In December, 2007, the Federal Trade Commission issued proposed voluntary guidelines for online behavioral advertising. (Online behavioral advertising refers to the tracking of a consumer's activities online over time in order to deliver advertising targeted to the individual consumer's interests.) At that time, the FTC stated that it favored a self-regulatory approach to online behavioral advertising and encouraged the advertising industry to develop guidelines and a mechanism for monitoring compliance. The FTC issued revised guidelines in February of this year, and in July, five advertising and consumer groups issued their own voluntary guidelines for online behavioral advertising (hereinafter called Industry Guidelines). (We summarized the FTC's revised principles in a previous client alert.)
The seven principles in the Industry Guidelines address Education, Transparency, Consumer Control, Data Security, Material Changes, Sensitive Data and Accountability.
The voluntary Industry Guidelines largely mirror the FTC's guidelines. The Industry Guidelines provide an opt-out structure for the collection and use of data for online behavioral advertising purposes, with two exceptions. An opt-in structure is proposed for the collection and use of sensitive data (i.e., data from children under 13 and financial and medical data) and data collected or used by service providers. In addition, all entities should obtain consent before applying any material change to their online behavioral advertising data collection and use policies prior to such change. The Industry Guidelines also call for clear and conspicuous notice about online behavioral advertising practices and an easy to use mechanism for exercising choice, but do not require specific kinds of language or mechanisms. Finally, the Industry Guidelines indicate that the industry will develop a self-regulatory enforcement program that will include monitoring, a way for consumers, competitors and government agencies to submit complaints, and public reporting of non-compliance.
The Industry Guidelines do not apply to contextual advertising (i.e., advertising based on the content of the web page being visited, a consumer's current visit to a web page, or a search query) or a web site's collection of viewing behavior solely for its own uses.
The Industry Guidelines recognize that several different kinds of entities are engaged in online behavioral advertising, that consumers are not always aware of the presence or actions of these entities, and that some entities (such as Internet service providers) have access to more consumer data than other entities. These entities include First Parties (the owner of a web site, or the web site of an Affiliate, where data is collected regarding web viewing behaviors, by the First Party on behalf of itself, its Affiliates and/or its advertising partners), Affiliates (an entity that controls, is controlled by, or is under common control with, another entity), Third Parties (an entity engaging in online behavioral advertising on a non-Affiliate's web site), and Service Providers (an entity that collects and uses data from all or substantially all URLs traversed by a web browser across web sites for online behavioral advertising in the course of the entity's activities as a provider of Internet access service, a toolbar, an Internet browser, or comparable desktop application or client software and not for its other applications and activities).
The Guidelines provide different notice, choice and data security requirements for each kind of entity. For example, Third Parties and Service Providers should provide notice which discloses:
(a) The types of data collected online, including any personally identifiable information for online behavioral advertising purposes;
(b) The uses of such data, including whether the data will be transferred to a non-Affiliate for online behavioral advertising purposes;
(c) An easy to use mechanism for exercising choice with respect to the collection and use of the data for online behavioral advertising purposes or to the transfer of such data to a non-Affiliate for such purpose; and
(d) The fact that the entity adheres to the Industry Guidelines.
In addition, Third Parties should also provide "enhanced notice" in one of two ways: (1) by providing a link to their notice of their data collection practices (with the link appearing in or around the advertisement delivered on the web page where data is collected or on the web page where the data is collected if there is an arrangement with the First Party for the provision of such notice) or (2) by being identified in a list of Third Parties maintained on an industry-developed web site (that is linked from the Third Party's notice) or, if agreed to by the First Party, in the disclosure on the web page where data is collected for online behavioral advertising purposes.
Online behavioral advertising is clearly a hot button issue right now. Congress held hearings on this issue earlier this summer, and Rep. Rick Boucher is expected to introduce legislation governing online behavioral advertising by the end of September. Jon Leibowitz, the recently-appointed chairman of the FTC, said in an interview "It's not clear that [marketers] are moving far enough or fast enough, even though they're making some progress," and that he supports making more of the targeted ads on the Internet "opt-in". It remains to be seen whether these Guidelines will satisfy Congress and the FTC, or if Congress and the FTC see a need for federal legislation regulating online behavioral advertising. A copy of the Self-Regulatory Principles for Online Behavioral Advertising can be found on the Loeb & Loeb LLP web site here.
FTC Alleges Sears.com and Kmart.com Failed to Adequately Disclose Data Collection Practices
The FTC announced a settlement with Sears Holdings Management Company relating to tracking software available on the sears.com and kmart.com web sites. The FTC alleged that Sears failed to adequately disclose the scope of the tracking software which was described in a lengthy user agreement that was accessed only after a multi-step registration process.
According to the FTC's complaint, Sears invited certain consumers visiting the sears.com and kmart.com web sites to become members of the "My SHC Community." Sears invited these consumers to "participate in exciting, engaging, and on-going interactions" and paid consumers $10 to participate. As part of this process, Sears asked consumers to download "research" software that it said would confidentially track their "online browsing." However, the FTC alleged that the software also monitored consumers' online secure sessions - including sessions on third parties' web sites - and collected information transmitted in those sessions, such as the contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size of web-based e-mails.
According to the complaint, Sears disclosed the full extent of the information the software tracked in a lengthy user license agreement, available to consumers at the end of a multi-step registration process. The FTC charged that Sears' failure to adequately disclose the scope of the tracking software's data collection was deceptive and violates the FTC Act. The proposed settlement calls for Sears to stop collecting data from the consumers who downloaded the software and to destroy all data it had previously collected. In addition, if Sears advertises or disseminates any tracking software in the future, it must clearly and prominently disclose the types of data the software will monitor, record, or transmit. This disclosure must be made prior to installation and separate from any user license agreement. Sears must also disclose whether any of the data will be used by a third party.
This client alert is a publication of Loeb & Loeb LLP and is intended to provide information on recent legal developments. This client alert does not create or continue an attorney client relationship nor should it be construed as legal advice or an opinion on specific situations. For more information, please contact a member of Loeb & Loeb's Advertising and Promotions Group.
Circular 230 Disclosure: To assure compliance with Treasury Department rules governing tax practice, we inform you that any advice (including in any attachment) (1) was not written and is not intended to be used, and cannot be used, for the purpose of avoiding any federal tax penalty that may be imposed on the taxpayer, and (2) may not be used in connection with promoting, marketing or recommending to another person any transaction or matter addressed herein.