Last week, the Federal Trade Commission (FTC) released revised self-regulatory principles ("the Principles") for online behavioral advertising—described as "tracking of consumer's online activities to deliver tailored advertising"—and continued to endorse self-regulation, at least for now. The key revisions to the Principles include: (1) refining the scope of information and practices covered; (2) clarifying that data retention requirements should be considered part of a reasonable security program; (3) clarifying when affirmative express consent is necessary for material changes to privacy promises; and (4) allowing for use of sensitive data for behavioral advertising with affirmative express consent.

Even with these changes, which were issued on Feb. 12, 2009, two FTC commissioners wrote separately to express their skepticism that self-regulation would work at all. Indeed, Commissioner Leibowitz noted in his opinion that this may be the "last clear chance" for the industry to demonstrate that self-regulation is the best approach in this area.

Among the most important discussions in the report—and the area that was the subject of most comments—is the scope of the Principles. Notably, staff has indicated that the Principles should apply to both personally identifiable and non-identifiable data. However, the Principles exclude so-called "first party" and contextual behavioral advertising, providing guidance on how those terms should be interpreted. Also, the report offers guidance on the important issue of treatment of affiliated sites or sites under common ownership or control, noting that whether data sharing among such sites would fall within the exclusion for "first party" behavioral advertising activities should be evaluated from the perspective of the consumer.

With respect to the Principles, the first principle—transparency and consumer control—remains unchanged. The report encourages the development of alternative mechanisms for notice and choice for other business models (e.g., mobile and Internet service provider). Regarding the second principle—reasonable security and limited data retention—the report continues to support a requirement for reasonable security and clarifies that this would include retaining data only as long as it is needed to fulfill a legitimate business or law enforcement need. As to the third principle regarding material changes, the report clarifies that its focus is on material changes that are retroactive—that is, material changes to a privacy policy that affect previously collected information. Finally, rather than a per se prohibition, under the sensitive data principle, companies would obtain affirmative express consent before collecting sensitive data.

In terms of next steps, the report notes that, during the coming year, Commission staff will (i) evaluate the development of self-regulatory programs and the extent to which they serve the goals of the Principles; (ii) conduct investigations, where appropriate, to determine if practices violate deceptive practices or other laws; and (iii) meet with stakeholders to follow changes and find opportunities to use its research tools to explore developments in this area. In addition, the staff will explore whether to revise the Principles to cover secondary uses of data—use of tracking data for purposes other than behavioral advertising.

The report also encourages industry to (i) explore alternative disclosure mechanisms (e.g., notice outside of the privacy policy, such as in close proximity to an advertisement); (ii) develop more specific standards to define what constitutes sensitive data; and (iii) consider whether to prohibit the use of certain categories of sensitive data.