SETTLEMENT REGARDING ONLINE ADVERTISING

Among the many interesting settlements at the Federal Trade Commission (FTC) this past year, the FTC announced in March 2011 that it had reached a settlement with online advertising company Chitika, Inc., to resolve its complaint against the company involving its online consumer tracking practices. According to the FTC complaint, Chitika serves as an intermediary between websites and advertisers, by buying ad space on websites and contracting with advertisers to place ads with cookies on those sites. Chitika also engages in the practice of "behavioral advertising" by placing cookies on the browsers of consumers who visit the websites displaying the advertisements it has placed. Chitika then tracks the consumer's activities on the web, including searches made and sites visited by the consumer. Chitika then displays targeted ads to that consumer based on the tracked activities.

The FTC alleged that while Chitika disclosed in its privacy policy that it collects data about consumers' preferences, the privacy policy also stated that consumers could opt out of having cookies placed on their browsers and receiving targeted ads. The FTC alleged that the opt-out lasted only 10 days. After that brief opt-out period expired, Chitika re-placed tracking cookies on browsers of those consumers, and targeted ads to them again. The FTC complaint alleged that Chitika's claims about its opt-out mechanism were deceptive and violated federal law.

Chitika ultimately agreed to settle the matter and refrain from making misleading statements about the extent of data collection about consumers and the extent to which consumers can control the collection, use or sharing of their data. The agreed Consent Order requires that every targeted ad include a hyperlink that takes consumers to a clear opt-out mechanism that allows a consumer to opt out for at least five years. It also requires that Chitika destroy all identifiable user information collected when the defective opt-out was in place. In addition, the settlement requires that Chitika alert consumers who previously tried to opt out that their attempt was not effective, and they should opt out again to avoid targeted ads.

After a period of public comment on the proposed settlement, the FTC finalized the matter in June 2011. A few pointers for companies that engage in online marketing practices can be gleaned from the Decision and Order. First, if a company wishes to engage in behavioral advertising, it must adequately disclose the practice in the online privacy policy. Second, it appears the FTC does permit a company to put an expiration date on a consumer's opt-out election. However, that expiration date must be reasonable. Here, the FTC found 10 days was too short and instead agreed upon an expiration period of five years. It remains to be seen whether some shorter time period would also be deemed reasonable by the FTC, but there may be updated guidance on this issue in 2012, as described below.

GUIDANCE REGARDING ONLINE ADVERTISING

Following on the heels of the Chitika settlement, in May 2011, the FTC requested public comments on its advertising guidance, "Dot Com Disclosures: Information About Online Advertising." The guidance, originally published in 2000, advises businesses how federal advertising law applies to online advertising and sales. However, there has been tremendous change in the online world since the FTC first published the guidance—mobile marketing has seen rapid growth, the "app" market for mobile devices and tablets took off, and online social networking now includes many millions across the globe. As a result, the FTC invited public comment on the guidance, indicating that the agency was particularly interested to hear what marketers, consumer advocates and other stakeholders believe are the technical and legal issues that the agency needed to address given the growth in online use and online marketing over the years.

The public comment period closed in August 2011, and it is not yet clear when the FTC will publish the revised guidance. The original guidance addressed issues of transparency in marketing, and means by which marketers could provide clear and conspicuous disclosures to consumers making online purchases. Any updated guidance will likely focus on how much online marketing has changed, the need for improved transparency in online marketing practices, and how companies can find appropriate ways to make adequate disclosures to consumers using online services.

PROPOSED COPPA AMENDMENTS

The FTC recently proposed changes to its online privacy rule for children, the Children's Online Privacy Protection Act (COPPA), to expand coverage of its protection, and accepted comments until November 28, 2011. The proposed changes are available at www.ftc.gov/os/2011/09/110915coppa.pdf. COPPA, which was implemented in 2000, gives parents control over what personal information websites can collect from children under the age of 13, and limits the amount of data websites can collect and use about children.

One of the most significant proposed changes to COPPA is the expanded definition of covered "personal information," which would now include screen and user names, as well as persistent identifiers such as Internet Protocol addresses and tracking cookies. In addition, the FTC proposed eliminating one of the ways in which businesses can obtain parental consent—the "e-mail plus" mechanism, which allowed sites to obtain consent by receiving e-mails from parents, then sending them a delayed response confirming the parental consent. Under the proposed amendments, companies would have to find alternatives to the e-mail plus mechanism for consent, including using video conferencing or government-issued identification numbers for verification.

COPPA will continue to apply to those who operate websites directed at children and collect personal information, and those who have actual knowledge that they are collecting personal information from a child under 13. But the FTC clarified its position in the proposed changes that COPPA applies to a wide range of current technologies that could be considered "online services," including mobile apps, network-connected games and some text messaging. While the FTC did not expand the technical application of COPPA by significantly expanding the definition of personal information or by including all online services (not just websites), such as mobile apps, the changes to COPPA will likely expand the scope of covered businesses.

The proposed changes related to parental consent and the expanded definition of personal information will likely have the largest impact on current business practices, because companies will now have to find new ways of obtaining consent, and the use of certain identifiers that previously were not considered personal information could now bring companies under the domain of COPPA. More discussion on COPPA will likely occur in 2012, as the FTC is expected to release revised regulations that will reflect on comments received to date.

To read "Privacy and Data Protection 2011 Year in Review" in full, please click here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.