Here is an update on the recent FTC Report on Behavioral Targeting:
The FTC issued a report on February 12, 2009 regarding its ongoing examination of online behavioral targeting and setting forth revisions to proposed principles to govern self-regulatory efforts in this area. It is attached. It appears that the FTC may be focusing on this issue, especially since an FTC commissioner stated that "this could be the last clear chance to show that self-regulation can - and will - effectively protect consumers' privacy in a dynamic online marketplace" or that it would invite "a more regulatory approach by our Commission." A summary of the principles is below. Note that "affirmative express consent" would mean "opt-in."
1. Transparency and Consumer Control
Every website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that (1) data about consumers' activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers' interests, and (2) consumers can choose whether or not to have their information collected for such purpose. The website should also provide consumers with a clear, easy-to-use, and accessible method for exercising this option. Where the data collection occurs outside the traditional website context, companies should develop alternative methods of disclosure and consumer choice that meet the standards described above (i.e., clear, prominent, easy-to-use, etc.)
2. Reasonable Security, and Limited Data Retention, for Consumer Data
Any company that collects and/or stores consumer data for behavioral advertising should provide reasonable security for that data. Consistent with data security laws and the FTC's data security enforcement actions, such protections should be based on the sensitivity of the data, the nature of a company's business operations, the types of risks a company faces, and the reasonable protections available to a company. Companies should also retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.
3. Affirmative Express Consent for Material Changes to Existing Privacy Promises
As the FTC has made clear in its enforcement and outreach efforts, a company must keep any promises that it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date. Therefore, before a company can use previously collected data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers. This principle would apply in a corporate merger situation to the extent that the merger creates material changes in the way the companies collect, use, and share data.
4. Affirmative Express Consent to (or Prohibition Against) Using Sensitive Data for Behavioral Advertising
Companies should collect sensitive data for behavioral advertising only after they obtain affirmative express consent from the consumer to receive such advertising.
The whole report can be found on the FTC website:
http://www.ftc.gov/opa/2009/02/behavad.shtm and is also below for your convenience.
FTC Staff Revises Online Behavioral Advertising PrinciplesFederal Trade Commission staff today issued a report describing its ongoing examination of online behavioral advertising and setting forth revisions to proposed principles to govern self-regulatory efforts in this area. The key issue concerns how online advertisers can best protect consumers’ privacy while collecting information about their online activities.
Over the last decade, the FTC has periodically examined the consumer privacy issues raised by online behavioral advertising – which is the practice of tracking an individual’s online activities in order to deliver advertising tailored to his or her interests. The FTC examined this practice most recently at its November 2007 “Behavioral Advertising” Town Hall. The following month, in response to public discussion about the need to address privacy concerns in this area, FTC staff issued a set of proposed principles to encourage and guide industry self-regulation for public comment. Today’s report, titled “Self-Regulatory Principles for Online Behavioral Advertising,” summarizes and responds to the main issues raised by more than 60 comments received. It also sets forth revised principles.
The report discusses the potential benefits of behavioral advertising to consumers, including the free online content that advertising generally supports and personalization that many consumers appear to value. It also discusses the privacy concerns that the practice raises, including the invisibility of the data collection to consumers and the risk that the information collected – including sensitive information regarding health, finances, or children – could fall into the wrong hands or be used for unanticipated purposes. Consistent with the FTC’s overall approach to consumer privacy, the report seeks to balance the potential benefits of behavioral advertising against the privacy concerns it raises, and to encourage privacy protections while maintaining a competitive marketplace.
The report points out that most of the public comments the FTC received concern the scope of the proposed principles. For example, commenters discussed whether it is necessary to provide privacy protections for data that is not personally identifiable. In response, the report states that privacy protections should cover any data that reasonably can be associated with a particular consumer or computer or other device.
Also, commenters questioned the need to apply the principles to (1) “first party” behavioral advertising, in which a Web site collects consumer information to deliver targeted advertising at its site, but does not share any of that information with third parties, and (2) contextual advertising, which targets advertisements based on the Web page a consumer is viewing or a search query the consumer has made, and involves little or no data storage. The report concludes that fewer privacy concerns may be associated with “first-party” and “contextual” advertising than with other behavioral advertising, and concludes that it is not necessary to include such advertising within the scope of the principles. The report notes, however, that regardless of the scope of the principles, companies must still comply with all applicable privacy laws, some of which may impose requirements that are similar to those established by the principles.
The report also provides additional guidance regarding each of the four principles and sets forth revised principles reflecting this guidance. The first principle – transparency and consumer control – remains unchanged from the proposed principles. Accordingly, Web sites are expected to provide clear and prominent notice regarding behavioral advertising, as well as an easily accessible way for consumers to choose whether to have their information collected for such purpose. Noting that privacy policies posted on companies’ Web sites often are long and difficult to understand, the report encourages firms to design creative and effective disclosure mechanisms that are separate from their privacy policies. The report also states that companies that collect information outside the traditional Web site context – for example, through a mobile device or by an Internet Service Provider – should develop disclosure mechanisms that are meaningful and effective for these contexts.
In addition, the report continues to urge companies to provide reasonable security for any data they collect for behavioral advertising and to retain data only as long as it is needed to fulfill a legitimate business or law enforcement need.
As to the material change principle, the report clarifies that its focus is on retroactive changes – for example, material changes to a privacy policy that affect information a company collected prior to the changes. Accordingly, the principle has been revised to reflect that clarification. The report recognizes that prospective changes require a more flexible approach, and that depending on the circumstances, some form of prominent notice and opt-out choice may be sufficient.
Finally, due to the heightened privacy concerns raised by the collection and use of consumers’ sensitive data, the report continues to urge companies to obtain affirmative express consent before collecting such data for behavioral advertising. The report states that FTC staff has traditionally considered financial information, information about children, health
information, and Social Security numbers to be sensitive, but encourages stakeholders to develop more specific standards to address this issue.
Thanks to SFIMA board member and attorney
Gaida Zirkelbach for sending us this update.
(SFIMA is providing general information to you, which should not be construed as legal advice. If you have any questions, please seek your attorney's advice.)
