Ms. Allen is based in our Washington, D.C. office.
Mr. Reisler is based in our New York office.

This alert summarizes the Federal Trade Commission's (FTC) revised guiding privacy principles for online behavioral advertising.

Online Behavioral Advertising And FTC Action To Date

Online behavioral advertising is the tracking of consumers' online activities, using various Internet tools, to deliver tailored advertising. Many businesses participate in Internet advertising networks that use behavioral advertising. The FTC views online behavioral advertising as a threat to consumer privacy because consumers are often unaware of the information they provide to advertising networks and the uses being made of that information. Congress has also expressed concern that behavioral advertising could give rise to privacy abuses, and held hearings last year as a predicate to possible legislative action. In 2007, the FTC adopted certain guiding principles to guard against consumer abuses stemming from behavioral advertising, and encouraged industry participants to adopt voluntary standards of conduct to implement the principles.

The New FTC Principles

On February 12, 2009, the FTC released a report examining the effectiveness of its current guiding principles in protecting online consumer privacy. The FTC found its current self-regulatory scheme wanting in certain respects, and adopted amendments that any company using online advertising should implement. The FTC has adopted four principles governing self-regulation of online behavioral advertising:

  1. Consumers must have transparency and control over use of their personal information.
  2. Reasonable security measures to avoid unauthorized access to behavioral advertising data bases should be in place, with personal data retained only so long as it is needed for legitimate business or law enforcement purposes.
  3. The consumer's affirmative express consent must be obtained if behavioral data will be used in ways materially different than set forth in the privacy policy.
  4. The consumer's affirmative express consent must be obtained if sensitive data (i.e., data about children, health or finances) is to be used in behavioral advertising.

Applicability And Scope

The FTC made clear that the principles do not just apply to personally identifiable data collected online. The principles also apply to non-personally identifiable data if the data can associate a consumer with a particular computer or device. Second, the report found that so-called "first party" behavioral advertising and "contextual advertising" were beyond the scope of the new principles. An example of first-party behavioral advertising is an online bookstore that offers book recommendations to returning customers based on past purchases. An example of contextual advertising is when a consumer wishing to purchase a particular product or service is shown competing products or services at the same time.

Privacy Policy Disclosure Inadequate

Significantly, the FTC found disclosures of behavioral advertising practices in online privacy policies insufficient to satisfy its first principle. The FTC characterized privacy policies as "long and difficult to understand." Accordingly, the FTC advised website owners and Web advertisers to pursue more effective ways of providing consumers with notice of behavioral data collection and choice to prevent use of behavioral data. No single method of providing notice and choice was mandated by the FTC, but approaches that are clear, prominent and easy-to-use by consumers were endorsed.

Scaled Approach To Security

The FTC declined to specifically define a standard of care for offering reasonable security to behavioral data bases in order to meet its second principle. The FTC did, however, recommend a scalable approach that affords greater levels of protection to sensitive behavioral data. The FTC re-emphasized that data retention practices should be kept to the absolute minimum amount of time required to fulfill the business objective or law enforcement need.

Required Consent

The FTC clarified the consent required to satisfy its third principle, stating that express affirmative consent is only required for a change to the use of information collected if the change is material and if it applies retroactively to information that was previously collected. While declining to specifically define what is meant by "sensitive data" in its final principle, the FTC cautioned that the concept can be broadly construed by consumers and should be handled with care.

Businesses Still Must Keep Privacy Promises

The FTC reiterated that its revised principles do not affect the obligation of any company to comply with all applicable federal and state laws and that it will continue to take enforcement action against websites that do not abide by the promises to consumers made in privacy policies.

Holland & Knight Services

Based on the actions taken by the FTC in its report, it is timely and important to review privacy policies and procedures to determine if they are consistent with the requirements of the FTC's new principles.

www.hklaw.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.