WSGR ALERT

New Principles for the Collection of Data Online Released

November 17, 2011

Following its publication of "Self-Regulatory Principles for Online Behavioral Advertising" (OBA Principles),1 the Digital Advertising Alliance (DAA), a leading coalition for responsible online advertising, announced new "Principles for Multi-Site Data" (General Principles)2 on November 7, 2011. These General Principles cover the collection and use of all multi-site data, or "data collected from a particular computer or device regarding Web viewing over time and across non-Affiliate3 Web sites," except data used for online behavioral advertising (OBA) purposes. Any entity that collects data regarding web viewing from unaffiliated sites (for example, through the use of cookies) should carefully review its practices and consider complying with the principles.

Principles for Multi-Site Data

The General Principles represent a major effort by key stakeholders to establish standard business practices to respond to Federal Trade Commission (FTC) concerns that consumers should have a choice in the collection and use of their data. The principles cover companies that are members of the associations participating in the Digital Advertising Alliance,4 although every company should consider complying with them. While the General Principles contain some new restrictions, data still may be collected and used without restraint under the following circumstances:

  • For operations and systems management, including billing and fulfillment, fraud prevention and security, compliance, and IP protection
  • For market research or product development
  • When it will be de-identified within a "reasonable period of time" following collection

There are four General Principles:

  • Limitations on the Collection of Multi-Site Data. User notice and choice are at the core of the General Principles. Companies that collect multi-site data should provide users with "transparency" (i.e., clear, meaningful, and prominent notice of their collection of multi-site data) and "user control" (i.e., the ability to control data collection through an opt-out mechanism). The General Principles do not contain specific transparency requirements, but they refer companies to the appropriate methods described in the OBA Principles.5 Usually advertisers, advertising agencies, and brands provide transparency and user control through in-ad or on-site notice. Service providers, vendors, and others covered by the General Principles may find that providing adequate transparency and user control is more challenging.
  • Restrictions on the Use of Multi-Site Data for Eligibility Determinations. The General Principles restrict the collection, use, or transfer of multi-site data in specific situations. Companies should not collect, use, or transfer multi-site data when making adverse decisions with respect to employment, credit, healthcare treatment, or insurance eligibility. This particular restriction is similar to those contained in the Fair Credit Reporting Act.
  • Sensitive Data. The General Principles also prohibit the collection of certain sensitive data. Companies should not collect or use multi-site data that includes financial account numbers, Social Security numbers, prescription information, or medical records unless they have opt-in consent from the individual. Companies also are directed to comply with the Children's Online Privacy Protection Act (COPPA). This prohibition on collecting certain sensitive data extends the OBA Principles to companies that collect multi-site data for any purpose.
  • Accountability. Finally, like the OBA Principles, the General Principles will be subject to the DAA's Accountability Program, which recently announced several self-regulatory compliance actions. Both the Council of Better Business Bureaus and the Direct Marketing Association monitor compliance.

Implications

The FTC long has encouraged the online advertising industry to give consumers accessible and understandable notice and choice about the use of data for targeted advertising.6 The industry responded by adopting the OBA Principles, in which it voluntarily agreed to provide meaningful transparency and choice to consumers. The AdChoices icon was developed to implement these core principles. Following the rollout of the OBA Principles, the FTC expressed continuing concern about the collection and use of data for purposes other than behavioral advertising.7 The General Principles respond to these concerns with respect to the collection and use of multi-site data.

The original principles articulated by the FTC—transparency and choice—may be more than a call for the industry to engage in best, or better, practices. Rather, to some extent, they seem to reflect the agency's enforcement perspective. Earlier this year, the FTC announced a settlement with Chitika, an online advertising network. The company offered consumers the ability to opt out of targeted advertisements; however, the FTC alleged that the offer was deceptive because the opt-out choice lasted only 10 days. As a result of the settlement, Chitika is required to provide in-ad notice of an opt-out mechanism that lasts for five years (similar to the in-ad notice used to comply with the OBA Principles).8 Last week, the FTC announced its second case involving online behavioral advertising, in which the FTC charged ScanScout, an in-stream video advertising network, with deception because the company's privacy policy allegedly informed consumers that they could opt out of data collection and tracking by using a cookie-based opt-out mechanism. In fact, ScanScout used Flash cookies, which could not be turned off using the mechanism provided by the company.

The DAA expects the General Principles to go into effect in 2012. Though the scope of the activities the DAA is attempting to self-regulate has expanded, the organization will continue to rely on the Accountability Program to ensure compliance. In addition, the FTC likely will monitor data collection and use beyond OBA and bring enforcement actions if it finds that companies have violated the FTC Act.

Companies engaged in the collection and use of data for OBA or other purposes should carefully review their practices in light of these new industry self-regulatory principles to determine whether they need to comply with them.

Wilson Sonsini Goodrich & Rosati's privacy practice is uniquely positioned to assist clients in the highly complex and evolving area of domestic and international privacy and data security law. The group regularly assists companies in responding to FTC inquiries and defending related investigations. The firm's privacy and data security practice can help companies assess whether they should comply with the OBA Principles and the General Principles and assist in formulating practical strategies to assess and manage related risk.

For more information, please contact Lydia Parnes at lparnes@wsgr.com or (202) 973-8801; Gerry Stegmaier at gstegmaier@wsgr.com or (202) 973-8809; Matthew Staples at mstaples@wsgr.com or (206) 883-2583; Wendell Bartnick at wbartnick@wsgr.com or (202) 973-8800; or any of the many members of the firm's privacy and data security practice.


1Digital Advertising Alliance, "Self-Regulatory Principles for Online Behavioral Advertising," (2009), available at http://www.aboutads.info/resource/download/seven-principles-07-01-09.pdf; Digital Advertising Alliance, "Self-Regulatory Principles for Online Behavioral Advertising Implementation Guide" (2010), available at http://www.aboutads.info/resource/download/OBA%20Self-Reg%20Implementation%20Guide%20-%20What%20Everyone%20Needs%20to%20Know.pdf.

2Digital Advertising Alliance, "Self-Regulatory Principles for Multi-Site Data" (2011), available at http://www.aboutads.info/resource/download/Multi-Site-Data-Principles.pdf.

3The General Principles do not define the term "Affiliate." Presumably it has the same meaning as found in the OBA Principles, which define an "Affiliate" as "an entity that Controls, is Controlled by, or is under common Control with, another entity."

4The DAA is a collection of leading media and marketing trade associations and their members, including the American Association of Advertising Agencies (4A's), the American Advertising Federation (AAF), the Association of National Advertisers (ANA), the Direct Marketing Association (DMA), the Interactive Advertising Bureau (IAB), and the Network Advertising Initiative (NAI). Members of these trade associations include the range of companies involved in the online advertising ecosystem, as well as virtually all national advertisers. Representative members include: Aetna, American Airlines, Apple, AT&T Mobility, Bank of America, Best Buy, Boeing, Cisco, Coca Cola, Domino's Pizza, General Electric, General Mills, Google, The Home Depot, Honda, Intel, Johnson & Johnson, Kellogg Company, MasterCard, Mattel, McDonald's, Microsoft, The New York Times, Procter & Gamble, Toyota, Verizon, Wal-Mart, Walgreens, Walt Disney, and Yahoo!.

5See generally Sections III.A and III.B of the OBA Principles for more information.

6In 2009, the FTC issued an FTC Staff Report titled "Self-Regulatory Principles for Online Behavioral Advertising," which called for the industry to adopt a self-regulatory program. The report is available at http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf. Then, in 2010, the FTC issued a more comprehensive privacy report, proposing a new framework for analyzing privacy and again calling for meaningful transparency when consumer data is used for OBA purposes. See Federal Trade Commission, "Preliminary FTC Staff Report: Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers" (2010), available at http://www.ftc.gov/os/2010/12/101201privacyreport.pdf.

7"Prepared Statement of the Federal Trade Commission on the State of Online Consumer Privacy Before the Committee on Commerce, Science, and Transportation of the United States Senate," 112 Cong. 17 (2011) (statement of J. Liebowitz, Chairman, Federal Trade Commission), available at http://www.ftc.gov/os/testimony/110316consumerprivacysenate.pdf.

8For additional information about Chitika's settlement with the FTC, please see the WSGR Alert available at http://www.wsgr.com/wsgr/Display.aspx?SectionName=publications/PDFSearch/wsgralert_online_behavioral_advertising.htm.