FTC Staff Proposal Raises the Bar for Behavioral Advertising

Specifically, the FTC staff proposes a broad definition of 'behavioral advertising' that includes 'the tracking of a consumer's activities online, including the searches the consumer has conducted, the Web pages visited, and the content viewed in order to deliver advertising targeted to the individual consumer's interests.' (See, FTC, Online Behavioral Advertising: Moving the Discussion Forward to Possible Self-Regulatory Principles, at 2, at www.ftc.gov/os/2007/12/P859900stmt.pdf.)

Notably, this definition includes not only cross-site tracking, such as that used by network advertisers, but also single-site or domain tracking that is now commonly used by Web site operators to personalize their sites' content and advertising.

The Proposed Principles

The FTC staff's proposed Principles for the self-regulation of behavioral advertising include the following considerations and points of interest.

Transparency and Consumer Control

Notice. The Principles propose that notice to consumers be a 'clear, concise, consumer-friendly, and prominent statement' (see, www.ftc.gov/os/2007/12/P859900stmt.pdf.), disclosing that consumer data is collected for behavioral advertising and that consumers can decide whether such collection is permitted. Under the proposal, this disclosure would be located on every Web site where consumer data is collected for purposes of behavioral targeting.

The staff's language, on its face, appears to require something more than notice in a privacy policy or set of privacy policies of companies engaged in behavioral advertising. The first question arising from this proposal is how this would be done in light of extremely tight restraints on Web page real estate, especially on a site's home page. Also, if some kind of notice ' even in abbreviated form ' is required on a site's home page, then industry will be on a slippery slope, indeed. If notice regarding the use of even non-personal information is required on a home page, for instance, then surely regulators will find other, seemingly more important activities that also require a disclosure outside the privacy policy or terms of use. Each such proposal, on its own, may be well justified, but the fact remains that real estate is limited, and low opt-out rates resulting from Gramm-Leach-Bliley notices suggest that consumers feel inundated with notices already.

The Commission staff's 'design standard' ' specifying where notice should appear ' is also problematic for industry on two levels. First, it isn't always clear whether data used for behavioral-advertising purposes is collected from a specific Web site. What about, for example, social-networking applications, such as those that have recently sprung up on Facebook? Second, this standard is already obsolete, as some behavioral-marketing companies do not draw the data they use for behavioral advertising from Web sites with which they have a relationship, but rather from Internet service providers ('ISPs') or from advertising exchanges.

Consumer choice. The staff's proposal calls for a 'clear, easy-to-use, and accessible method' (see, www.ftc.gov/os/2007/12/P859900stmt.pdf.) to stop a behavioral-advertising company's data-collection practices, and that this method be displayed clearly and prominently on the Web publisher's site. This sounds like an opt-out standard, but it is not clear whether the staff has intentionally left this vague on the theory that opt-in may be appropriate in some cases.

These transparency principles (notice and choice) alone appear to be more stringent than the current Network Advertising Initiative principles for notice of behavioral targeting using anonymous data, which allows for notice and an opt-out to be in the Web publisher's privacy policy. Under the Principles that the FTC staff proposed, notice and choice would appear to be required on the Web site itself, in a prominent way, like any other disclosure, unless restricted by industry comment. Commentors should focus on whether this standard is realistic and whether it would unnecessarily retard the growth and development of behavioral targeting. Commentors also may consider whether the notice standard is appropriate for behavioral targeting using non-personal data, and whether such a standard could make its way outside the narrow confines of behavioral advertising.

Data security. Under the proposed Principles, companies that collect and store data for behavioral-advertising purposes would be required to provide security consistent with data-security laws, and FTC data-security enforcement actions and guidance. The proposed Principles, then, call for data security that is appropriate, considering the type of data collected, the nature of the company's business, the risks faced, and the reasonable protections available. This standard would apply even for anonymous data used for behavioral targeting. If data is anonymous and cannot be linked to any personal identifiable information, then is such a standard appropriate? If there is no risk of harm at all, then how does the standard, which is inherently flexible, apply?

