A coalition of Internet advertising companies and the Federal Trade Commission agreed earlier this summer on privacy guidelines for "online profiling" used in Internet advertising. Responding to a wave of public criticism and threats of government regulation, these guidelines illustrate the FTC's continuing efforts to encourage "self-regulation" while seeking new federal Internet privacy legislation.

Online profiling is the practice of aggregating information about consumers' preferences and interests by tracking consumers' online movements in order to provide targeted advertising on Internet web sites. Profiling is attractive to advertisers because it focuses online marketing efforts on those consumers who are most likely to respond by purchasing the advertised products or services. Opponents of profiling complain that it is unfair to compile consumer profiles and that the profile data may be easily misused or improperly disclosed.

In order to track online behavior by a consumer over an extended period of time, online profilers often associate online movements with IP addresses, the numerical codes used to locate computers connected to the Internet. Profilers may also use cookies, which are small files deposited on a consumer's computer in order to remind web sites that the consumer has previously visited a particular web site or a portion of a web page. While web site operators may conduct profiling themselves, consumers' online movements are typically tracked by third party Internet advertising companies which specialize in collecting and analyzing consumer data and transmitting targeted advertisements.

In November 1999, the FTC sponsored a public workshop to discuss the consumer privacy issues raised by online profiling. These concerns included (1) the linkage of "anonymous" profile information to individuals' names or other personally identifying information, (2) the potentially sensitive nature of the information collected, (3) the fact that online profiling companies are often third parties unknown to the consumers being profiled, (4) the extent to which profile information may be combined with "offline" marketing data, and (5) whether consumers have any right to prevent the tracking of their online movements.

Seeking to avoid new federal privacy regulations, the Network Advertising Initiative (NAI), a coalition of several leading online profiling companies, formulated a set of self-regulatory privacy guidelines. The FTC formally endorsed these voluntary guidelines after finding that they "reasonably implement the fair information practice principles" of notice, choice, access and security. These widely-accepted data privacy principles are summarized in our May 2, 2000 Internet Alert. Click here to review the FTC's report.

The NAI guidelines include the following:

Online profiling companies will not use personally identifiable information about sensitive medical or financial data, social security numbers, or information about sexual behavior or sexual orientation.

• Online profiling companies collecting non-personally identifiable information will require host web sites with whom they contract to clearly and conspicuously describe the profiling in their privacy policies and to provide a link to a page that allows consumers to opt out.
• Online profiling companies will not allow personally identifiable information to be combined with previously-collected non-identifiable information, except with the consumer's prior consent.
• Online profiling companies will not create personally identifiable profiles unless consumers are notified and given an opportunity to opt out at the time and place that the personally identifiable information is collected.
• Online profiling companies will collect personally identifiable profile information only from web site operators with which the profilers have contractual relationships.
• Online profiling companies will provide reasonable access to profile information which is personally identifiable or is associated with personally-identifiable information

By accepting the NAI guidelines, the FTC continued its dual policy of encouraging self-regulation, as discussed in our May 2, 2000 Internet Alert, while simultaneously calling for new federal Internet privacy legislation, as discussed in our May 26, 2000 Internet Alert. The FTC now says that federal legislation is still needed to extend the NAI principles to online profiling companies which do not participate in the NAI's self-regulatory program. Existing law, however, allows the FTC to take enforcement actions against unfair or deceptive practices by online profilers, even without mandatory privacy standards for online profiling.

Online profiling companies may also be subject to the Children's Online Privacy Protection Act, which requires collectors of online data to notify and obtain parental consent before gathering personally identifiable information from children under the age of 13. These children's privacy rules may be triggered if the host web site is directed to children or if the profile information reveals that a consumer is under age 13. The children's privacy rules were summarized in our February 11, 2000 Internet Alert.

Online profiling companies and their host web sites will soon have new incentives to address Internet privacy. Earlier this summer, another coalition of leading Internet companies agreed to make web browsers and web sites compatible with the Platform for Privacy Preferences, or P3P, a system which will alert Internet users when they access web sites which intend to collect more data than the user is willing to disclose. The Clinton Administration specifically endorsed P3P as a useful step toward protecting Internet privacy.

Recent developments concerning online profiling have not ended lingering privacy concerns. As industry standards, government policy and public opinion continue to evolve, online profiling of consumers' Internet activities — whether used for targeted advertising or other purposes — will remain under close scrutiny.