The FTC Staff issued a first draft of proposed principles in December 2007 and invited public comment. That draft called on those engaged in behavioral advertising (defined as the tracking of a consumer's online activities in order to deliver targeted ads) to: (1) provide consumers with clear information about the collection and use of their information, as well as the means to "opt-out" of such collection; (2) provide reasonable security for the collected data; (3) seek "opt-in" consent for material changes to privacy practices; and (4) seek "opt-in" consent for collection of "sensitive" information, such as financial or health data. The FTC received 63 comments in response.
The Network Advertising Initiative (NAI), a prominent self-regulatory organization composed of businesses in the online advertising marketplace, also responded to the December 2007 draft principles in a concrete way. In December 2008, the NAI issued a set of binding principles governing its members. (More on the NAI principles can be found in our January 5, 2009 alert, or at the NAI website.) Leading online businesses have announced new privacy initiatives relating to behavioral data within the last year. While market pressure has encouraged many businesses to clarify or alter their practices, there is little doubt that FTC attention and a series of Congressional hearings over the summer energized industry action.
The FTC report summarizes and responds to the comments and the developments over the intervening year. Most significantly, the FTC Staff redefined "behavioral advertising" to exclude "first party" advertising—where behavioral data is gathered, used and shared only within a single business. As a result, the revised principles apply to ad-serving platforms and advertising "networks" that deliver ads and collect user responses across many sites, but not to single-site advertising mechanisms (like an online retailer's product recommendation feature) that present ads based on customers' browsing or purchase history only on the site where the ad is displayed. Second, the revised principles also exclude "contextual advertising," which is narrowly defined as ads served in response to a single consumer action and not based on any other information the site might have about the user, from the scope of "behavioral advertising." This change means that the principles do not address activities in which ads are triggered by nothing more than the content of a web page being viewed, or a single search query.
The revised report retains the earlier draft's approach to applying the principles not only to personally-identifiable information (PII), such as name or email address, but also to non-personally-identifiable information (non-PII), such as an IP address or a collection of search queries, that the report nevertheless asserts can be reasonably associated with a specific individual or device, such as a mobile phone. This is an important point, as much of the "behavioral" data collected by websites consist only of IP addresses or unique but anonymous "cookies"—information not traditionally considered to be "personally identifiable"—as a means for distinguishing one user from another.
The FTC Staff made only minor changes to the principles themselves:
- Principle 1. "Transparency and User Control" obligates those collecting data for behavioral advertising to notify consumers about their practices and permit consumers to opt out of the collection of information for that purpose. This final report clarifies that this obligation is not limited to the traditional website context, but also applies in the context of mobile and ISP-based technologies, which requires companies to develop new notification and choice mechanisms.
- Principle 2. "Reasonable Security, and Limited Data Retention for Consumer Data." The 2007 draft contained two separate principles, one requiring companies that collect and store consumer data for behavioral advertising to provide reasonable security for that data, and another obligating companies to retain data only as long as necessary for a legitimate business purpose. The revised principles combine these elements into a single principle, but do not modify the original approach.
- Principle 3. "Affirmative Express Consent for Material Changes to Existing Privacy Promises." Consistent with FTC enforcement actions, this principle prohibits data collected for one purpose from being used for a materially different purpose without the "affirmative express consent" of the consumer. FTC enforcement cases in the past have relied on notice and opt-out mechanisms for material changes in general, and required opt-in consent only in a context in which non-PII data is combined with PII data. The revised principle contains a modest wording change, meant to clarify that opt-in consent is needed for retroactive application of policy changes to existing data, but may not be needed for policy changes applied on a going-forward basis only. To comply with this principle, for example, a business that joins a new advertising network with which it expects to share existing consumer data that it had previously committed not to share would first need to obtain express, "opt-in" consent, but could rely on "opt-out" consent (perhaps through a simple amendment to its privacy policy) for the collection and sharing of new data, even if relating to the same users.
- Principle 4. "Affirmative Express Consent to (or Prohibition Against) Using Sensitive Data for Behavioral Advertising." "Sensitive data" is not defined in this principle, presumably in anticipation of further self-regulatory work in this area.
The FTC Staff report acknowledges that some consumer and privacy groups had called for more detail and more prescriptive rules, but concludes that the industry is still too new and malleable for such regulation. The report instead deliberately leaves some issues vague, such as the definition of "sensitive data" and when precisely anonymous data becomes detailed enough to "reasonably identify" a person or device.
Two FTC Commissioners issued concurring statements to voice their desire for more direct regulatory action on this issue. Commissioner Pamela Jones Harbour rejected a pure self-regulatory approach, claiming that self-regulation had a poor track record in creating meaningful privacy protections. She urged direct FTC action as part of a broader effort to establish clear rules for consumer privacy. Commissioner Jon Leibowitz—often mentioned as President Obama's top choice for FTC Chairman—similarly noted that the report's endorsement of self-regulation was not an endorsement of the industry's past and present practices. On the contrary, Leibowitz warned that "this could be the last clear chance" for the industry to shape up and regulate itself before the FTC adopts a more prescriptive approach.
The full text of the FTC Staff report and Commissioner statements are available on the FTC website.