FTC Issues New Guidelines for Online Behavioral Advertising
February 17, 2009
A report issued by Federal Trade Commission (FTC) staff on February 12, 2009, provides revised guidelines for self-regulation by the online behavioral advertising industry, but indicates that the sustained viability of self-regulation in the industry is uncertain. The report details the FTC's ongoing examination of online behavioral advertising and issues revised governing principles for the privacy practices of behavioral advertisers. The report supports continuing self-regulatory efforts that emphasize consumer transparency and control, reasonable security measures to protect information collected for behavioral advertising purposes, and obtaining consumers' express consent to the use of "sensitive" data and to material changes to practices that apply to previously collected information. The FTC's revised guidelines, taken with the FTC's stated intention to bring enforcement actions as needed, make clear that online behavioral advertising remains squarely on the agenda of regulators, and that behavioral advertisers will need to afford meaningful privacy protections to consumers. This could, in the words of FTC Commissioner Jon Leibowitz, be the industry's "last clear chance" to avoid "legislation by Congress and a more regulatory approach" by the FTC.
What is Online Behavioral Advertising?
To address these concerns, the FTC issued proposed principles for self-regulation in December 2007. The FTC staff's recent report addresses comments received in response to the proposed principles and makes several clarifications.
The FTC's Report
First, the FTC staff confirms that its principles apply to any data that "reasonably could be associated with a particular consumer or computer or other device." This approach reflects the FTC's view that in the online behavioral advertising context, traditional notions of "personally identifiable" and "non-personally identifiable" information are less meaningful. This conclusion is not surprising, because consumers' privacy concerns may not arise solely from the collection, use, and disclosure of information that fits the traditional notion of personally identifiable information. For example, as noted in the report, even where certain information is anonymous when standing alone, it can become identifiable when combined and linked by a common identifier.
Second, the FTC staff agrees with comments questioning the necessity of applying the principles to "first-party" behavioral advertising, in which a website operator collects information to deliver targeted advertising at its site, but does not share any of that information with third parties, and "contextual" advertising, which targets advertisements based on the Web page a consumer is viewing or a search query the consumer has made, and involves little or no data storage. After concluding that first-party and contextual advertising present fewer privacy concerns than other forms of behavioral advertising, it excludes those two forms of advertising from the scope of its principles.
The FTC staff is careful to note in its report, however, that regardless of the scope of its principles, companies still must comply with all applicable privacy laws, some of which may impose requirements that are similar to those established by the principles.
Transparency and control
The report reiterates the original principle that website operators should provide clear and prominent notice regarding behavioral advertising, as well as an accessible means for consumers to opt out from having their information collected for that purpose.
The report encourages behavioral advertisers to design creative, effective disclosure mechanisms that are separate from their privacy policies. It urges companies collecting information outside the traditional Web usage context, such as through mobile applications or the provision of Internet service, to develop disclosure mechanisms that are meaningful and effective in those contexts.
Reasonable security and limited data retention
The report continues to urge companies to provide "reasonable security" to prevent unauthorized access to any data they collect for behavioral advertising purposes.1 A company's data security protections should be based on the sensitivity of the data, the nature of the company's business operations, the types of risks faced by the company, and the reasonable protections available to it. Additionally, companies that collect data for behavioral advertising purposes should retain it only as long as it is needed to fulfill a legitimate business or law enforcement need.
The report reiterates that before a company uses behavioral data in a manner that differs materially from promises made when the company collected the data, it should obtain affirmative express consent from the consumer.
Due to the heightened privacy concerns raised by the collection and use of consumers' "sensitive data," the report continues to urge companies to obtain affirmative express consent before collecting such data for behavioral advertising.
The report does not specify the types of information that constitute sensitive information, but notes that the FTC traditionally has considered financial information, information about children, health information, and Social Security numbers to be sensitive. The FTC encourages stakeholders to develop more specific standards to address this issue.
Finally, the report notes that FTC staff had requested additional information regarding the potential uses of non-personally identifiable information for uses other than for behavioral advertising. Some examples of such "secondary" uses are website design and optimization, content customization, fraud detection, security, and research and development. Given the small number of comments it received on this topic, the FTC staff simply noted that further investigation was merited. Secondary usage remains an area of ongoing potential attention, however, and businesses should remain aware of the potential for future limitations on secondary uses of non-personally identifiable information.
With its revised principles and accompanying report, the FTC has left intact a system that emphasizes self-regulation to balance behavioral advertising's potential benefits with related privacy concerns. However, the report, including the concurring statements of two FTC commissioners and the FTC's stated intention to investigate whether online behavioral advertisers' practices violate Section 5 of the FTC Act, suggests the ongoing importance of these issues to regulators. As businesses look to refine and improve their business models in order to locate and monetize new opportunities, they must remain vigilant of regulatory concerns relating to privacy. Regular review of practices, especially with respect to the development of new products and services, can help companies manage class action litigation, regulatory investigation, and public relations risks associated with online businesses.
Wilson Sonsini Goodrich & Rosati's attorneys routinely help clients manage risks associated with behavioral advertising, as well as other marketing and privacy matters. The firm also has significant experience assisting companies with the defense of investigations and litigations involving these issues. If you have questions in these areas, please contact Tonia Klausner, Matt Staples, or Gerry Stegmaier.
1 Since 2001, the FTC has brought 23 actions against companies that allegedly failed to provide reasonable protections for sensitive information in both offline and online settings. See, e.g., WSGR Alert at www.wsgr.com/WSGR/Display.aspx?SectionName=publications/PDFSearch/clientalert_bjs_wholesale.htm.