Data retention. The proposed Principles call for companies to retain data only as long as necessary to fulfill a legitimate business or law-enforcement need. This idea, borrowed from FTC law-enforcement cases in information security, is not part of the existing NAI self-regulatory regime. It appears that the Commission staff would like to see a sliding scale for data-retention timeframes, depending on the type and sensitivity of the data, and the usefulness of the data for purposes of behavioral advertising over time. Companies are welcome to ' and should ' comment on whether such a standard is reasonable for anonymous data that cannot be linked to personally identifiable information (known in the industry as 'PII') and what specific minimum retention periods are appropriate to avoid business risks associated with being required to destroy data too soon. Rather than focusing only on the 'legitimate business need' to determine an appropriate retention period, commentators should consider calling for self-regulation to take into account the injury to consumers that could result from a breach of information security. If data truly is anonymous, and cannot be linked to personal information in any way, then what harm (other than to the behavioral-advertising business) could result?

Changes to privacy policies. The proposed Principles would require behavioral-advertising companies operating under self-regulation to obtain affirmative express consent from consumers before using consumer data in a way that is materially different from the uses permitted under the privacy policy in place when the data was collected. This amounts to a ban on the retroactive application of material changes to a privacy policy in the behavioral-advertising context because it's hard to imagine an entire user base opting into anything. A user base that is subject to different privacy regimes (as a result of some opting in and others not opting in) is inefficient and ultimately unworkable over the long term, as companies will need to change their privacy policies many times over a multi-year period to reflect new developments and innovations.

This opt-in standard proposed by the staff is also unclear when applied to specific facts. For example, would opt-in be required for behavioral-advertising companies and their Web site customers if the behavioral-advertising company proposes to run its ads on Web sites that have policies that are silent on behavioral advertising? How can a company determine, in advance, if a change is material? Right now it is unclear. Commentators should urge that for opt-in, the definition of 'material' should be specific, and should focus on things like direct contradictions to previous representations in privacy policies, as opposed to simply addressing a use that is unaddressed in the existing policy.

Commentators also should focus on how this very stringent requirement ' affirmative express consent ' would work in practice under a variety of scenarios and preexisting privacy representations by Web publishers, and whether its effect on the growth of a promising new industry would outweigh any marginal benefits to consumer privacy.

Sensitive data. The FTC staff also proposes that a company should obtain affirmative express consent before collecting sensitive data for behavioral advertising. The FTC staff acknowledges the difficulty inherent in defining 'sensitive information' in this context, and so asks for comment on:

• What types of information should be considered 'sensitive' (and therefore subject to a higher standard for use in behavioral targeting); and
• Whether targeting using this information should be prohibited outright instead of limited to consumer choice.

Note: The FTC staff's questions assume that there should be a higher standard for behavioral advertising using 'sensitive data.' On its face, that seems appropriate, but it raises important definitional questions. For instance, would otherwise sensitive data be considered so if it is not tied to any personally identifiable information? Moreover, while the FTC staff's comments acknowledge the difficulty of identifying at a granular level what is sensitive and what is not, then they assume that it can be done. This assumption itself carries with it a further assumption that the decisions on what constitutes sensitive data will carry with it some consensus. These are crucial assumptions, and it is not clear whether they will be borne out.

Is Potential for Broader
Application a Foreshadowing?

The FTC staff's proposals also raise questions about the Commission staff's views of privacy in a much broader context. This is the first time that the Commission or its staff has ever proposed detailed privacy guidelines (beyond the fair-information practices of notice, choice, access and security) for the online marketplace. There is, however, some question about whether the same logic that supports these Principles for online conduct applies equally to online conduct outside the behavioral-advertising context, and even to offline conduct. For example, if retroactive application of material changes to privacy policies requires an opt-in for behavioral advertising, then on what basis would the FTC staff take a different view outside the narrow context of privacy policies associated with online behavioral advertising? It is no surprise, then, that the FTC's Proposals have grabbed the attention not only of online marketers, but also of industries that have long advertised offline. Expect the comments in response to the Proposals to be numerous and diverse, as virtually every industry that engages in advertising is likely to comment through trade associations or coalitions.

What Happens After
The Comment Period?

