FTC Revises Guidelines for Online Behavioral Advertising as the Prospect of Legislative Action Looms
February, 2009
On February 12, 2009, the United States Federal Trade Commission released a revised set of Self-Regulatory Principles for Online Behavioral Advertising. Online behavioral advertising is the practice of tracking an individual's online activities in order to deliver advertising tailored to the individual's interests. Although the principles are advisory in nature, the FTC has broad enforcement authority to regulate unfair or deceptive practices in advertising under §5 of the FTC Act and has become increasingly involved in regulating the field of online advertising. The recent announcement that FTC Commissioner Jon Leibowitz, a noted proponent of more aggressive regulation of online advertising, has been appointed as FTC Chairman likely signals that the FTC will become even more assertive in bringing enforcement actions to address perceived abuses in this area. Those involved in or affected by the field of online advertising should take note of these developments.
Transparency and Consumer Control
The FTC's first Self-Regulatory principle states that "[e]very website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement" that data is being collected and that consumers may choose whether or not to have their data collected. Significantly, although the FTC declined to require a particular form of notice, it questioned whether the widespread practice of providing notice in a long and cumbersome Privacy Policy is adequate to satisfy the standard and encouraged advertisers to develop and test new methods that are better calculated to provide actual notice to consumers.
Reasonable Security and Limited Data Retention for Consumer Data
The second principle states that any company that collects or stores consumer data should provide reasonable security for the data, taking into account the sensitivity of the data, the nature of the company's business, the types of risks the company faces, and the measures available. Importantly, the principle was revised to also provide that companies should "retain data only as long as is necessary to fulfill a legitimate business or law enforcement need." Companies that retain data longer than necessary put themselves at significant legal risk.
Affirmative Express Consent for Material Changes to Existing Privacy Promises
The third principle states that before a company can use data "in a manner materially different" from the manner disclosed when the data was collected, it should obtain "affirmative express consent" from affected consumers. The accompanying commentary makes clear that "pre-checked boxes and choice-mechanisms that are buried within a lengthy privacy policy or a uniform licensing agreement are insufficient to express a consumer's 'affirmative express consent.'" Although this principle was phrased in aspirational terms, it is significant that the FTC made a point of reminding companies that any firm that failed to honor a promise concerning how it intended to use data collected from a consumer would be subject to an FTC enforcement action.
Affirmative Express Consent to (or Prohibition Against) Using Sensitive Data for Behavioral Advertising
The fourth and final principle states that companies should collect "sensitive data" for behavioral advertising only after receiving "affirmative express consent." The FTC declined to define sensitive data, but stated that financial data, data about children, health information, precise geographic location information (i.e., from a mobile device) and Social Security numbers clearly qualified as sensitive, and encouraged industry, consumer and privacy advocates to develop more specific standards. Given the current uncertainty, those considering using data that might be considered sensitive for marketing purposes should consult counsel to discuss how best to protect themselves from potential legal liability.
The Principles' Scope
The FTC made clear that it did not intend the principles to restrict "first-party" online behavioral advertising (targeting based on the consumer's interaction with a particular company's website, not shared with third parties) or contextual advertising (advertising directed to a consumer based on content of a particular site or search query, not retained over time).
The FTC also clarified, however, that the principles were not limited in their application to data traditionally considered "personally identifiable information" (or "PII"), such as name, address, SSN, or driver's license number, stating that they were intended to cover any data that "could reasonably be associated with a particular consumer or with a particular computer or device," including IP addresses, cookie data and other information that "could allow behaviors or actions to be associated with a particular individual or computer user."
Future Legislative and/or Regulatory Action?
With the release of the revised principles, newly-appointed Chairman Leibowitz issued a Concurring Statement in which he stated that he was "troubled" by many current practices and warned online marketers that they need "to do a better job of meaningful, rigorous self-regulation or it will certainly invite legislation by Congress and a more regulatory approach by our commission." He stated that this may be "the last clear chance" to show that self-regulation will effectively protect consumer privacy.
At the same time, Rep. Rick Boucher (D-Va.), powerful chair of the Internet subcommittee in the House Energy and Commerce Committee, vowed to introduce data collection legislation in the "not-too-distant" future.
In light of these developments, companies, network advertisers, affiliate marketers and those that advise them must ensure that they understand the current regulatory regime and that they carefully monitor developments in this constantly changing regulatory environment.
If your company utilizes online advertising or if you have questions about the potential impact of these issues on your business, please contact Dan Rockey toll free at 1-800-654-8972.