March 22, 2009
Intellectual Property, Internet & E-Commerce Alerts

Online Behavioral Advertising: New FTC Report and Pending Litigation
by Walter W. Hansell, Cyrus Wadia

New FTC Report:  Self-Regulatory Principles for Online Behavioral Advertising

The Federal Trade Commission issued a Staff Report on February 12, 2009 discussing policies and views on the FTC's "ongoing examination of online behavioral advertising," which it defines as "the practice of tracing an individual's online activites in order to deliver advertising tailored to his or her interests."  The Report, entitled "Self-Regulatory Principles for Online Behavioral Advertising," addresses how online service providers can protect consumers' right to privacy while at the same time collecting information about their online activities.  The Report essentially publicizes principles and business practices which the FTC staff believes Internet service providers (ISPs), advertisers, and related service providers should follow voluntarily, unless they are to invite the adoption of compulsory regulation on the topic by the FTC, Congress, or other regulatory bodies. 

In November 2007, the FTC held a "Behavioral Advertising" Town Hall, and shortly thereafter issued a set of proposed principles to guide industry self-regulation in this area.  The proposed principles were:

  • Transparency and Consumer Control.  Every website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that (1) data about consumers' activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers' interests, and (2) consumers can choose whether or not to have their information collected for such purpose."  The website should also provide consumers with a clear, easy-to-use, and accessible method for exercising this option.
  • Reasonable security, and limited data retention, for consumer dataAny company that collects and/or stores consumer data for behavioral advertising should provide reasonable security for that data. Consistent with the data security laws and the FTC’s data security enforcement actions, such protections should be based on the sensitivity of the data, the nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company. 
  • Affirmative express consent for material changes to existing privacy promises.  A company should obtain affirmative express consent from consumers before using consumers' data in a mannter materially different from promises the company made when it collected the data.
  • Affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising.  Companies should only collect sensitive data for behavioral advertising if they obtain affirmative express consent from the consumer to receive such advertising.

The new Staff Report summarizes and responds to more than 60 comments received from industry, academics, consumer and privacy groups as well as consumers in response to the proposed principles.  As a general matter, the FTC agreed with the commenters that "first party" behavioral advertising (information collected to deliver targed advertising at a site, but not shared with third parties) and contextual advertising (based on websites viewed or search queries, which involve little or no data storage) should be excluded from the scope of the principles given the fewer privacy concerns. 

The new Staff Report goes on to address and refine its four initial principles as follows:

  • Transparency and Consumer Control.  Every website where data is collected for behavioral advertising should provide a clear,concise, consumer-friendly, and prominent statement that (1) data about consumers’ activitiesonline is being collected at the site for use in providing advertising about products and services tailored to individual consumers’ interests, and (2) consumers can choose whether or not to havetheir information collected for such purpose. The website should also provide consumers with aclear, easy-to-use, and accessible method for exercising this option. Where the data collection occurs outside the traditional website context, companies should develop alternative methods of disclosure and consumer choice that meet the standards described above (i.e., clear, prominent, easy-to-use, etc.)
  • Reasonable Security, and Limited Data Retention, for Consumer DataAny company that collects and/or stores consumer data for behavioral advertising should provide reasonable security for that data. Consistent with data security laws and the FTC’s data security enforcement actions, such protections should be based on the sensitivity of the data, the nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company. Companies should also retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.
  • Affirmative Express Consent for Material Changes to Existing Privacy PromisesAs the FTC has made clear in its enforcement and outreach efforts, a company must keep any promises that it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date. Therefore, before a company can use previously collected data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers.  This principle would apply in a corporate merger situation to the extent that the merger creates material changes in the way the companies collect, use, and share data.   

  • Affirmative Express Consent to (or Prohibition Against) Using Sensitive Data for Behavioral Advertising.  Companies should collect sensitive data for behavioral advertising only after they obtain affirmative express consent from the consumer to receive such advertising.

The FTC states that this Report is part of an ongoing process to examine online behavioral advertising, and that the FTC staff "will evaluate self-regulatory programs and will conduct investigations, where appropriate, to determine whether practices in this industry violate Section 5 of the FTC Act."

Pending Behavioral Advertising Litigation

Concurrently, two separate federal class action cases are pending with the Northern District of California, as filed for consumers claiming privacy violations by behavioral advertising sales and technology companies in conjunction with deep-packet inspection of user activity with online service providers.  First, Valentine et al.. v. Nebaud, Inc. et al., (N. Dist. California Case No. CV08-5113) was filed in November 2008; and then Simon v. Adzilla, Inc. (N. Dist California Case No. CV09-00879) was filed February 27, 2009.  These cases contain claims for violation of the federal Electronic Communications Privacy Act (ECPA), the federal Computer Fraud and Abuse Act (CFAA), and violations of the California privacy and computer crime statutes (Penal Code Sections 631, 502).  Substantive rulings have not been issued yet in either case.

Back to Alerts