It is unclear what, precisely, will ultimately emerge from the comment period. The Dec. 20 document calls only for comments and views on a variety of questions. This the FTC will get, in abundance, from industry, advocates, academics and consumers. Of course, all these comments will not be aligned; in fact, there's likely to be disagreement on nearly every topic among the commentors. Even industry comments may not be aligned precisely. In light of this, the FTC staff may decide to host another workshop, with the focus on trying to achieve some consensus among the commentors. With or without such a workshop, the FTC staff may well issue a staff report, or even a report to Congress, on the state of behavioral advertising self-regulation. If the FTC is not pleased with the response it's soliciting, then it's possible that a report to Congress could call for new legislation. It's also possible that the FTC could issue so-called business guidance on its views of how Section 5 of the FTC Act applies to behavioral advertising, thereby putting industry on notice that doing or failing to do specific things could subject a company to enforcement action under the FTC's general authority to police deception and unfairness.

Conclusion

The FTC's proposed Principles for the self-regulation of behavioral advertising carry important implications far beyond the online behavioral-advertising industry. Advertisers, Web site publishers and online behavioral-advertising service providers are well advised to present their views to the FTC, to watch the development of privacy principles in this area, and to be aware that what happens here may foreshadow privacy regulation in other online contexts, or even in the offline world.

The release of these Principles followed a two-day Town Hall meeting the FTC held late last year on behavioral advertising, which itself followed the FTC's Tech-Ade Workshop in 2006. The FTC staff's Principles include specific recommendations and questions for industry regarding:

• Transparency and consumer control (including notice and choice);
• Data security;
• Data retention;
• Changes to privacy policies (including a proposed opt-in for the retroactive application of material changes to privacy policies); and
• Questions regarding how sensitive data should be treated.

Comments on the proposed Principles were initially due by Feb. 22, but the deadline was extended to April 11. Comments are likely to range from the very specific ' some trade associations may propose entirely new or modified self-regulatory principles for their members ' to the general, with other trade associations and coalitions offering arguments, and perhaps even econometric and other statistical evidence supporting arguments opposed to the staff's proposals.

While the FTC document recognizes that behavioral advertising provides a number of benefits to consumers, it is important to understand that the staff's proposed Principles are based on the premises that:

• Consumers are unaware of behavioral-advertising practices or cannot discern when such practices are used;
• Transparency and consumer autonomy are critical to consumer trust and to the online marketplace; and
• Data collected for behavioral advertising may fall into the wrong hands or be used for unanticipated purposes.

Broad Definition of Behavioral Advertising

The proposed Principles, describ-ed in detail below, would impose a heavy self-regulatory burden on the online behavioral-advertising industry. The Principles would extend well beyond the principles of the Net-work Advertising Initiative ('NAI') for Online Preference Marketing (see, www.networkadvertising.org/pdfs/NAI_principles.pdf.), approved by the FTC in 2000 (see, Online Profiling, A Report to Congress Part 2: Recommendations (July 2000), available at www.ftc.gov/os/2000/07/onlineprofiling.htm). They would also apply to a very wide array of online activity.

Specifically, the FTC staff proposes a broad definition of 'behavioral advertising' that includes 'the tracking of a consumer's activities online, including the searches the consumer has conducted, the Web pages visited, and the content viewed in order to deliver advertising targeted to the individual consumer's interests.' (See, FTC, Online Behavioral Advertising: Moving the Discussion Forward to Possible Self-Regulatory Principles, at 2, at www.ftc.gov/os/2007/12/P859900stmt.pdf.)

Notably, this definition includes not only cross-site tracking, such as that used by network advertisers, but also single-site or domain tracking that is now commonly used by Web site operators to personalize their sites' content and advertising.

The Proposed Principles

The FTC staff's proposed Principles for the self-regulation of behavioral advertising include the following considerations and points of interest.

Transparency and Consumer Control

Notice. The Principles propose that notice to consumers be a 'clear, concise, consumer-friendly, and prominent statement' (see, www.ftc.gov/os/2007/12/P859900stmt.pdf.), disclosing that consumer data is collected for behavioral advertising and that consumers can decide whether such collection is permitted. Under the proposal, this disclosure would be located on every Web site where consumer data is collected for purposes of behavioral targeting.

