Last week, the Federal Trade Commission (FTC) released revised self-regulatory principles ("the Principles") for online behavioral advertising—described as "tracking of consumer's online activities to deliver tailored advertising"—and continued to endorse self regulation, at least for now. The key revisions to the Principles include: (1) refining the scope of information and practices covered; (2) clarifying that data retention requirements should be considered part of a reasonable security program; (3) clarifying when affirmative express consent is necessary for material changes to privacy promises; and (4) allowing for use of sensitive data for behavioral advertising with affirmative express consent.
Even with these changes, which were issued on Feb. 12, 2009, two FTC commissioners wrote separately to express their skepticism that self-regulation would work at all. Indeed, in Commissioner Leibowitz's opinion, he noted that this may be the "last clear chance" for the industry to demonstrate that self-regulation is the best approach in this area.
Among the most important discussions in the report—and the area that was the subject of most comments—is the scope of the Principles. Notably, staff has indicated that the Principles should apply to both personally identifiable and non-identifiable data. However, the Principles exclude so-called "first party" and contextual behavioral advertising, providing guidance on how those terms should be interpreted. Also, the report offers guidance on the important issue of treatment of affiliated sites or sites under common ownership or control, noting that whether data sharing among such sites would fall within the exclusion for "first party" behavioral advertising activities should be evaluated from the perspective of the consumer.
In terms of next steps, the report notes that, during the coming year, Commission staff will (i) evaluate the development of self-regulatory programs and the extent to which they serve the goals of the Principles; (ii) conduct investigations, where appropriate, to determine if practices violate deceptive practices or other laws; and (iii) meet with stakeholders to follow changes and find opportunities to use its research tools to explore developments in this area. In addition, the staff will explore whether to revise the principles to cover secondary uses of data—use of tracking data for purposes other than behavioral advertising.