By Robert J. Driscoll, Paul Glist and Jennifer Small
On July 2, 2009, a group of advertising industry associations published the Self-Regulatory Principles for Online Behavioral Advertising (PDF)—a set of guidelines concerning the collection and use of online behavioral data by advertisers, service providers, publishers and ad networks.
The principles, drafted by the American Association of Advertising Agencies (4A’s), the Association of National Advertisers (ANA), the Direct Marketing Association (DMA), the Interactive Advertising Bureau (IAB) and the Council of Better Business Bureaus (BBB), focus on the areas that the Federal Trade Commission (FTC) has identified as desirable for industry self-regulation. The principles set forth recommended practices for providing consumers with greater control over online behavioral advertising.
These proposed self-regulatory principles arise against a backdrop of growing political and consumer awareness of privacy issues. FTC Chairman Jon Leibowitz has twice warned the industry that it is facing the “last clear chance” to avoid specific governmental regulation. The FTC has stepped up enforcement action in the area, recently proposing an order against Sears that treats formal notices of Web tracking buried in fine print as “unfair” or “deceptive” under current law.
This advisory provides a brief overview of the new principles. Businesses involved in online behavioral advertising should be aware of them and consider taking steps toward their implementation.
Of particular note is an enhancement of consumer notice and education about the collection and use of predictive profiling information, with new, easier-to-use tools for consumers to “opt out” of such collection and use by online ad networks. In addition, the principles propose more significant restrictions on service providers—specifically, Internet service providers and providers of desktop application software such as browsers and tool bars—who would be permitted to engage in the collection and use of data for online behavioral advertising purposes only on an “opt in” basis.
The principles do not address display advertising or contextual advertising; rather, they focus on advertising targeted to the user based upon data regarding that user’s activities across various Web sites, a practice that has attracted considerable political attention.
The proposed requirements are summarized briefly below.
- Transparency. Online behavioral advertising will be accompanied by enhanced notice to consumers. Among other things, the principles contemplate that a uniform link or icon indicating that behavioral data is being collected will be displayed in or around behavioral ads. In addition, ad networks and other entities that collect and use data from others’ Web sites would be required to include notices of their online behavioral advertising practices on their Web sites, along with a mechanism for consumers to opt out of the collection and use of behavioral data. Service providers would also be required to provide online notices of their behavioral advertising practices, and Web sites at which behavioral data is collected would be required to display links to the ad networks’ notices.
- Consumer control. The principles require entities involved in online behavioral advertising to provide users with a means of controlling the collection and use of data relating to them. Ad networks could satisfy this obligation by providing a means for consumers to opt out of such data collection and use. Service providers, on the other hand, would be prohibited from collecting or using data for online behavioral advertising purposes without securing affirmative consumer consent, i.e., by deploying an opt-in mechanism.
- Data security. Data will be reasonably secured and discarded when no longer necessary to fulfill a legitimate business or law enforcement purpose. This principle extends to offer reasonable assurances that the anonymization process will prevent the re-identification of anonymized profiles.
- Material changes. Consent is required for any retroactive material change in the use of collected data.
- Sensitive data. Children known to be under 13 are provided additional protections, as is health and financial data. The principles note that what is “sensitive” information may change over time.
- Accountability. Enforcement of the principles will be handled principally by nongovernmental bodies, perhaps analogous to the Children’s Advertising Review Unit of the Better Business Bureau with respect to children’s advertising issues. Enforcement mechanisms may include internal and third-party monitoring and self-reporting systems, and possible reports to the applicable government agencies in the event of an uncorrected violation.
- Education. Participants are encouraged to educate individuals and businesses about online behavioral advertising. It has been reported that industry groups expect to conduct a large educational campaign—on the order of 500,000,000 impressions—over the next 18 months.
Currently key House members are drafting new legislation on online privacy. We expect that even if such legislation is pursued, it may still provide room for effective self-regulatory programs to operate. In the meantime, the BBB will spearhead implementation of the Self-Regulatory Principles for Online Behavioral Advertising, with an implementation program expected to be launched by early 2010.