The staff's language, on its face, appears to require something more than notice in a privacy policy or set of privacy policies of companies engaged in behavioral advertising. The first question arising from this proposal is how this would be done in light of extremely tight restraints on Web page real estate, especially on a site's home page. Also, if some kind of notice ' even in abbreviated form ' is required on a site's home page, then industry will be on a slippery slope, indeed. If notice regarding the use of even non-personal information is required on a home page, for instance, then surely regulators will find other, seemingly more important activities that also require a disclosure outside the privacy policy or terms of use. Each such proposal, on its own, may be well justified, but the fact remains that real estate is limited, and low opt-out rates resulting from Gramm-Leach-Bliley notices suggest that consumers feel inundated with notices already.

The Commission staff's 'design standard' ' specifying where notice should appear ' is also problematic for industry on two levels. First, it isn't always clear whether data used for behavioral-advertising purposes is collected from a specific Web site. What about, for example, social-networking applications, such as those that have recently sprung up on Facebook? Second, this standard is already obsolete, as some behavioral-marketing companies do not draw the data they use for behavioral advertising from Web sites with which they have a relationship, but rather from Internet service providers ('ISPs') or from advertising exchanges.

Consumer choice. The staff's proposal calls for a 'clear, easy-to-use, and accessible method' (see, www.ftc.gov/os/2007/12/P859900stmt.pdf.) to stop a behavioral-advertising company's data-collection practices, and that this method be displayed clearly and prominently on the Web publisher's site. This sounds like an opt-out standard, but it is not clear whether the staff has intentionally left this vague on the theory that opt-in may be appropriate in some cases.

These transparency principles (notice and choice) alone appear to be more stringent than the current Network Advertising Initiative principles for notice of behavioral targeting using anonymous data, which allows for notice and an opt-out to be in the Web publisher's privacy policy. Under the Principles that the FTC staff proposed, notice and choice would appear to be required on the Web site itself, in a prominent way, like any other disclosure, unless restricted by industry comment. Commentors should focus on whether this standard is realistic and whether it would unnecessarily retard the growth and development of behavioral targeting. Commentors also may consider whether the notice standard is appropriate for behavioral targeting using non-personal data, and whether such a standard could make its way outside the narrow confines of behavioral advertising.

Data security. Under the proposed Principles, companies that collect and store data for behavioral-advertising purposes would be required to provide security consistent with data-security laws, and FTC data-security enforcement actions and guidance. The proposed Principles, then, call for data security that is appropriate, considering the type of data collected, the nature of the company's business, the risks faced, and the reasonable protections available. This standard would apply even for anonymous data used for behavioral targeting. If data is anonymous and cannot be linked to any personal identifiable information, then is such a standard appropriate? If there is no risk of harm at all, then how does the standard, which is inherently flexible, apply?

Data retention. The proposed Principles call for companies to retain data only as long as necessary to fulfill a legitimate business or law-enforcement need. This idea, borrowed from FTC law-enforcement cases in information security, is not part of the existing NAI self-regulatory regime. It appears that the Commission staff would like to see a sliding scale for data-retention timeframes, depending on the type and sensitivity of the data, and the usefulness of the data for purposes of behavioral advertising over time. Companies are welcome to ' and should ' comment on whether such a standard is reasonable for anonymous data that cannot be linked to personally identifiable information (known in the industry as 'PII') and what specific minimum retention periods are appropriate to avoid business risks associated with being required to destroy data too soon. Rather than focusing only on the 'legitimate business need' to determine an appropriate retention period, commentators should consider calling for self-regulation to take into account the injury to consumers that could result from a breach of information security. If data truly is anonymous, and cannot be linked to personal information in any way, then what harm (other than to the behavioral-advertising business) could result?

Changes to privacy policies. The proposed Principles would require behavioral-advertising companies operating under self-regulation to obtain affirmative express consent from consumers before using consumer data in a way that is materially different from the uses permitted under the privacy policy in place when the data was collected. This amounts to a ban on the retroactive application of material changes to a privacy policy in the behavioral-advertising context because it's hard to imagine an entire user base opting into anything. A user base that is subject to different privacy regimes (as a result of some opting in and others not opting in) is inefficient and ultimately unworkable over the long term, as companies will need to change their privacy policies many times over a multi-year period to reflect new developments and innovations.

