The Federal Trade Commission (“FTC” or “Commission”) announced on December 20, 2007 a staff proposal regarding online behavioral advertising privacy principles. These principles were issued at the same time that the FTC closed its antitrust review of the Google acquisition of Double Click. These draft self-regulatory principles also follow a two-day FTC workshop at the beginning of November 2207 that focused on privacy issues related to online “behavioral advertising.” The Commission issued these principles with a stated purpose of encouraging the development of meaningful self-regulatory principles that will address the privacy concerns raised from behavioral advertising. Specifically, the Commission indicated that the principles respond to concerns with consumer awareness of behavioral advertising practices, vulnerability of consumer data, and the level of transparency tied to behavioral advertising.
Invitation to Comment
The Commission seeks comment on the specific proposed principles. In addition, the Commission invites comment on uses of tracking data for purposes other than behavioral advertising. The Commission specifically requests comment on:
- Whether secondary uses of tracking data raise concerns;
- Whether companies are using tracking data for secondary purposes;
- Whether the concerns about secondary uses are limited to the use of personally identifiable data or also extend to non-personally identifiable data; and
- Whether secondary uses merit some form of heightened protection.1
The original due date for submitting comments on the proposal is February 22, 2008, but the Commission has indicated that the date will likely be extended.
Staff’s Proposed Principles
This proposal, as drafted, encompasses a very broad set of business practices. The Commission has indicated that these principles are meant for discussion purposes and that the scope of the principles could be revised going forward. Also, the Commission defines the term ‘behavioral advertising’ as “the tracking of a consumer’s activities online, including the searches the consumer conducted, web pages visited, and the content viewed, in order to deliver advertising targeted to the individual consumer’s interest.”
Set forth below are the proposed principles.
1. Transparency and consumer control
- Every website where data is collected for behavioral advertising should provide a clear, c oncise, consumer-friendly, and prominent statement that (1) data about consumers’ a ctivities online is being collected at the site for use in providing advertising about products a nd services tailored to individual consumers’ interests, and (2) consumers can choose w hether or not to have their information collected for such purpose. The website should a lso provide consumers with a clear, easy-to-use, and accessible method for exercising t his option.
2. Reasonable security, and limited data retention, for consumer data
- Any company that collects and/or stores consumer data for behavioral advertising should provide reasonable security for that data. Consistent with the data security laws and the F TC’s data security enforcement actions, such protections should be based on the s ensitivity of the data, the nature of a company’s business operations, the types of risks a c ompany faces, and the reasonable protections available to a company. Proposed Principle:
- Companies should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need. FTC staff commends recent efforts by some industry members to reduce the time period for which they are retaining data. However, FTC staff seeks comment on whether companies can and should reduce their retention periods further.
3. Affirmative express consent for material changes to existing privacy promises
- As the FTC has made clear in its enforcement and outreach efforts, a company must keep any promises that it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date. Therefore, before a company can use data i n a manner materially different from promises the company made when it collected the data, i t should obtain affirmative express consent from affected consumers. This principle would apply in a corporate merger situation to the extent that the merger creates material changes in the way the companies collect, use, and share data.
4. Affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising
- Companies should only collect sensitive data for behavioral advertising if they obtain a ffirmative express consent from the consumer to receive such advertising. FTC staff seeks specific input on (1) what classes of information should be considered sensitive, and ( 2) whether using sensitive data for behavioral targeting should not be permitted, rather than subject to consumer choice.