Friday, December 21, 2007

Privacy Principles for Online Behavioral Advertising Proposed by FTC Staff

This posting was written by William Zale, Editor of CCH Advertising Law Guide.

The Federal Trade Commission staff has released proposed privacy principles to guide the development of companies’ “self-regulation” in the rapidly evolving area of online behavioral advertising. The Commission vote approving issuance of the principles was 5-0.

“Behavioral advertising” is the tracking of a consumer’s activities online—including the searches the consumer has conducted, the web pages visited, and the content viewed—in order to deliver advertising targeted to the individual consumer’s interests.

Commissioner Jon Leibowitz, in a statement issued in connection with the closing of the FTC’s investigation into the Google/DoubleClick merger, called the staff's self-regulatory principles “a very useful first step” in moving forward the discussion of how the Commission should address privacy issues across industries and from multiple perspectives.

The FTC staff’s proposed privacy principles are as follows:

1. Transparency and consumer control

Every website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that (1) data about consumers’ activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers’ interests, and (2) consumers can choose whether or not to have their information collected for such purpose. The website should also provide consumers with a clear, easy-to-use, and accessible method for exercising this option.

2. Reasonable security, and limited data retention, for consumer data

Security against risk of unauthorized access. Any company that collects and/or stores consumer data for behavioral advertising should provide reasonable security for that data. Consistent with the data security laws and the FTC’s data security enforcement actions, such protections should be based on the sensitivity of the data, the nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company.

Retention time. Companies should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need. FTC staff commends recent efforts by some industry members to reduce the time period for which they are retaining data. However, FTC staff seeks comment on whether companies can and should reduce their retention periods further.

3. Affirmative express consent for material changes to existing privacy promises

As the FTC has articulated in its enforcement and outreach efforts, a company must keep any promises that it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date. Therefore, before a company can use data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers. This principle would apply in a corporate merger situation to the extent that the merger creates material changes in the way the companies collect, use, and share data.

4. Affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising

Companies should only collect sensitive data for behavioral advertising if they obtain affirmative express consent from the consumer to receive such advertising. FTC staff seeks specific input on (1) what classes of information should be considered sensitive, and (2) whether using sensitive data for behavioral targeting should not be permitted, rather than subject to consumer choice.

5. Call for additional information: using tracking data for purposes other than behavioral advertising

FTC staff seeks additional information about the potential uses of tracking data beyond behavioral advertising and, in particular: (1) which secondary uses raise concerns, (2) whether companies are in fact using data for these secondary purposes, (3) whether the concerns about secondary uses are limited to the use of personally identifiable data or also extend to non-personally identifiable data, and (4) whether secondary uses, if they occur, merit some form of heightened protection.

Request for Comments

FTC staff seeks comment and discussion on the appropriateness and feasibility of the above principles for both consumers and businesses, including the costs and benefits of offering choice for behavioral advertising.

Comments should be sent by Friday, February 22, 2008, to: Secretary, Federal Trade Commission, Room H-135 (Annex N), 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580, or The comments will be posted on the FTC’s behavioral advertising web page for possible use in the development of self-regulatory programs.

The full text of the FTC Staff Statement is available here on the FTC website and will be published in CCH Privacy Law in Marketing and CCH Advertising Law Guide.

No comments: