Online behavioral advertising, also known as targeted advertising, is reportedly more than twice as effective in converting users to buyers as traditional online ads, and generates twice as much revenue per ad. The benefits to advertisers from targeted advertising are clear, but consumers also receive benefits, including greater shopping efficiency and more targeted information about desirable products and services. However, targeted advertising raises privacy concerns – and new legislation in California, along with increased regulatory enforcement and class action litigation elsewhere in the country, makes it imperative that companies take these concerns seriously.
In California, a recently enacted amendment to the California Online Privacy Protection Act requires companies to include information about how they respond to “Do Not Track” signals, as well as other new information about their collection and use of personally identifiable information (PII). The amendment, which was signed by the California governor on September 27, 2013, establishes a de facto disclosure standard for online tracking. Companies will have to update their privacy policy to conspicuously disclose how they deal with, and respond to, Web browser Do Not Track (DNT) signals, or other mechanisms regarding the collection of personal information about an individual consumer’s online activities over time and across third-party Web sites or online services, to the extent the operator engages in that collection. In addition to this DNT notice obligation, the law also requires Web site and online service operators to “[d]isclose whether other parties” collect PII regarding a consumer’s “online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.”
The new law prescribes that operators can satisfy this disclosure requirement by “providing a clear and conspicuous hyperlink” in their privacy policies that links to an online location containing a description “of any program or protocol the operator follows that offers the consumer” the choice to opt out of internet tracking. Because the new law does not prohibit tracking, it has been described as a transparency proposal, and not a DNT proposal.
The legislative analysis of the law states that its purpose is to “increase consumer awareness of the practice of online tracking by websites and online services, such as mobile apps [and] will allow consumers to learn from a website’s privacy policy whether or not that website honors a Do Not Track signal [which] will allow the consumer to make an informed decision about their use of the website or service.” Although, as the California Attorney General noted, all major browser companies offer DNT browser headers giving consumers a choice not to be tracked, “[t]here is, however, no legal requirement for sites to honor the headers.” Thus, because Web sites are free to disregard such DNT selections by consumers, consumers would not know whether or not their selection is honored unless the Web site provides them with such notice. The new law mandates providing users with the requisite notice.
Companies will be deemed to be in violation of the proposed law if they fail to add the disclosure provisions to their privacy policies. Companies that do not clearly explain these practices will receive a warning and be given 30 days to comply with the requirements. Lawsuits arising from claimed violations of this amendment, along with other requirements of the law, can be brought by the California Attorney General or private litigants.
California has some of the strictest privacy laws in the country, and more often than not sets the privacy standards around the country. But these issues are not limited to California. Elsewhere in the U.S., the plaintiffs’ bar has already stepped up class action activity based on behavioral tracking. Commencing in late 2010, the plaintiffs’ bar filed a series of behavioral tracking cases against cable companies providing internet services, and other putative class action complaints were filed thereafter against online retailers and financial institutions. More recently, in June 2013, the Seventh Circuit Court of Appeals in Harris v. comScore allowed the largest class action case in history, with potentially millions of class members, to proceed against an online data research company in a behavioral tracking case. Regulatory enforcement regarding behavioral tracking has also increased. Last year, for example, the FTC issued a record $22.5 million civil penalty against Google for tracking in contravention of privacy settings set by users using Safari.
The message is clear. Every company that engages in behavioral tracking – whether by means of a Web site, online service, or mobile app – and whether or not that organization is based in California, should review its privacy, data collection and data tracking policies, and should consider updating them in order to stay ahead of these legislative, regulatory and litigation trends.