The Federal Trade Commission (“FTC”) on February 12, 2009 issued revised guidelines for self-regulation for online behavioral advertising (the practice of tracking consumers’ online activities in order to deliver targeted advertising). The guidelines, titled “Self-Regulatory Principles for Online Behavioral Advertising,” refine the self-regulatory principles initially released for public comment in December 2007. The guidelines and the FTC’s news release are available in full on the FTC website.1
In a concurrence to the guidelines, newly appointed FTC Chairman Jon Leibowitz signaled that increased regulation is almost assured if the industry fails to effectively police itself in the area of behavioral advertising: “Industry needs to do a better job of meaningful, rigorous self-regulation, or it will certainly invite legislation by Congress and a more regulatory approach by [the FTC]. Put simply, this could be the last clear chance to show that self-regulation can — and will — effectively protect consumers’ privacy in a dynamic online marketplace.”
Since 2001, the FTC has already initiated 23 actions against companies for failing to adequately protect consumers’ sensitive information.
History of the Guidelines
The guidelines stem from a November 2007 FTC town hall meeting that brought together various stakeholders to discuss privacy issues surrounding behavioral advertising. Two key principles emerged from the town hall meeting. First, online behavioral advertising has many benefits, including supporting free online content and providing personalized advertisements. Second, online behavioral advertising raises significant privacy concerns, including the invisible nature of data collection, the inadequacies of current disclosures, and the potential for misuse of data. The FTC issued proposed guidelines for self-regulation in December 2007 and invited public comment. Sixty-three stakeholders commented on the guidelines, and the FTC released the revised guidelines on February 12, 2009.
Who and What Is Covered
The guidelines define online behavioral advertising as the “tracking of a consumer’s online activities over time — including the searches the consumer has conducted, the web pages visited, and the content viewed — in order to deliver advertising targeted to the individual consumer’s interests.”
The guidelines cover any data collected for online behavioral advertising that could “reasonably be associated with a particular consumer or with a particular computer or device” depending on the context. The FTC expressly rejected the distinction between personally identifiable information (“PII”) and non-personally identifiable information (“non-PII”) because they are becoming increasingly indistinguishable and because consumers are less concerned about the difference between PII and non-PII and more about whether their data is collected in the first place.
The new guidelines apply broadly to the conduct of any entity engaging in online behavioral advertising, including websites and entities that gather data for targeted advertising outside of the traditional website context. The staff’s report accompanying the guidelines indicates that a company’s conduct is subject to the principles if it hosts a website that “sells or shares data with third parties” or “participates in a network that collects data at the site” for purposes of behavioral advertising. The FTC explicitly excluded from the ambit of this definition “first party” advertising, where no data is shared with third parties, and contextual advertising, which involves an ad based on a single visit to a web page or a single search query.
The FTC staff emphasizes in the report accompanying the guidelines that the principles of self-regulation do not supplant the obligation of any company, regardless of whether it is covered by the guidelines, to comply with all applicable state and federal laws.
Key Provisions of the Guidelines
The guidelines set forth four principles for self-regulation and include recommendations for companies to implement those guidelines as follows:
Transparency and Consumer Control
The guidelines recommend that websites provide (1) clear and prominent notice that consumers’ information is being collected for use in behavioral advertising and (2) consumer choice as to whether information will be used in behavioral advertising by providing consumers a meaningful opt-out method. Companies are encouraged to develop disclosure mechanisms that are independent of their privacy policies because, according to the FTC, most companies’ privacy policies are confusing to consumers. The guidelines advise companies that collect data outside the traditional website context — e.g., through a mobile device or an Internet Service Provider — to develop notice and consumer choice mechanisms that comport with these recommendations.
Reasonable Security, and Limited Data Retention, for Consumer Data
The guidelines advise companies to provide reasonable security for the collection and storage of data and to only retain data as long as is necessary to “fulfill a legitimate business or law enforcement need.” The reasonableness of security is dictated by the sensitivity of the data, the nature of a company’s business, the types of risks a company faces, and the protections available to a company.
Affirmative Express Consent for Material Changes to Existing Privacy Promises
The guidelines advise companies to obtain “affirmative express consent” from affected consumers before a company uses previously collected data in a manner that is materially different from how a company notified consumers it would use such data. This recommendation applies to corporate mergers if the merger materially affects a company’s collection, sharing, and use of consumer data.
Affirmative Express Consent to (or Prohibition Against) Using Sensitive Data for Behavioral Advertising
The guidelines advise companies to obtain “affirmative express consent” from consumers before collecting “sensitive data” for behavioral advertising. The guidelines do not establish the specific contours of what the FTC will consider “sensitive data” but, according to the staff’s report, it likely includes financial data, data about children, health information, precise geographic location information, and Social Security numbers.
The FTC confirmed that the guidelines for self-regulation are merely a stepping stone in the FTC’s overall plan to continue to examine the privacy implications of behavioral advertising. The FTC has plans to evaluate existing self-regulatory programs and to conduct investigations to determine whether any industry practices violate Section 5 of the FTC Act. In anticipation of closer scrutiny, companies should ensure that their operations are in line with the FTC’s guidelines.
Bingham’s Privacy and Security Group helps companies in a broad range of industries comply with a complex array of data protection and privacy laws, regulations, and standards. We have successfully handled numerous major data breach matters in a variety of jurisdictions.
For more information about this alert, please contact any of the attorneys listed below:
Andrew D. Lipman, Partner