This opt-in standard proposed by the staff is also unclear when applied to specific facts. For example, would opt-in be required for behavioral-advertising companies and their Web site customers if the behavioral-advertising company proposes to run its ads on Web sites that have policies that are silent on behavioral advertising? How can a company determine, in advance, if a change is material? Right now it is unclear. Commentators should urge that for opt-in, the definition of 'material' should be specific, and should focus on things like direct contradictions to previous representations in privacy policies, as opposed to simply addressing a use that is unaddressed in the existing policy.

Commentators also should focus on how this very stringent requirement ' affirmative express consent ' would work in practice under a variety of scenarios and preexisting privacy representations by Web publishers, and whether its effect on the growth of a promising new industry would outweigh any marginal benefits to consumer privacy.

Sensitive data. The FTC staff also proposes that a company should obtain affirmative express consent before collecting sensitive data for behavioral advertising. The FTC staff acknowledges the difficulty inherent in defining 'sensitive information' in this context, and so asks for comment on:

• What types of information should be considered 'sensitive' (and therefore subject to a higher standard for use in behavioral targeting); and
• Whether targeting using this information should be prohibited outright instead of limited to consumer choice.

Note: The FTC staff's questions assume that there should be a higher standard for behavioral advertising using 'sensitive data.' On its face, that seems appropriate, but it raises important definitional questions. For instance, would otherwise sensitive data be considered so if it is not tied to any personally identifiable information? Moreover, while the FTC staff's comments acknowledge the difficulty of identifying at a granular level what is sensitive and what is not, then they assume that it can be done. This assumption itself carries with it a further assumption that the decisions on what constitutes sensitive data will carry with it some consensus. These are crucial assumptions, and it is not clear whether they will be borne out.

Is Potential for Broader
Application a Foreshadowing?

The FTC staff's proposals also raise questions about the Commission staff's views of privacy in a much broader context. This is the first time that the Commission or its staff has ever proposed detailed privacy guidelines (beyond the fair-information practices of notice, choice, access and security) for the online marketplace. There is, however, some question about whether the same logic that supports these Principles for online conduct applies equally to online conduct outside the behavioral-advertising context, and even to offline conduct. For example, if retroactive application of material changes to privacy policies requires an opt-in for behavioral advertising, then on what basis would the FTC staff take a different view outside the narrow context of privacy policies associated with online behavioral advertising? It is no surprise, then, that the FTC's Proposals have grabbed the attention not only of online marketers, but also of industries that have long advertised offline. Expect the comments in response to the Proposals to be numerous and diverse, as virtually every industry that engages in advertising is likely to comment through trade associations or coalitions.

What Happens After
The Comment Period?

It is unclear what, precisely, will ultimately emerge from the comment period. The Dec. 20 document calls only for comments and views on a variety of questions. This the FTC will get, in abundance, from industry, advocates, academics and consumers. Of course, all these comments will not be aligned; in fact, there's likely to be disagreement on nearly every topic among the commentors. Even industry comments may not be aligned precisely. In light of this, the FTC staff may decide to host another workshop, with the focus on trying to achieve some consensus among the commentors. With or without such a workshop, the FTC staff may well issue a staff report, or even a report to Congress, on the state of behavioral advertising self-regulation. If the FTC is not pleased with the response it's soliciting, then it's possible that a report to Congress could call for new legislation. It's also possible that the FTC could issue so-called business guidance on its views of how Section 5 of the FTC Act applies to behavioral advertising, thereby putting industry on notice that doing or failing to do specific things could subject a company to enforcement action under the FTC's general authority to police deception and unfairness.

Conclusion

The FTC's proposed Principles for the self-regulation of behavioral advertising carry important implications far beyond the online behavioral-advertising industry. Advertisers, Web site publishers and online behavioral-advertising service providers are well advised to present their views to the FTC, to watch the development of privacy principles in this area, and to be aware that what happens here may foreshadow privacy regulation in other online contexts, or even in the offline world.