Sunday, March 15, 2009

Online Advertisers’ Data Gathering Could Violate Federal Laws: Report

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

Online advertisers that collect data about consumers through click tracking, capturing search terms, and other methods could be violating federal laws, such as the Electronic Communications Privacy Act (ECPA) and the Communications Act, unless consent is obtained from one of the parties to the communication, according to a report released by the Congressional Research Service.

The report, entitled Privacy Law and Online Advertising: Legal Analysis of Data Gathering by Online Advertisers Such as Double Click and NebuAd, examines the application of federal statutes to online behavioral advertising. It also examines the Federal Trade Commission's self-regulatory principles and standards published by the Network Advertising Initiative.

The ECPA generally prohibits the interception of electronic communications. Concerns have been raised that online advertising providers, websites, and ISPs that agree to collect certain data generated by Internet traffic to behaviorally target advertising may be violating the ECPA.

Although the ECPA could apply to such data collection, the report concludes that online advertising providers, like DoubleClick, that partner to collect data from individual websites generally are not violating the law, because the websites are "parties to the communication" with the ability to consent to interception.

On the other hand, when the partnership is between the ISP and the online advertising provider, neither of the parties to the agreement to intercept web traffic is a party to the communications that are being intercepted. Therefore, consent would have to be obtained from individual customers of the ISPs.

In addition, privacy provisions of the Communications Act could apply to agreements between cable operators acting as ISPs and online advertising providers, according to the report. Section 631 of the Act provides that cable operators must provide notice to subscribers, informing them of the types of personally identifiable information the cable operator collects, how the information is disclosed, and how long it is kept, among other things. Cable operators are prohibited from collecting or disclosing personally identifiable information without a subscriber's prior written or electronic consent.

Online advertising provider NebuAd contends that Sec. 631 does not apply when cable operators are acting as cable modem service providers. Courts have not yet resolved this issue, the report said.

Full text of the report is reproduced at CCH Privacy Law in Marketing ¶60,306.

No comments: