Report May Trigger Change in Practices  

The Federal Trade Commission (FTC) staff issued a supplemental report on February 12, 2009, that finalizes its December 2007 draft Self-Regulatory Principles for Online Behavioral Advertising. The revised principles are not “regulations” per se, and are instead guidelines for best practices. The report on its face continues to support self-regulatory programs for behavioral advertising, although that support is tempered, particularly by Commissioners Jones Harbour and Leibowitz’s concurrences.  

This staff report is particularly relevant in light of its retreat from long-standing industry best practices and breadth of purported covered activities, including: 1) emphasizing the purported privacy risks associated with behavioral advertising, perhaps even higher than privacy risks associated with personally identifiable information; 2) blurring the line between privacy protections for personally identifiable information and non-personally identifiable information; 3) parlaying the threat of behavioral advertising using “sensitive information” such as health, finance, or children, to craft broad principles for the entire industry; and 4) engaging in broader policy statements such as mandating express affirmative consent for retroactive changes to privacy policies, regardless of whether the change applies to personally identifiable information and/or behavioral data.  

In particular, the staff report formally stated what had been anecdotally reported by FTC staff with respect to the transparency and control principle—i.e., traditional privacy policies likely may not constitute sufficient notice for online behavioral advertising activities. In addition, the staff report adopted a very broad and open-ended definition of PII for online behavioral advertising and indicated that sharing information within a company family falls outside of the scope of first party sharing of data and, consequently, may be included within the scope of the principles.  

Introduction

The FTC Staff Report: Self-Regulatory Principles for Online Behavioral Advertising (February 2009) contains revisions to the proposed principles, which were published for public comment in December 2007. The staff report also responds to the comments submitted by various businesses, consumer advocates, academics, and individual consumers. The majority of changes in the revised principles are intended to clarify the applicable scope of the principles as a whole and steps necessary to conform with the principles.  

While the applicable scope of the revised principles has been reduced to a certain degree, the obligations for the businesses still covered by the principles are largely unchanged with one noteworthy exception. Accordingly, the FTC has adjusted the definition of online behavioral advertising, which now covers “…the tracking of a consumer’s online activities over time – including the searches the consumer has conducted, the Web pages visited, and the content viewed – in order to deliver advertising targeted to the individual consumer’s interests. This definition is not intended to include ‘first party’ advertising, where no data is shared with third parties, or contextual advertising, where an ad is based on a single visit to a Web page or single search query.” The significant aspects of the revised principles are summarized below.  

It should be noted that the principles are not formal regulations and do not directly confer legal liability in the event of noncompliance. They are guidelines provided as suggested best practices for the advertising industry. Legal enforcement actions by the FTC in this area are primarily subject to the requirements of Section 5 of the FTC Act, which prohibits deceptive and unfair trade practices.  

Applicable Scope

In response to numerous comments critical of the broad scope of the draft principles, the staff report refined the definition of behavioral advertising in order to create narrow exemptions for two common advertising practices described below. However, the staff report staunchly maintains that the principles shall not be limited to personally identifiable information (PII).  

Non-PII  

Despite criticism that the principles impose obligations upon the collection and use of non-PII that have historically only been applied to PII, the staff report unequivocally states that the traditional distinction between PII and non-PII should no longer be determinative of privacy concerns. For example, the staff report claims that increased use of static IP addresses, anticipated as a result of the transition to Internet Protocol version 6, may render some traditional non-PII personally identifiable. Therefore, any data (PII or non-PII) “collected for online behavioral advertising that reasonably could be associated with a particular consumer or with a particular computer or device” (emphasis added) is covered by the principles.  

This focus differs from the FTC’s previous approach of looking first at what is traditionally considered to be “personally identifiable information” as a major privacy risk. The report seems to consider the ubiquitous, persistent nature of online activity to be so uniquely identifiable as to render “personal information” obsolete. Instead of focusing on whether information is defined as “personal information,” with these principles the FTC is taking the position that, even without knowing the name or e-mail address of a user, the tracking of actions over time constitutes a privacy right to which Fair Information Practices apply. This approach is similar to the European Union’s expansive definition of “personal data” in its Data Protection Directive 95/46/EC.

First Party Behavioral Advertising  

“First party” behavioral advertising is exempted from the principles. The staff report acknowledges that use of behaviorally targeted content by a Web site publisher to customize content (including advertising) to visitors on its Web site has demonstrable benefits for consumers. In addition, the staff report concedes that such customization is “within reasonable expectation of consumers.” Further, the staff report states that the direct (first party) relationship between the consumer and the Web site publisher properly equips consumers to direct complaints and seek redress if they dislike the advertising practices or feel they have been injured.  

Web site publishers may contract with third party vendors to facilitate “first party” behavioral advertising. Thus, it appears that Web site publishers can hire third party ad servers to collect and use behavioral information from visitors on the publisher’s site to serve ads to those visitors solely on that Web site. If there is further use of the data by the third party service provider, the FTC would consider that use to be behavioral advertising.  

