On February 12, 2009, the Federal Trade Commission (“FTC” or “Commission”) released the staff’s final report on self-regulatory principles for online behavioral advertising.1 Commission staff indicated that they sought to strike a balance with privacy concerns raised by the practice of online behavioral advertising with its benefits when developing the principle, which were originally proposed and opened for public comment on December 20, 2007. In the report, the FTC staff express their hope the principles will further encourage the development of meaningful self-regulatory principles that include meaningful enforcement mechanisms. The report also states that the staff intends to continue its inquiry into behavioral advertising. Timed with the release of the report, Commissioners Jon Leibowitz and Pamela Jones Harbour issued concurring statements, with Commissioner Leibowitz suggesting that more rigorous self-regulation was required to avoid legislation, and Commissioner Harbour calling on the FTC to conduct a broader examination of behavioral advertising within the privacy context.

The scope of the principles covers “online behavioral advertising,” a term meaning “the tracking of a consumer’s online activities over time – including the searches the consumer has conducted, the web pages visited, and the content viewed – in order to deliver advertising targeted to the individuals consumer’s interests.”[2] As a modification from the earlier proposal, the definition now clarifies that this definition is not intended to include “first party” advertising, where data is not shared with third parties, or contextual advertising, where ads are based on a single visit to a web page or single search query. The report also states that the principles cover any data collected for online behavioral advertising that “reasonably could be associated” with an consumer or device.[3]

Self-regulatory principles outlined in the report include: (1) transparency and consumer control; (2) reasonable security and limited data retention for consumer data; (3) affirmative express consent for material changes to existing privacy promises; and (4) affirmative express consent to or prohibition against using sensitive data for behavioral advertising.

A. Transparency and Consumer Control

The principle on transparency and consumer control states that every website that collects data for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement. According to the report, this statement should inform consumers that data is being collected on the site for use in providing them with advertising about products and services tailored to their interests, and that consumers have a choice about whether their information is collected for behavioral advertising. The report also provides that websites should provide consumers with a easy-to-use and accessible method of exercising the option of whether their information is collected for such a purpose. Additionally, the report now states that companies should develop alternative methods outside the traditional website context to ensure disclosure and consumer choice when collecting data.

B. Reasonable Security and Limited Data Retention for Consumer Data

The principle on security and data retention states that any company collecting or storing consumer data for behavioral advertising should provide reasonable security. As previously proposed, the report indicates that such security should be based on the sensitivity of the data, nature of a company’s business operations, risks a company faces, and reasonable available protections. Regarding data retention, the report now indicates that a company should retain data only as long as necessary for legitimate business purposes or law enforcement needs.

C. Affirmative Express Consent for Material Changes to Existing Privacy Promises

The principle on affirmative express consent for material changes to existing privacy promises provides that a company must maintain its promises pertaining to consumer data even if the company later changes its policies. Clarifying from the proposed principle, the new principle states that affirmative express consent should be acquired from consumers before using previously collected data in a manner materially different from the promises made.

D. Affirmative Express Consent to (or Prohibition Against) Using Sensitive Data for Behavioral Advertising

The principle on affirmative express consent to or prohibition against using sensitive data for behavioral advertising states that a company may collect sensitive data only after obtaining affirmative express consent from the consumer. Staff expressed support for developing standards that define the term sensitive data.