Skip to content

It looks like we may have content for your preferred language. Would you like to view this page in English?

FTC Staff Issues Revised Principles and Guidance for Online Behavioral Advertising

In December, 2007, Federal Trade Commission staff issued proposed principles for online behavioral advertising. Last week, the Commission staff issued a report (approved by the Commission) that includes slightly revised principles for online behavioral advertising and some specific suggestions for companies engaged in these practices.

The principles are part of a self-regulatory program which, the FTC admits, is still a work in progress. And with a new administration in Washington, it's not clear if the FTC will continue to support a self-regulatory program or switch gears and encourage Congress to enact legislation in this area. Moreover, the principles are guidelines and do not affect the obligation of any company - whether or not its advertising is covered by the principles - to comply with all applicable state and federal law.

In preparing the revised principles, the FTC staff examined consumer expectations regarding behavioral advertising practices; whether such practices are transparent; the potential for consumer harm; and "the need to maintain vigorous competition in the online marketplace and avoid stifling innovation."

In general, the revised principles follow the earlier principles in suggesting that web sites:

  1. disclose their data collection practices tied to online behavioral advertising;
  2. disclose that consumers can opt-out of these practices and provide a mechanism for opting out;
  3. provide security for consumer data and retain it only as long as necessary;
  4. for companies that revise their privacy policy, obtain affirmative express consent before using consumer data in ways that are materially different from the privacy policy that was in effect when the data was collected; and
  5. obtain affirmative express consent before using sensitive consumer data.

The most significant change in the revised principles is that they do not apply to "first party" advertising, i.e., behavioral advertising by and at a single website where no data is shared with third parties, or to "contextual advertising," i.e., where an ad is based on a consumer's current visit to a single web page or single search query and where no consumer data is retained beyond the immediate delivery of the ad or search result.

Below is a more detailed discussion of the FTC staff's report and revised principles.

Scope of the Principles
The report defines online behavioral advertising as "the tracking of a consumer's activities online over time - including the searches the consumer has conducted, the web pages visited, and the content viewed - in order to deliver advertising targeted to the individual consumer's interests."

The revised principles narrow their scope by clarifying that this definition "is not intended to include 'first party' advertising, where no data is shared with third parties." Examples of "first party" data collection and use include product recommendations, tailored content, shopping card services, fraud detection and security. The principles also do not apply to "contextual advertising," where an ad is based on a single visit to a web page or single search query. The FTC staff cautioned that it construes "contextual advertising" narrowly and that if data is retained for future use, the marketer is not engaging in contextual advertising.

The FTC staff declined to limit the scope of the principles by having them apply only to personally identifiable information (PII); instead, having determined that "the traditional notion of what constitutes PII versus non-PII is becoming less and less meaningful," the Commission staff suggested that the principles apply to "any data collected for online behavioral advertising that reasonably could be associated with a particular consumer or with a particular computer or device." Such data can include "clickstream data that, through reasonable efforts, could be combined with the consumer's website registration information; individual pieces of anonymous data combined into a profile sufficiently detailed that it could become identified with a particular person; and behavioral profiles that, while not associated with a particular consumer, are stored and used to deliver personalized advertising and content to a particular device."

The Four Principles
The revised principles are the same as those issued in 2007: (1) transparency and consumer control, (2) reasonable security and limited data retention for consumer data, (3) affirmative express consent for material changes to existing privacy promises, and (4) affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising.

The revised first principle retains the same guidance: web sites should provide a clear, prominent, consumer-friendly disclosure that (1) data is being collected to provide advertising tailored to an individual's interests, and (2) consumers can choose whether or not to have their information collected for this purpose. Web sites should also provide consumers with a clear, easy to use method for opting-out.

The revised principles expand on this guidance by stating that "where data collection occurs outside the traditional web site context, companies should develop alternative methods of disclosure and consumer choice that meet the standards described above (i.e., clear, prominent, easy to use, etc.)" In the commentary, the FTC staff described some ways web sites are notifying consumers of their online behavioral advertising practices. For example, a disclosure "Why did I get this ad?" that is located in close proximity to an advertisement and links to the pertinent section of a privacy policy explaining how data is collected for purposes of delivering targeted advertising could be an effective way to communicate with consumers, according to the report, and "is likely to be far more effective than a discussion (even a clear one) that is buried within a company's privacy policy."

The guidance relating to the second principal also remains the same: any company that collects and/or stores consumer data for behavioral advertising should provide reasonable security for that data and should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need. The type of protections afforded consumer data should be based on the sensitivity of the data, the nature of the company's business operations, the types of risk a company faces, and the reasonable protections available to a company.

Regarding changes to a privacy policy and obtaining consumer consent before using consumer data in new ways, the revised third principle states that this applies only to retroactive changes and not to prospective changes in a privacy policy. Thus, if a company makes material changes to its privacy policy, it should obtain affirmative express consent from consumers (i.e., an opt-in) before using consumer data collected prior to the change in ways that are materially different from the ways allowed under the privacy policy that was in effect when the data was collected. But if a company changes its privacy policy and then proceeds to collect new data under the new policy, it may be sufficient to provide notice and an opt-out, depending on the nature of the change and the type of information collected.

The fourth principle remains the same: companies should obtain affirmative, express consent before using sensitive data. Although the FTC declined to specifically define the term sensitive data, in the commentary the Commission staff stated that it includes financial data, data about children, health information, precise geographic location information, and Social Security numbers.

The report describes several developments that have taken place since the proposed principles were issued in 2007, such as revised guidelines released by the Network Advertising Initiative, Google's and Yahoo's announcements that they would retain data for shorter amounts of time, technological improvements that allow consumers to configure their browser so that browsing and searching histories are not saved, and industry educational programs to inform consumers about online tracking. However, the FTC staff thinks that industry needs to do more, especially in the area of enforcement. In the report, the FTC staff called upon industry to redouble its efforts in developing self-regulatory programs and to ensure that any such programs include meaningful enforcement mechanisms. The FTC staff stated that "self-regulation can work only if concerned industry members actively monitor compliance and ensure that violations have consequences." The FTC staff stated that it would continue to monitor the development of self-regulatory programs and conduct investigations, where appropriate, to determine if online behavioral advertising practices violate Section 5 of the FTC Act.

This client alert is a publication of Loeb & Loeb LLP and is intended to provide information on recent legal developments. This client alert does not create or continue an attorney client relationship nor should it be construed as legal advice or an opinion on specific situations. For more information, please contact a member of Loeb & Loeb's Advertising & Media Group.

Circular 230 Disclosure: To assure compliance with Treasury Department rules governing tax practice, we inform you that any advice (including in any attachment) (1) was not written and is not intended to be used, and cannot be used, for the purpose of avoiding any federal tax penalty that may be imposed on the taxpayer, and (2) may not be used in connection with promoting, marketing or recommending to another person any transaction or matter addressed herein.