New Principles for the Collection of Data Online Released
November 17, 2011
Principles for Multi-Site Data
The General Principles represent a major effort by key stakeholders to establish standard business practices to respond to Federal Trade Commission (FTC) concerns that consumers should have a choice in the collection and use of their data. The principles cover companies that are members of the associations participating in the Digital Advertising Alliance,[4] although every company should consider complying with them. While the General Principles contain some new restrictions, data still may be collected and used without restraint under the following circumstances:
- For operations and systems management, including billing and fulfillment, fraud prevention and security, compliance, and IP protection
- For market research or product development
- When it will be de-identified within a "reasonable period of time" following collection
There are four General Principles:
- Limitations on the Collection of Multi-Site Data. User notice and choice are at the core of the General Principles. Companies that collect multi-site data should provide users with "transparency" (i.e., clear, meaningful, and prominent notice of their collection of multi-site data) and "user control" (i.e., the ability to control data collection through an opt-out mechanism). The General Principles do not contain specific transparency requirements, but they refer companies to the appropriate methods described in the OBA Principles.[5] Usually advertisers, advertising agencies, and brands provide transparency and user control through in-ad or on-site notice. Service providers, vendors, and others covered by the General Principles may find that providing adequate transparency and user control is more challenging.
- Restrictions on the Use of Multi-Site Data for Eligibility Determinations. The General Principles restrict the collection, use, or transfer of multi-site data in specific situations. Companies should not collect, use, or transfer multi-site data when making adverse decisions with respect to employment, credit, healthcare treatment, or insurance eligibility. This particular restriction is similar to those contained in the Fair Credit Reporting Act.
- Sensitive Data. The General Principles also prohibit the collection of certain sensitive data. Companies should not collect or use multi-site data that includes financial account numbers, Social Security numbers, prescription information, or medical records unless they have opt-in consent from the individual. Companies also are directed to comply with the Children's Online Privacy Protection Act (COPPA). This prohibition on collecting certain sensitive data extends the OBA Principles to companies that collect multi-site data for any purpose.
- Accountability. Finally, like the OBA Principles, the General Principles will be subject to the DAA's Accountability Program, which recently announced several self-regulatory compliance actions. Both the Council of Better Business Bureaus and the Direct Marketing Association monitor compliance.
The FTC long has encouraged the online advertising industry to give consumers accessible and understandable notice and choice about the use of data for targeted advertising.[6] The industry responded by adopting the OBA Principles, in which it voluntarily agreed to provide meaningful transparency and choice to consumers. The AdChoices icon was developed to implement these core principles. Following the rollout of the OBA Principles, the FTC expressed continuing concern about the collection and use of data for purposes other than behavioral advertising.[7] The General Principles respond to these concerns with respect to the collection and use of multi-site data.
The DAA expects the General Principles to go into effect in 2012. Though the scope of the activities the DAA is attempting to self-regulate has expanded, the organization will continue to rely on the Accountability Program to ensure compliance. In addition, the FTC likely will monitor data collection and use beyond OBA and bring enforcement actions if it finds that companies have violated the FTC Act.
Companies engaged in the collection and use of data for OBA or other purposes should carefully review their practices in light of these new industry self-regulatory principles to determine whether they need to comply with them.
Wilson Sonsini Goodrich & Rosati's privacy practice is uniquely positioned to assist clients in the highly complex and evolving area of domestic and international privacy and data security law. The group regularly assists companies in responding to FTC inquiries and defending related investigations. The firm's privacy and data security practice can help companies assess whether they should comply with the OBA Principles and the General Principles and assist in formulating practical strategies to assess and manage related risk.
For more information, please contact Lydia Parnes at firstname.lastname@example.org or (202) 973-8801; Gerry Stegmaier at email@example.com or (202) 973-8809; Matthew Staples at firstname.lastname@example.org or (206) 883-2583; Wendell Bartnick at email@example.com or (202) 973-8800; or any of the many members of the firm's privacy and data security practice.
[2] Digital Advertising Alliance, "Self-Regulatory Principles for Multi-Site Data" (2011), available at http://www.aboutads.info/resource/download/Multi-Site-Data-Principles.pdf.
[3] The General Principles do not define the term "Affiliate." Presumably it has the same meaning as found in the OBA Principles, which define an "Affiliate" as "an entity that Controls, is Controlled by, or is under common Control with, another entity."
[4] The DAA is a collection of leading media and marketing trade associations and their members, including the American Association of Advertising Agencies (4A's), the American Advertising Federation (AAF), the Association of National Advertisers (ANA), the Direct Marketing Association (DMA), the Interactive Advertising Bureau (IAB), and the Network Advertising Initiative (NAI). Members of these trade associations include the range of companies involved in the online advertising ecosystem, as well as virtually all national advertisers. Representative members include: Aetna, American Airlines, Apple, AT&T Mobility, Bank of America, Best Buy, Boeing, Cisco, Coca Cola, Domino's Pizza, General Electric, General Mills, Google, The Home Depot, Honda, Intel, Johnson & Johnson, Kellogg Company, MasterCard, Mattel, McDonald's, Microsoft, The New York Times, Procter & Gamble, Toyota, Verizon, Wal-Mart, Walgreens, Walt Disney, and Yahoo!.
[6] In 2009, the FTC issued an FTC Staff Report titled "Self-Regulatory Principles for Online Behavioral Advertising," which called for the industry to adopt a self-regulatory program. The report is available at http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf. Then, in 2010, the FTC issued a more comprehensive privacy report, proposing a new framework for analyzing privacy and again calling for meaningful transparency when consumer data is used for OBA purposes. See Federal Trade Commission, "Preliminary FTC Staff Report: Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers" (2010), available at http://www.ftc.gov/os/2010/12/101201privacyreport.pdf.
[7] "Prepared Statement of the Federal Trade Commission on the State of Online Consumer Privacy Before the Committee on Commerce, Science, and Transportation of the United States Senate," 112 Cong. 17 (2011) (statement of J. Liebowitz, Chairman, Federal Trade Commission), available at http://www.ftc.gov/os/testimony/110316consumerprivacysenate.pdf.
[8] For additional information about Chitika's settlement with the FTC, please see the WSGR Alert available at http://www.wsgr.com/wsgr/Display.aspx?SectionName=publications/PDFSearch/wsgralert_online_behavioral_advertising.htm.