WSGR ALERT

Federal Trade Commission Announces Settlement in Online Behavioral Advertising Case

Mandates Use of "In Ad" Disclosure

March 16, 2011

On March 14, 2011, the Federal Trade Commission (FTC) announced a settlement with Chitika, Inc.,1 resolving its investigation of Chitika's allegedly deceptive disclosures concerning its practice of tracking consumers' online activities for behavioral advertising purposes, as well as its inadequate opt-out mechanism. According to the FTC complaint, Chitika offers an online behavioral advertising service that acts as an intermediary between website publishers and advertisers that wish to have their ads placed on websites. When consumers visit a website within the Chitika network of publishers, Chitika sets cookies in their browsers, which it uses to track the consumers' searches, the websites they visit, and the content they view. This information is used to furnish consumers with advertising targeted to their interests.

Chitika's privacy policy explained the company's use of cookies for purposes of such targeted advertising, stating "You can opt-out of receiving Chitika cookies by using the button below." Following this statement was an "Opt-Out" button, and consumers who clicked on it received a message stating, "You are currently opted out." To implement this choice, Chitika set an "opt-out cookie" in the consumer's browser. The opt-out cookie ensured that no additional cookies were set in the consumer's browser, no additional information was added to a previously set Chitika tracking cookie, and the data previously placed in the cookie was not used to target advertisements to the consumer.

However, according to the FTC's complaint, for more than a year and a half, the opt-out cookies Chitika delivered were set to expire after ten days, a fact that was not disclosed to consumers. The FTC concluded that the practice of an opt-out that did not last for a reasonable period of time rendered the privacy policy statements regarding the consumer's ability to opt out to be false or misleading.

Proposed Order

The settlement reached by the FTC and Chitika is reflected in a proposed order that includes both traditional and novel remedies. It prohibits Chitika from misrepresenting the extent to which consumers are able to control the collection, use, or sharing of data collected from or about them, and the extent to which data from or about a particular consumer is collected or shared—a standard provision in FTC consent orders. But it also requires Chitika to take very specific actions intended to make its collection practices transparent to consumers, and enable consumers to easily and effectively opt out of such collections.

First, Chitika must place a clear and prominent notice with a hyperlink for opting out on the home page of its website that states: "We collect information about your activities on certain websites to send you targeted advertisements. To opt out of Chitika's targeted ads, click here." When clicked on, the link must take the consumer to an opt-out mechanism.

Second, Chitika must provide a mechanism to enable its users to prevent Chitika from: (1) collecting data that can be associated with a Chitika user or such user's computer or device, or that contains any unique identifier, such as a user ID or IP address; (2) redirecting users' browsers to third parties that collect data absent affirmative action by such users; and (3) associating any previously collected data with any Chitika user's computer or device. This mechanism must remain in effect for at least five years unless disabled by the user. In addition, within close proximity to the mechanism, Chitika must disclose:

  • the fact that Chitika collects information about consumers' activities on certain websites to deliver targeted ads;
  • that if users opt out, Chitika will not collect this information to deliver such ads;
  • the consumers' current choice status (i.e., whether opted in or opted out of tracking); and
  • that the consumers' choice is specific to the browser they are using (i.e., if they switch browsers or devices, they will have to opt out again).

Third, Chitika's home page also must include banners alerting consumers who could have been previously subject to the allegedly deceptive conduct. Specifically, the website must include the following statement: "If you opted out of our targeted ads before March 1, 2010, the opt-out has expired and you must opt out again to avoid targeted ads."

Fourth, the order requires that within any behaviorally targeted advertisement that Chitika produces, it must include a hyperlink that takes consumers directly to the required opt-out mechanism. The hyperlink text must state: "Opt out?" And when a consumer's cursor, or equivalent, is placed over the hyperlink, a box must be visible that clearly and prominently states, "Opt out of Chitika's targeted ads."

The proposed order further prohibits Chitika's use of any data that it previously collected, and requires the company to destroy all such information and any information retained in its files that would allow the information to be associated with a particular consumer or that consumer's computer or device.

Implications of the Proposed Order

This settlement comes several months after the FTC issued its latest draft staff report on privacy, Protecting Consumer Privacy in an Era of Consumer Change: A Proposed Framework for Businesses and Policymakers, in which the FTC made clear its desire for greater transparency and simplified consumer choice concerning the collection and use of consumer data generally. The consent order echoes that sentiment. Consistent with the report, the order focuses on the collection of any consumer data, such as user IDs and IP addresses, and not just data that generally might be considered personal. It also underscores the agency's commitment to simplified choice when it comes to the collection and use of consumer data. To our knowledge, this is the first time that the FTC has required a company to provide notice of its data collection practices and the ability to opt out "in ad." This is significant because it tracks the guidance set forth in the Self-Regulatory Program of Online Behavioral Advertising (see http://www.aboutads.info/), and adopted by the Direct Marketing Association, the Interactive Advertising Bureau, and others as requirements for their members, suggesting that the FTC may view the self-regulatory requirements as adequate means of providing notice and choice for behavioral advertising. The settlement also is significant in that Chitika's practice of tracking for behavioral advertising purposes was disclosed in the company's privacy policy, but the disclosure, coupled with the actual opt-out practice, was inadequate. Accordingly, companies that engage in behavioral advertising or work with such companies may want to review their existing privacy policies to ensure that their disclosures are complete and consistent with actual practices.

Wilson Sonsini Goodrich & Rosati attorneys routinely counsel their clients with respect to evolving privacy and data security issues. If you have any questions regarding this WSGR Alert or any related privacy and data security matters, please contact Tonia Klausner at tklausner@wsgr.com or (212) 497-7706; Lydia Parnes at lparnes@wsgr.com or (202) 973-8801; Sara Harrington at sharrington@wsgr.com or (650) 320-4915; Gerry Stegmaier at gstegmaier@wsgr.com or (202) 973-8809; Matt Staples at mstaples@wsgr.com or (206) 883-2583; or Valentina Rucker at vrucker@wsgr.com or (202) 973-8861.



1 In the Matter of Chitika, Inc., File No. 1023087 (March 14, 2011).