Contextual Advertising  

Contextual advertising is exempted from the principles. The staff report acknowledges that contextual advertising is consistent with consumer expectations and provides valuable consumer benefits. However, contextual advertising is very narrowly defined as “delivery of ads based upon a consumer’s current visit to a single web page or a single search query, without the collection and retention of data about the consumer’s online activities over time.” The staff report expressly states that any time data is collected and retained “for future purposes beyond the immediate delivery of an ad or search result” it is no longer contextual advertising, and would thus not be excluded from application of the principles. This position may mean that many publisher Web sites will not be able to rely on this exclusion.  

Implementation Requirements  

Notice and Choice  

  • Disclosures Required. Consumers must be given notice and choice before the collection of any data subject to the principles. The staff report explicitly declined to state whether the choice should be opt-in or opt-out. Instead, the report explains that the choice must be “clear, easy to use, and accessible to consumers.” Since the principles unequivocally call for opt-in consent in specific circumstances, discussed in the subsequent sections, it may be reasonable to conclude that any other behavioral data collection or use may be undertaken with opt-out consent.
  • Viability of Traditional Notice and Choice Mechanisms Called Into Doubt. The staff report casts doubt upon the sufficiency of traditional privacy policies as a means of delivering notice and choice to consumers. The report states that current privacy policies may be too dense and extensive to provide proper notice. It also acknowledges that traditional billboard-style privacy policies are not readily applicable to many emerging advertising platforms, such as mobile devices, ISPs, and Web applets. Similarly, the report questions the viability of using opt-out cookies to effectuate consumer choices. The report cites concerns that consumers who delete their cookies, either directly or through the use of anti-malware applications, accidentally delete the opt-out cookies that are often used today to implement their privacy choices.
  • Preferred Disclosure Methods Remain Undetermined. Nonetheless, the staff report makes no firm recommendations for alternative methods of consumer disclosure. To the contrary, the report encourages industry to experiment with new methodologies. While this has the virtue of not imposing one regime on industry that may not be appropriate for all participants, this result also fails to provide comfort that any particular innovative disclosure methodology will be deemed acceptable by the FTC in the future, and thus increases the possibility of inadvertent violations of Section 5 of the FTC Act.  

Reasonable Security and Data Retention  

In response to criticisms regarding the expansiveness and vagueness of the security provision of the draft principles, the staff report refines the security requirements. Although the text of the security provision is unchanged, the report clarified the intent by stating that the “protections should be based on the sensitivity of the data and the nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company.” It should also be noted that the FTC has merged the data retention provision into the data security provision. The text and intent of the data retention provision remain unchanged, providing that behavioral data should only be retained as long as necessary for legitimate business and/or legal reasons.  

Affirmative Consent for Changes in Practices  

In response to criticism of the breadth of this “change in practices” provision in the draft principles, the FTC has limited it to retroactive material changes. Thus, if a company makes material changes to its data practices and wishes to apply those changes to data previously collected under different terms, it must seek affirmative (opt-in) consent from the affected consumers. Affirmative consent is not necessary for behavioral data collected after the change in practices has been effectuated and proper notice and choice (as described in the preceding sections) has been provided.  

For the purposes of this principle, material change is described as “a change in a company’s practices that, if known to the consumer, would likely affect the consumer’s conduct or decisions with respect to the company’s products or services.” Examples of such material changes include sharing data with third parties if previous privacy promises indicated that this would not be done. The staff report does not differentiate between PII and non-PII, nor does it address the question of whether this provision applies to all data uses. Read literally, this provision applies to any material change in data practices, whether behavioral data is involved or not.  

Affirmative Consent for Collection of Sensitive Information  

While acknowledging the vagueness of this provision, the staff report maintains the requirement that companies acquire affirmative consent when collecting sensitive information. The report declines to define what constitutes sensitive data. It references certain types of information as examples of sensitive data, including: medical information, financial information, sexual orientation, Social Security numbers, government ID numbers, information about children, and specific geographic locations (such as GPS coordinates). However, it does not address other potentially sensitive information, such as: political affiliations, religious affiliations, and race/ethnicity. The report encourages the advertising industry to develop further guidelines to determine the data types that should be treated as sensitive information for the purposes of this provision.  

Conclusions  

In conclusion, there are several notable elements to these revised principles:

  • The FTC appears to be moving toward an approach to data privacy similar to Europe’s, where forms of non-PII that might be used to identify an individual person (or an individual machine connected to the Internet), even if not specifically named, are subject to the same restrictions as traditionally-defined PII. In the long run, this could have ramifications beyond behavioral advertising.
  • Sentiment among the FTC Commissioners is leaning toward formal regulation or legislation if this round of self-regulatory efforts does not meet their expectations for protecting consumer interests.
  • The “first party” and contextual advertising exceptions are very narrowly crafted and may provide limited, if any, relief for many Web site operators and advertisers.
  • The value of traditional billboard-style privacy policies is significantly undermined, though the staff report does not provide any particular alternatives.