Last week, the FTC issued four new self-regulatory rules
governing how marketers should deploy "behavioral
advertising" -- the practice of tracking a person's online
activity in order to tailor ads to that person's interests. The
rules appear in a staff report titled "Self-Regulatory
Principles for Online Behavioral Advertising." The rules
attempt to strike a balance between consumer privacy and consumer
benefits (e.g., personalized ads and free online content).
Here's what the FTC is asking marketers to do.
Provide transparency and consumer control.
Marketer Web sites that collect data for behavioral advertising
purposes should say so in a "clear, concise,
consumer-friendly, and prominent" way. Such sites should also
give consumers the option to choose whether to have their
information collected. If marketers collect data by means other
than through a Web site, they should develop alternative disclosure
and opt-out mechanisms.
Provide security and place limits on data
retention. Marketers should safeguard the data they
collect. And marketers should only keep data "as long as is
necessary to fulfill a legitimate business or law enforcement
Get "affirmative express consent" prior to
using previously collected data differently than promised.
Past FTC enforcement actions make clear that marketers must keep
the promises they make about how they handle or protect consumer
data. Before a marketer can use previously collected data in a way
different than previously promised (for example, a marketer that
has obtained consumer data in a merger or acquisition), the
marketer should obtain "affirmative express consent" from
people affected by the change.
Get "affirmative express consent" before
using "sensitive" data. The rules say that
marketers planning to use "sensitive" data in behavioral
advertising should obtain "affirmative express consent"
before doing so. "Sensitive" data may include
"financial data, data about children, health information,
precise geographic location information, and Social Security
numbers." But the FTC report acknowledges that a precise
definition of "sensitive" data is difficult to determine.
The report therefore encourages industry to develop its own
standards of what constitutes "sensitive." The report
also suggests that certain data may be so sensitive that marketers
would be better off not using it for behavioral advertising at
The new self-regulatory rules will certainly raise concerns for
marketers, and we expect a lot of questions and push-back. But
there is some good news: the FTC has expressly excluded so-called
"first party" advertising, and "contextual"
advertising, from the definition of online behavioral advertising:
"[O]nline behavioral advertising means the tracking of a
consumer's online activities over time – including
the searches the consumer has conducted, the web pages visited, and
the content viewed – in order to deliver advertising
targeted to the individual consumer's interests. This
definition is not intended to include "first Party"
advertising, where no data is shared with third parties, or
contextual advertising, where an ad is based on a single visit to a
web page or single search query (emphasis in
To read the full text of the FTC staff report, click here.
This alert provides general coverage of its subject area. We
provide it with the understanding that Frankfurt Kurnit Klein &
Selz is not engaged herein in rendering legal advice, and shall not
be liable for any damages resulting from any error, inaccuracy, or
omission. Our attorneys practice law only in jurisdictions in which
they are properly authorized to do so. We do not seek to represent
clients in other jurisdictions.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Internet service providers (ISPs) like to believe that in Section 230 of the Communications Decency Act (CDA) Congress afforded them broad immunity from any liability potentially caused by third-party content posted on ISP sites.
European consumers have expressed concern that the USA Patriot Act (the "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001" or "Patriot Act") will afford the US government undue and unfettered access to their data if they choose to store it on the cloud servers of US providers (e.g., Microsoft or IBM).