On February 12, the Federal Trade Commission (FTC) released the long-awaited Staff Report on Self-Regulatory Principles for Online Behavioral Advertising. The report (www.ftc.gov/os/2009/02/P085400behavadreport.pdf) clarified and, to some extent, narrowed the draft principles on the topic released by the FTC staff in December 2007. At the same time, the report also expressed ongoing concern about certain issues. Unfortunately, while the staff indicated that it would consider bringing enforcement actions, it did not provide guidance in areas where the lines between lawful and unlawful conduct are not well defined.

The FTC staff report imposes no legal obligations and does not have the status of a rule or regulation. However, the report provides insights into the type of business activities that are of concern to the FTC staff, and thereby sheds light on the types of business practices that are likely to attract staff attention in future enforcement actions. Persons interested in the evolving public policy debate regarding behavioral targeting and online advertising issues should also consider a number of other recently issued pronouncements, as summarized in the related story in this issue.

The report tracks the format of the proposed draft Principles and makes the following modifications:

  • Definition of Behavioral Advertising. The report clarifies that two behavioral marketing practices arguably within the scope of the original definition are no longer included and, therefore, no longer subject to the Principles themselves:
    • "First party" advertising—"behavioral advertising by and at a single website;" and
    • "Contextual" advertising—"advertising based on a consumer's current visit to a single web page or a single search query that involves no retention of data . . . beyond that necessary for the immediate delivery of an ad or search result." The contextual advertising exception is narrow. As written, the report seems to take the position that the retention of any data would constitute behavioral targeting if used to select and deliver a contextual ad. Where a first-party site retains data, arguably the first exception would apply, but this is not entirely clear.

Moreover, the report breaks some new ground (at least in the United States) in stating expressly that the principles apply not only to the collection and use of personally identifiable information (PII) but also to "any data collected for online behavioral advertising that reasonably could be associated with a particular consumer or with a particular computer or device." In other words, the FTC staff appears to be abandoning the concept that PII is distinct from non-personally identifiable information (non-PII), and instead, the two may blur. The FTC staff stated: "in the context of online behavioral advertising, the traditional notion of what constitutes PII versus non-PII is becoming less and less meaningful and should not, by itself, determine the protections provided for consumer data." Developments in technology are easing the identification of individual consumers based on information that, in years past, may have been considered non-PII. In addition, data that are not identifiable in and of themselves may become PII when linked by a common identifier.

  • Transparency and Control. The report clarifies that where behavioral marketing occurs "outside the traditional website context" (e.g., on a mobile phone), "companies should develop alternative methods of disclosure and consumer choice" that comply with the Principles' requirement that consumers be informed when data is being collected and how it will be used. The FTC staff believes not only that traditional privacy policies are too long and complex, but also that consumers using devices other than computers cannot reasonably be expected to read them. In practice, this means, for example, that the disclosure of data collection on a mobile phone should be appropriate to a "small screen" instead of the PC "big screen."

Unfortunately, the FTC staff report offers no real guidance as to what alternative form of notice might prove acceptable. Accordingly, industry is on its own to devise new ways of providing notice, and bears the risk that the agency staff may find that new forms of notice are insufficient.

  • Reasonable Security, and Limited Data Retention, for Consumer Data. The staff report recommends that "companies should . . . retain data only as long as is necessary to fulfill a legitimate business or law enforcement need." Thus, the staff has conflated data retention with data security. The recommendation, however, is consistent with other recent recommendations from other regulators on this topic.
  • Affirmative Express Consent for Material Changes to Existing Privacy Promises. The staff report takes the position that a company should obtain "affirmative express consent" from its customers where it makes a change in the use of "previously collected" data. This is consistent with the full Commission's enforcement action against Gateway Learning Corporation a few years ago. In re Gateway Learning Corp., FTC File No. 042-3047 (proposed Consent Order announced July 7, 2004) (discussed at www.wileyrein.com/ftc_sanctions). The phrasing of this Principle originally proposed in December 2007 suggested that companies might need to obtain affirmative express consent whenever they changed their data collection practices. The new phrasing makes clear that affirmative express consent should be obtained only where the change in a data collection practice is "material" and "retroactive," meaning that it impacts the use of data previously collected under a different understanding with the customer.
  • Affirmative Express Consent to (or Prohibition Against) Using Sensitive Data for Behavioral Advertising. The report did not change this Principle but clarified that the FTC continues to believe that "affirmative express consent" is warranted before collecting or using "sensitive data" and indicated that "sensitive data" includes, but is not limited to, "financial data, data about children, health information, precise geographic location information, and Social Security numbers."

Overall, the FTC staff report continued to express the agency's decade-old support for industry self-regulation in this area, although passages in the report suggest that the staff may expect to take a more proactive enforcement role. However, patience with industry may be wearing thin. Two of the FTC's current commissioners—Commissioner Jones Harbour and newly designated Chairman Leibowitz—issued statements on the release of the report suggesting that more formal regulation or legislation would be in order if industry practices do not begin to conform more closely to the staff recommendations.