Behavioral targeting is the practice of selecting and presenting advertising to Internet users based on their presumed interests as deduced from "clickstream" data recording the websites they visit and the webpages they view. Online advertising practices in general, and behavioral targeting in particular, remain the subject of policy debate. The Federal Trade Commission (FTC), which in November 2007 hosted a "town hall" meeting to study the subject, is expected to issue its findings and proposed next steps soon.

Issues in Play

As our December 2007 Privacy In Focus article on the FTC event (www.wileyrein.com/ftc_town_hall) reported, consumer advocates have expressed concern over the perceived lack of knowledge, notice and awareness of how advertisers may use personal information in online marketing. Proponents noted that unlike offline companies these advertisers publish their privacy policies online, and they emphasize the importance of higher valued targeted advertising in supporting the widespread availability of desirable free Internet content.

In the year since, the issue has continued to simmer. Federal policymakers have continued to express concerns about how advertisers use personal information of Internet users to target advertising, and also about the extent to which users are aware of the practice. The new Congress likely will take a renewed interest in online advertising practices. To spur matters along, consumer groups recently filed a complaint with the FTC seeking a wide-ranging inquiry into online mobile advertising practices (see the related story in this issue).

A large gulf exists between the marketing industry and consumer advocates. At the heart of the issue is a concern that users of Internet services are not sufficiently aware of the data collection practices that may occur on websites or of the use of those data in selecting and delivering advertising. A related issue reflects a belief among some that a person's online browsing tendencies are not only "private" but may also constitute "property" that should be legally protectable in some way—because, in short, "they" are using "my" information to make money.

The Updated NAI Code

In December, the Network Advertising Initiative (NAI) weighed in by issuing an updated version of its Self-Regulatory Code of Conduct for Online Behavioral Advertising. The NAI consists of companies providing online advertising services. The updated guidelines build on an earlier set of guidelines issued in 2001, which constituted an attempt to establish "best principles" for the conduct of network advertisers. Even more recently, four more marketing groups—the American Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association and the Interactive Advertising Bureau—announced in January that they were discussing self-regulatory proposals based on the FTC's proposed principles, but no details yet have been announced.

The 2008 principles in part respond to new forms of Internet services and advertising models unknown in 2001 and to the emergence of new business models, and also undoubtedly reflect some sensitivity to the ongoing debate over targeting.

The revised NAI guidelines are intended to apply in situations in which data are collected across more than one Internet domain owned or operated by different companies, where those data are used to categorize likely consumer interests for use in selecting and presenting online advertising. The NAI approach emphasizes "clear and conspicuous" notice as to both the NAI members' practices and the need for those to be made known on the websites within their advertising networks. They also describe the situations in which consumers are to be given a choice as to whether data may be collected, and whether that choice should require an affirmative ("opt-in") or negative ("opt-out") act.

Code Adherents' Duties

NAI's new guidelines require member companies to take several actions to improve the notice provided to website users. First, NAI member companies collectively are to maintain an NAI website that serves as a "centralized portal" offering explanations of online behavioral advertising; the companies' compliance with the NAI principles, and consumer education.

Second, each member company shall "clearly and conspicuously" post a notice on its website that describes its data collection, transfer and use practices. The notice should include a description of the types of data collected by the company, how the data is used, whether the data is transferred to third parties and the extent to which personally identifiable information (PII) will be merged with non-personally identifiable information. Members should also provide an easy method to opt-in or opt-out with respect to such data use. Finally, the member should clearly disclose how long it will retain data.

Few consumers, however, visit the websites of NAI member companies, because these companies provide their advertising services across websites operated by others. For this reason, some have expressed concern that the notices are rarely viewed. To address this criticism, each NAI member company must require each website on which it provides advertising services to post a clear and conspicuous notice disclosing that the advertising is occurring, the types of data being collected and how the data is used, and providing a conspicuous link to the NAI member company's "opt-in" or "opt-out" choice mechanism. In addition, NAI members are, by contract, to require that any third parties to which they provided PII for online advertising adhere to the NAI code.

"Opt-in" or "Opt-out"

Perhaps most importantly, the NAI principles attempt to define when an "opt-in" or "opt-out" choice should be made available to consumers. They do so through a definition of PII. PII includes a name, address, telephone number, email address, financial account number, government-issued identifier and (broadly) any other data used to identify, contact or "precisely locate" a person.

Where non-PII is collected across multiple unaffiliated websites and used to categorize uses for advertising purposes, the NAI principles call for "opt-out" choice. This is the original paradigm of network advertising. The theory is that privacy interests warrant only an "opt-out" approach because no PII is used or collected.

In contrast, where PII is to be merged with non-PII on a going-forward basis for online advertising purposes, more "robust" notice is to be provided at the point at which data are collected. However, "opt-out" choice must be offered, because no personal information has been collected, and the consumer can prevent the use of identifiable information from the outset.

However, in the reverse situation—in which PII is to be merged with previously collected non-PII—the NAI principles call for "opt-in" consent at the time the PII is collected. "Opt-in" consent is required in all cases when sensitive information is collected (including Social Security Numbers, financial and insurance account numbers, "precise" real-time location and health information).

Finally, NAI members shall provide reasonable access to PII while providing reasonable security for that data, and retain data only for so long as there is a legitimate business need or as required by law.

Enforcement is a matter of self-regulation, although companies that represent that they comply with the NAI principles may be subject to enforcement actions by the FTC or state authorities if those representations are found to be false or deceptive.