff examined consumer expectations regarding behavioral advertising practices; whether such practices are transparent; the potential for consumer harm; and "the need to maintain vigorous competition in the online marketplace and avoid stifling innovation."
In general, the revised principles follow the earlier principles in suggesting that web sites:
- disclose their data collection practices tied to online behavioral advertising;
- disclose that consumers can opt-out of these practices and provide a mechanism for opting out;
- provide security for consumer data and retain it only as long as necessary;
- obtain affirmative express consent before using sensitive consumer data.
The most significant change in the revised principles is that they do not apply to "first party" advertising, i.e., behavioral advertising by and at a single website where no data is shared with third parties, or to "contextual advertising," i.e., where an ad is based on a consumer's current visit to a single web page or single search query and where no consumer data is retained beyond the immediate delivery of the ad or search result.
Below is a more detailed discussion of the FTC staff's report and revised principles.
Scope of the Principles
The report defines online behavioral advertising as "the tracking of a consumer's activities online over time - including the searches the consumer has conducted, the web pages visited, and the content viewed - in order to deliver advertising targeted to the individual consumer's interests."
The revised principles narrow their scope by clarifying that this definition "is not intended to include 'first party' advertising, where no data is shared with third parties." Examples of "first party" data collection and use include product recommendations, tailored content, shopping card services, fraud detection and security. The principles also do not apply to "contextual advertising," where an ad is based on a single visit to a web page or single search query. The FTC staff cautioned that it construes "contextual advertising" narrowly and that if data is retained for future use, the marketer is not engaging in contextual advertising.
The FTC staff declined to limit the scope of the principles by having them apply only to personally identifiable information (PII); instead, having determined that "the traditional notion of what constitutes PII versus non-PII is becoming less and less meaningful," the Commission staff suggested that the principles apply to "any data collected for online behavioral advertising that reasonably could be associated with a particular consumer or with a particular computer or device." Such data can include "clickstream data that, through reasonable efforts, could be combined with the consumer's website registration information; individual pieces of anonymous data combined into a profile sufficiently detailed that it could become identified with a particular person; and behavioral profiles that, while not associated with a particular consumer, are stored and used to deliver personalized advertising and content to a particular device."
The Four Principles
The revised principles are the same as those issued in 2007: (1) transparency and consumer control, (2) reasonable security and limited data retention for consumer data, (3) affirmative express consent for material changes to existing privacy promises, and (4) affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising.
The revised first principle retains the same guidance: web sites should provide a clear, prominent, consumer-friendly disclosure that (1) data is being collected to provide advertising tailored to an individual's interests, and (2) consumers can choose whether or not to have their information collected for this purpose. Web sites should also provide consumers with a clear, easy to use method for opting-out.
The guidance relating to the second principal also remains the same: any company that collects and/or stores consumer data for behavioral advertising should provide reasonable security for that data and should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need. The type of protections afforded consumer data should be based on the sensitivity of the data, the nature of the company's business operations, the types of risk a company faces, and the reasonable protections available to a company.
The fourth principle remains the same: companies should obtain affirmative, express consent before using sensitive data. Although the FTC declined to specifically define the term sensitive data, in the commentary the Commission staff stated that it includes financial data, data about children, health information, precise geographic location information, and Social Security numbers.
The report describes several developments that have taken place since the proposed principles were issued in 2007, such as revised guidelines released by the Network Advertising Initiative, Google's and Yahoo's announcements that they would retain data for shorter amounts of time, technological improvements that allow consumers to configure their browser so that browsing and searching histories are not saved, and industry educational programs to inform consumers about online tracking. However, the FTC staff thinks that industry needs to do more, especially in the area of enforcement. In the report, the FTC staff called upon industry to redouble its efforts in developing self-regulatory programs and to ensure that any such programs include meaningful enforcement mechanisms. The FTC staff stated that "self-regulation can work only if concerned industry members actively monitor compliance and ensure that violations have consequences." The FTC staff stated that it would continue to monitor the development of self-regulatory programs and conduct investigations, where appropriate, to determine if online behavioral advertising practices violate Section 5 of the FTC Act.
A copy of the FTC's report is available here: