Click for a summary of the U.S. Senate Commerce Committee's July 9, 2008 hearing on this topic.

Background

Advertising is the backbone of the internet and at the core of most digital monetization models. This is particularly true for social networking sites. The ability to efficiently deliver and target advertising to users is becoming increasingly critical to the success of web sites that depend on advertising for their monetization models. While web sites such as MySpace and Facebook increasingly captivate the imaginations (and eyeballs) of consumers, difficulties have erupted in recent months when social networking sites introduce targeted advertising into the slate of services provided to users.

For example, Google’s recent announcement that it is contemplating the use of user search queries to target advertising (in contrast to the company’s prior public position that it would not use cookies to target advertising) has electrified the blogosphere. Similarly, the inauguration of Facebook’s Beacon program last fall (that broadcast a user’s purchases to their network of friends, using a little understood “opt-out” procedure) caused over 50,000 Facebook users to sign a petition calling for elimination of the program and spawned two class action lawsuits for alleged privacy violations. More consumer reactions should be anticipated as an increasing number of online companies have announced intentions to expand “ehavioral” advertising. For example, AOL recently acquired behavioral targeting firm Tacoda, and Microsoft has similarly reported plans to target ads beyond its own network.

In late June 2008, the Department of Justice announced a formal probe into the antitrust and privacy implications of behavioral advertising deals, reportedly intending to use the Yahoo – Google proposed advertising as one of its prospective case studies.

What is behavorial or “ehaviorial” advertising exactly and why is it at the center of a current debate between advertisers and privacy advocates? Ehavioral advertising has been described recently by the FTC as “the process of tracking consumers’ activities online to target advertising.” It often (but not always) includes a review of the searches consumers have conducted, the Web pages visited, the purchases made, and the content viewed – in order to deliver advertising tailored to an individual consumer’s interests. The B2B backend technology that is required (e.g., the creation of user advertising profiles for specific computer addresses) to effectuate ehavioral advertising and innovations in technologies to deliver advertising have fueled a renewed debate over ehavioral advertising and the ways in which it may arguably pit users’ privacy interests against the core advertising-based monetization model of the internet. On the one hand, the growth of the internet is premised upon obtaining advertising revenue that drives free Web content and other benefits for consumers (i.e., free access to news reports). On the other hand, according to the FTC, consumers remain largely oblivious to the processes necessary to effectuate targeted advertising and this has raised new regulatory questions regarding privacy concerns.

Recent efforts by trade associations, regulators, and legislators to develop rules of engagement for ehavioral advertising demonstrate the growing tension between privacy, transparency, and online advertising.

Regulatory Developments

For now, the protocol governing behavioral advertising remains self-regulatory. Many advertising organizations have self-regulation models for behavioral advertising. In light of recent consumer concerns raised regarding privacy, last year the Federal Trade Commission (“FTC”), and the Network Advertising Initiative (“NAI”), one of the leading organizations for online advertisers, issued updated self-regulatory principles in the behavioral marketing area. The key points are summarized below.

FTC’s Proposed Self Regulatory Guidance

On November 1-2, 2007, the Federal Trade Commission (“FTC”) held a town hall meeting titled “Ehavioral Advertising, tracking, targeting and technology.” Although the FTC had previously developed a guidance on behavioral advertising in 2000, it believed that innovations in technology and ad targeting methods necessitated updates. The stated purpose of the November 2007 workshop was to examine:

“[H[ow the online advertising market, and specifically behavioral advertising, has changed in recent years, and what changes are anticipated over the next five years. Among other things, it will examine what types of consumer data are collected, how such data are used, what protections are provided for that data, and the costs and benefits of behavioral advertising to consumers. The Town Hall will also address what companies are disclosing to consumers and what consumers understand about the online collection of their information for use in advertising.”2

Following the town hall, on December 20, 2007, the FTC proposed updates to its self-regulatory principles for behavioral advertising in a new document, titled “ONLINE BEHAVIORAL ADVERTISING: MOVING THE DISCUSSION FORWARD TO POSSIBLE SELF-REGULATORY PRINCIPLES: STATEMENT OF THE BUREAU OF CONSUMER PROTECTION PROPOSING GOVERNING PRINCIPLES FOR ONLINE BEHAVIORAL ADVERTISING AND REQUESTING COMMENT”. The key features of the FTC’s new guidance include focus in the following areas:

Transparency: The guidance requires a clear and concise statement that the users’ online activities are being collected at the site for use in providing advertising about products and services tailored to the individual consumer; and notification to consumers that they can choose whether or not to have their information collected for such purposes.

Reasonable security: Without providing fixed rules on the nature of security necessary, the guidance calls for reasonable security measures under the circumstances. It also calls for limited data retention (“only as long as necessary to fulfill a legitimate business or law enforcement need”).

Affirmative express consent is recommended for the following areas:

  • For material changes to existing privacy promises.
  • Collection and use of sensitive data for behavioral advertising.

Requests for More Information:

  • The FTC also called for comment on what types of information should be considered “sensitive” while recognizing that health conditions, sexual orientation and children’s online activities are generally considered “sensitive.”
  • It also requested greater information regarding possible secondary use of tracking data. Privacy advocates claim that secondary use of tracking data is a major privacy concern. The FTC wished to find out greater information regarding the types of secondary uses for behavioral tracking data (e.g., for research and development of new products), and the additional privacy implications, if any of same.

The FTC received over 60 comments from advertisers, content providers, and public interest groups. For example, the Direct Marketing Association (“DMA”) criticized the guidance as “exceeding” current self-regulatory practices by calling for consumer choice for “collection” of information for behavioral advertising rather than “use” of the data. The DMA also believed that affirmative consent to material changes in privacy policies advocated by the FTC should be limited to material changes involving third party uses of personal information for behavioral advertising and not all privacy policies. In addition, several other commentators noted the current lack of a definition of “sensitive data.” Others differed on whether consumers should be allowed to opt-in, rather than opt-out of behavioral advertising. The comments further highlight the tension between companies that believe that this type of advertising delivers a better, richer and more focused Internet consumer experience, and privacy advocates that are continuously pushing for greater governmental oversight to ensure the protection of privacy rights.

NAI’s Self Regulatory Guidance

The NAI is comprised primarily of third-party online behavorial advertisers such as Tacoda (recently acquired by AOL), Double Click (acquired by Google in 2007) and Yahoo! The NAI defines online behavorial advertising (“OBA”) as “any process used whereby data is collected across multiple web domains owned or operated by different entities to categorize likely consumer interest segments for use in online advertising.”3

In December 2007, perhaps in reaction to the FTC’s increased interest in ehaviorial advertising, the NAI released proposed updates to its existing self-regulatory standards titled, “2008 NAI PRINCIPLES: THE NETWORK ADERTISING INITIATIVE’S SELF REGULATORY CODE OF CONDUCT FOR ONLINE BEHAVIOR ADVERTISING” (hereinafter the “NAI 2008 Principles”). The NAI 2008 Principles update the NAI’s original behavioral advertising guidance (issued in 2000).

The NAI 2008 Principles were proposed to address new types of ehavioral advertising involving “robust uses of user data that raise distinct issues potentially justifying higher standards of notice and choices” –far beyond those raised by routine display advertising. Id. at p. 4. Some of the key features of the NAI 2008 Principles include:

Transparency: The NAI 2008 Principles contemplate a NAI web site acting as a centralized portal that explains the various types of behavioral advertising and provides links to consumer mechanisms for choice.

Notice: The NAI 2008 Principles provide guidance for clear and conspicuous notice to consumers (on the advertising network’s site as well as the individual web sites on which the ads are published) which explain:

  • the types of personally identifiable (“PII”) and non-PII collected;
  • what PII and non-PII may be merged and what, if any, merged data will be transferred to third party advertising networks;
  • what PII may be shared with third-party advertising networks; and clear mechanisms for opt-in and opt-out;
  • the approximate length of time the data will be maintained.

Choice: The NAI 2008 Principles require the following types of consumer consent:

  • Opt-out For use of non-PII for OBA purposes.
  • Opt-out With Robust Notice4 For use of non-PII to be merged prospectively with PII for OBA purposes.
  • Opt-in For use of PII to be merged with previously collected non-PII (retrospective merger) for OBA, with an opt-in mechanism in place at the time the PII is collected online, or if collected offline then the first time used online.
  • Opt-in For OBA directed at “restricted consumer segments.” Restricted consumer segments are defined as those that rely only on non-PII for targeted marketing based on specified categories (e.g., certain medical/health conditions or other types of personal life information).

Definition of Restricted or Sensitive Consumer Segments: Unlike the FTC Guidance that does not define “sensitive data,” and instead looks to public comment for same, the NAI clarifies the definition of "sensitive" consumer data to include5:

  • Certain medical/health conditions: HIV /AID status, sexually related conditions, psychiatric conditions, cancer status, and abortion-related matters.
  • Certain personal information: Sexual behavior/orientation identity (e.g. lesbian/gay/bisexual/transgender); and criminal victim status (e.g., rape victim status).

Potentially restricted or sensitive consumer segments under certain undefined circumstances: The NAI 2008 Principles also outline potential areas that may be considered restrictive or sensitive segments, depending upon the type of OBA and use of the potentially sensitive information. They include the following areas:

  • age/birthdate, addictions (e.g., drug, alcohol), criminal history, alienage or nationality, death, disability, ethnic affiliation, martial status, philosophical beliefs, political affiliations or opinions, pregnancy, race identification, religious affiliation (or lack thereof), and trade union membership.

Limitations:

  • Prohibiting the creation of behavioral advertising segments specifically targeting children under the age of 13
  • Prohibiting OBA marketing directed at sensitive consumer segments- i.e., those that rely on PII for targeted ads based on those segments. These are the same categories as “restricted consumer segments” but restricted segments are permissible for OBA because they rely on non-PII.
  • Prohibiting merger of non-PII with PII for use in OBA, if non-PII was collected under a privacy policy that indicated such merger would never occur.

Enhancing data security requirements:

The NAI 2008 Principles call for use of reasonable data security measures as appropriate for the data at issue.

The NAI recently asked for public comment on the NAI 2008 Principles. The NAI Board is considering the feedback and will make final decisions about appropriate updates shortly.

Legislative Developments

In addition to regulatory developments, legislative bodies across the country have reacted to the privacy concerns raised by opponents of online behavioral advertising.

New York’s Ehavioral Advertising Bill – Died But Will Be Introduced Again in 2009.

On June 19, 2007, New York’s behavioral advertising bill titled “Third Party Internet Advertising Consumer's Bill of Rights Act of 2008” bill was introduced. The bill would have established limitations with respect to how third party online advertisers collect and use information concerning the online behavior of consumers. The bill required third party advertisers and the web sites that publish their ads to provide notice to consumers regarding the types of information collected by third party advertisers and methods for consumers to opt-out of third party advertising/profiling activity. It also would have banned companies from collecting personal information like names or addresses without users' consent. The law cleared several hurdles in the New York Assembly, but on June 26, 2008, it was reported that the bill did not advance to the floor for a vote. According to the bill’s authors, it will be resubmitted in January 2009. 

Connecticut Ehavioral Advertising Bill – Passed the General Law Committee Vote and is Awaiting Full Vote and Passage.

On March 25, 2008, Connecticut’s General Assembly approved the Connecticut behavioral advertising bill (H.B. Bill 5765) titled "An Act Concerning Online Advertising & Privacy". If it passes and takes effect on October 1, 2008, the bill would require third-party advertising networks to post notice about the their data collection practices and how they use data collected to: (1) provide advertisements to third-party internet web sites; (2) report statistics about activity on a web site; (3) track the number of advertisements delivered to particular web sites; and (4) collect personally or non-personally-identifiable information about separate visits to a web site by a consumer or web browser; and (5) the approximate length of time that the information will be retained.

Massachusetts has a similar bill under consideration. More states can be expected to focus on online advertising in the future.

Federal Legislation on the Horizon

Federal lawmakers are also looking into online advertising. On July 9, 2008, the Senate Committee on Commerce, Science, & Transportation will hold a hearing on Privacy Implications of Online Advertising. The Committee will consider the current state of the online advertising industry and that market’s impact on users’ privacy. Witnesses will focus on the key factors driving online behavioral advertising, the methods of online behavioral advertising employed by industry, and the protections the FTC and the Federal Communications Commission (FCC) should adopt to protect consumers from unwanted or unnecessary invasions of their privacy.

In addition, Reps. Ed Markey (D-Mass.) and Joe Barton (R-Texas) recently investigated whether Internet service providers violate subscribers' privacy by sharing data about their web surfing activity to ad firms. They sent a letter to Charter about its plan to share data with NebuAd. On June 24, 2008, Charter delayed its plan.

The DOJ’s recent announcement that it has opened a probe into behavioral advertising activities is a further indication that federal involvement will be forthcoming.

Conclusion

With all of this attention, there will continue to be significant controversy and scrutiny of privacy issues related to online behavioral advertising. Online behavioral advertising, like all advertising, should be analyzed to ensure it is in compliance with applicable law.