PERFECT STORM FOR BEHAVIORAL ADVERTISING:
Question: What do the following have in common?
Answer: All occurred in 2009, and they may have hastened legislation regulating online behavioral advertising. If you advertise online, you probably are using behavioral advertising technologies, and therefore, you need to know what existing FTC guidelines and proposed legislation mean for you.
What is Online Behavioral Advertising?
The Internet is supported almost entirely by advertising in that online businesses are able to provide free content in exchange for advertising that is served via their online sites. Online behavioral advertising is a widely used form of advertising on the Internet, and uses targeting technologies to collect information regarding a particular person's web-browsing behavior, such as the pages they have visited or the searches they have made, to serve that person ads. Behavioral advertising is also referred to as "behavioral tracking," "behavioral marketing," and "targeted marketing."
Online behavioral advertising includes: 1) "first party" or contextual behavioral advertising by and at a single website, or advertising based on a consumer's current visit to a single web page or a single search query; and 2) "third party" ads selected and delivered from the advertising networks of companies such as Google, Yahoo, AOL, and ValueClick that select and serve advertisements across the Internet at websites that participate in their ad networks. Ads from network advertisers are usually delivered based upon data collected about a particular consumer as that person moves across various websites in the advertising network. Each ad network usually includes thousands of unrelated websites, and each website often is part of multiple ad networks. The FTC is less concerned about the first type of behavioral advertising because consumers are more likely to expect that they will receive advertising from the visited site, whereas the FTC is concerned about "third party" ads because it may not be clear that the associated tracking is taking place.
Targeted advertising has great value and encourages more Web traffic. The goal is for people to use the Internet more and trust it more by giving a clear sense that the Internet is secure. . . . If not for the ability to target advertising for Internet users, there would not be as much free content. I personally appreciate the convenience that arises from ads that are targeted to my specific interests delivered by websites that I frequently visit for online shopping. It is also important to note that online advertising supports much of the commercial content, applications and services that are available to Internet users today without charge, and I have no intention of disrupting this well-established and successful business model.
However, there is substantial concern about behavioral advertising. Following is more detail regarding the four events affecting behavioral advertising which took place in 2009, and what the push for regulation means for the companies that use behavioral advertising:
FTC Enforcement Action Against Sears
In September 2009, the FTC announced that it entered into a final consent order in the matter of Sears Holdings Management Corp. ("Sears"), in which the FTC charged that Sears violated Section 5 of the FTC Act in connection with a software tracking application it offered as part of its "My SHC Community Program." When installed, the tracking application tracked participating consumers' online as well as certain offline activities, e.g., online bank accounts and prescription drug records. In its advertising, Sears had invited customers to join its online "community" and barely mentioned the tracking application. However, Sears had provided substantial details about the tracking application in a combined Privacy Statement/User License Agreement ("PSULA") to which consumers had to agree in order to enroll in the club, but the FTC stated this was not enough.
The Sears Matter is notable because it is the FTC's first enforcement action for behavioral tracking brought against a prominent "brick and mortar" company with an online presence. The fact that Sears was embracing behavioral tracking technologies signaled that such uses are mainstream. Therefore, it intensified the behavioral advertising dialogue and the concern that consumers are not aware of the data which is collected about them as they navigate online.
Changing of the Guard at the FTC
In February 2009, there was a changing of the guard at the Federal Trade Commission. Jon Leibowitz, an FTC commissioner who has long been very concerned about Internet privacy, was appointed Chairman. He in turn brought in David Vladeck (formerly Director of the Public Citizen Litigation Group) to be the FTC’s new director of consumer protection. Shortly after his appointment, Vladeck gave a no-holds-barred interview to the New York Times regarding behavioral tracking and the Sears Matter, including:
There’s a huge dignity interest wrapped up in having somebody looking at your financial records when they have no business doing that. . . . [Sears was] compiling everything that the consumer did on the computer. [Sears’] disclosure . . . was not comprehensible, and I don’t think a reasonable person who read it would’ve understood that Sears was going to routinely download everything that that person did on the computer including financial records, health records, passwords. . . . We’d prefer to persuade industry it’s in their best interests to cooperate on these sorts of things. If not, we’ll be forced to imagine the worst, and that doesn’t help anybody. . . . Maybe we’re moving into a post-disclosure environment. But there has to be greater transparency about what’s going on. Until I see evidence otherwise, we have to presume that most people don’t understand, and the burden is going to be on industry to persuade us that people really are well informed about this. . . .
Our patience isn’t infinite. . . . [W]e can always bring enforcement cases, and we do set guidance through enforcement cases. . . .
Reports That Some Online Advertisers Are Using a Combination of Personally Identifiable Information with “Anonymized” Information in Order to Serve More Targeted Ads
Traditionally, behavioral advertising has been understood to be based on information that could not be tracked to a particular individual, so-called non-personally identifiable or anonymized data. However, in August 2009, the New York Times reported:
Companies like Acxiom and a competitor, Datran Media, make the connection between online and offline data when a person registers on a Web site or clicks through on an e-mail message from a marketer. . . . Acxiom estimates it has 1,500 pieces of data on every American, based on information from warranty cards, bridal and birth registries, magazine subscriptions, public records and even dog registrations with the American Kennel Club. . . . [C]onsumer advocates say such unseen tracking is troubling. On the old Internet, nobody knew you were a dog. On the new targeted Internet, they now know what kind of dog you are, your favorite leash color, the last time you had fleas and the date you were neutered. . . .
Study Showing a Majority of Americans Object to Behavioral Tracking
In September 2009, the University of Pennsylvania and University of California at Berkeley announced the results of a study showing that despite the claims of marketers that consumers appreciate receiving targeted advertisements, about two-thirds of Americans object to online tracking across websites by advertisers, and once they learn the different ways marketers are following their online movements, that number rises to 86%.
The FTC and Behavioral Advertising
The FTC has long been concerned about online behavioral advertising.
In 1999, the FTC first held a joint workshop with the Department of Commerce on behavioral advertising, and has held numerous workshops ever since. For years, the FTC has urged companies to self-regulate as an industry practice, and in its Self-Regulatory Principles for Online Behavioral Advertising issued in February 2009 ("2009 Behavioral Advertising Report"), the FTC set out four key self-regulatory Principles for behavioral advertising which are based on existing FTC law and policy, and which are discussed below.
Looming Legislation?
At the same time, there has been increasing concern that users are being tracked too much online, with information about their Web browsing, shopping habits and overall interests being collected for advertising purposes. In September 2009, Representative Rick Boucher of Virginia laid out the framework for his planned behavioral advertising legislation and it resembles the Principles outlined by the FTC.
At least until there is legislation, companies that use behavioral advertising technologies should particularly heed the four Principles for behavioral advertising which the FTC set out in its 2009 Behavioral Advertising Report:
1) Transparency and Consumer Control.
In text accompanying this Principle, the FTC explained:
Every website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that (1) data about consumers’ activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers’ interests, and (2) consumers can choose whether or not to have their information collected for such purpose. The website should also provide consumers with a clear, easy-to-use, and accessible method for exercising this option.
Where the data collection occurs outside the traditional website context, companies should develop alternative methods of disclosure and consumer choice that meet the standards described above (i.e., clear, prominent, easy-to-use, etc.)
2) Reasonable Security, and Limited Data Retention, for Consumer Data
In text accompanying this Principle, the FTC explained:
Any company that collects and/or stores consumer data for behavioral advertising should
3) Affirmative Express Consent for Material Changes to Existing Privacy Promises.
In text accompanying this Principle, the FTC explained:
As the FTC has made clear in its enforcement and outreach efforts, a company must keep
This Principle will be of particular concern for companies which have previously stated something like "we will never share your personally identifiable information" or "the information we share is non-personally identifiable" if they now intend to employ behavioral advertising technologies which are combining information that is personally identifiable with non-personally identifiable information (or are using companies such as Datran or Acxiom to do so). Such companies must ensure that they obtain affirmative express consent from consumers to the changes in their existing privacy promises.
4) Affirmative Express Consent to (or Prohibition Against) Using Sensitive Data [including data from children] for Behavioral Advertising.
In text accompanying this Principle, the FTC explained:
Companies should collect sensitive data for behavioral advertising only after they obtain affirmative express consent from the consumer to receive such advertising.
As I discussed more fully in Nobody Reads Your Privacy Policy? Time for a New One!
(available at http://media.ir-law.com/seg/nobodyreads/), it was Sears' collection of sensitive data which seems to have been particularly infuriating to the FTC, and as part of the final consent order in the Sears Matter, the FTC requires that Sears obtain affirmative express consent from consumers before installing any future tracking applications.
The FTC Principles are also based on existing FTC law and policy, and therefore companies may want to review the enforcement actions the FTC has brought against companies that have violated similar requirements outside the behavioral advertising realm. For example, with regard to Transparency, the FTC brought an action against ValueClick in part because of its failure to clearly and conspicuously disclose key terms in an advertising campaign which offered free merchandise in exchange for consumer participation in third party offers. As for Reasonable Security, and Limited Data Retention, for Consumer Data, the FTC brought actions against retailer TJX and data brokers Reed Elsevier and Seisint for failing to provide adequate security for consumers’ data. Regarding Affirmative Express Consent for Material Changes to Existing Privacy Promises, the FTC brought an action against Gateway Learning (known for "Hooked on Phonics") because it rented its customers' personal information to target marketers contrary to explicit promises made in its privacy policy, and because, after collecting consumers’ information, Gateway Learning changed its privacy policy to allow it to share the information with third parties without notifying consumers or getting their consent. Further, with regard to the Principle requiring Affirmative Express Consent to (or Prohibition Against) Using Sensitive Data for Behavioral Advertising, the FTC brought the enforcement action against Sears, for its extensive behavioral tracking without informed affirmative express consent.
Finally, as noted, the 2009 events discussed in this Article have intensified concerns about the tracking of consumers without adequate disclosures. However, these events, along with the FTC's four Principles, provide important lessons which will benefit companies working to address consumer and congressional concerns as well as to avoid becoming the next target of an FTC enforcement action.
If you have any questions regarding this Alert, please contact Susan at 303-256-7046 or sgindin@ir-law.com. Susan has been practicing in the areas of data privacy & security, advertising, electronic contracting, and intellectual property law for over fourteen years.
Attorney Advertising. This publication is intended to provide clients with information on recent legal developments. It should not be construed as legal advice or a legal opinion on specific facts or circumstances. The content is intended for general information purposes only. Please consult licensed legal counsel if you have any further questions regarding your specific legal situation. This does not create an attorney-client relationship between any reader and the Firm.
© 2009 Susan E. Gindin. Susan is Of Counsel, Intellectual Property & New Media Group, Isaacson Rosenbaum P.C., Denver, and she has concentrated on data privacy and security, electronic contracting, advertising, and intellectual property law for over fourteen years. She is also the author of Lost and Found in Cyberspace: Informational Privacy in the Age of the Internet, 34 San Diego L. Rev. 1153 (1997) http://www.info-law.com/lost.html; Guide to E-Mail & the Internet in the Workplace, Bureau of Nat'l Affairs, Inc. (1999) http://www.info-law.com/guide.html; Current Issues in Drafting Electronic Transaction Agreements, Colo. Bar Ass'n (2002); When Are A Posted Privacy Policy and "Enforceable" Terms Of Use Not Enough? Lessons Learned and Questions Raised by the FTC’s Action Against Sears, 8 Nw. J. Tech. & Intell. Prop.
(forthcoming Fall 2009); The Details Are In Your Online Contract? Think Again! and Nobody Reads Your Privacy Policy? It's Time for a New One!
See, e.g., Jon Leibowitz, Comm'r, FTC, So Private, So Public: Individuals, The Internet & The Paradox Of Behavioral Marketing, Ehavioral Advertising: Tracking, Targeting & Technology, Nov. 1, 2007 at 6, available at www.ftc.gov/speeches/leibowitz/071031ehavior.pdf (discussing the FTC's position regarding behavioral advertising: "So what should the Commission do? Well, sometimes the answer to problems in cyberspace is clear, like in the case of unfair and deceptive nuisance adware. Put the malefactors under order. Disgorge their profits. Pass a law giving the FTC the authority to impose fines. For behavioral marketing, the solution is not so certain. Behavioral marketing is complicated. In some cases the privacy tradeoff may make sense. But one thing is clear: the current “don’t ask/don’t tell” mentality in online tracking and profiling needs to end.")
Cecilia Kang, My Chat with Representative Boucher on His Privacy Bill, Wash. Post, Oct. 23, 2009 http://voices.washingtonpost.com/posttech/2009/10/my_chat_with_rep_boucher_on_hi.html
Rep. Rick Boucher, Behavioral Ads: The Need for Privacy Protection, The Hill, Sept. 26, 2009 http://thehill.com/special-reports/technology-september-2009/60253-behavioral-ads-the-need-for-privacy-protection.
For example, Leibowitz has made the following statements regarding regulation of behavioral marketing: “[W]e have to face the fact that the current model is not working. . . . if there isn’t an appropriately vigorous response, my sense is that Congress and the Commission may move toward a more regulatory model.”). Remarks for CDT Dinner (March 10, 2009) http://www.ftc.gov/speeches/leibowitz/090310remarksforcdtdinner.pdf
Stephanie Clifford, Fresh Views at Agency Overseeing Online Ads, N.Y. Times, Aug. 5, 2009, available at
In fact, researchers have shown that there is really no such thing as non-personally identifiable information because nearly all so-called anonymized data can be identified with a particular person. See, e.g. www.info-law.com/lost.html; Seth Schoen, What Information is “Personally Identifiable”? Electronic Frontier Foundation, Sept. 11, 2009, available at https://www.eff.org/deeplinks/2009/09/what-information-personally-identifiable. According to FTC staff, the FTC is skeptical of the ability to keep this data anonymous. See e.g. the response from the FTC’s Vladeck, to the question from the New York Times:
See Stephanie Clifford, Ads Follow Web Users, and Get More Personal, N.Y. Times, July 30, 2009 available at http://www.nytimes.com/2009/07/31/business/media/31privacy.html?_r=1&emc=eta1.
Joseph Turow, Jennifer King, Chris Jay Hoofnagle, Amy Bleakley, and Michael Hennessy, Americans Reject Tailored Advertising and Three Activities that Enable It (Sept. 29, 2009) available at http://graphics8.nytimes.com/packages/pdf/business/20090929-Tailored_Advertising.pdf.
Rep. Rick Boucher, Behavioral Ads: The Need for Privacy Protection, The Hill, Sept. 26, 2009 http://thehill.com/special-reports/technology-september-2009/60253-behavioral-ads-the-need-for-privacy-protection: