FTC Behavioral Advertising Principles Reinforce Self-Regulation

The principles came with a stern warning from Commissioner Jon Leibowitz. “This could be the last clear chance to show that self-regulation can -- and will -- effectively protect consumer’s privacy,” he said in a concurring statement. Commissioner Pamela Harbour also warned that more regulation could be on the horizon, saying she continues to support comprehensive privacy legislation. “Last fall, the Commission expressed ‘cautious optimism’ for a self-regulatory approach to online advertising,” she said. “Today’s staff report reflects more optimism, but less caution -- even though nothing has happened to justify a change in tone.”

The new principles focus on transparency and consumer control; security and data retention; consent for material changes to privacy promises; and consent for using sensitive data. They don’t distinguish between personally identifiable information and non-personally identifiable information, which prompted industry groups to tell the FTC the principles were too broad. FTC staff, however, said in the report that “the traditional notion of what constitutes PII and non-PII is becoming less and less meaningful.” It’s becoming increasingly possible to identify people through information once considered generic, the FTC said, and consumers are concerned about the overall idea of data collection. FTC staff said the principles should apply to any data that “reasonably could be associated with a particular consumer or with a particular computer or device.” Including information that tends to identify a person is a bright spot in a document that missed a lot of low-hanging fruit, according to Chris Hoofnagle, director of information privacy programs at the Berkeley Center for Law and Technology.

Hoofnagle said the principles depend upon the same regulatory scheme that existed for telemarketing prior to the Do Not Call list. Opting out on a company by company basis is a system “calculated to fail,” he said, because the cumulative burden on the consumer becomes so great that consumers don’t opt out. The FTC has been forced into a narrow intellectual framework that says only self-regulation is acceptable, said Jeff Chester, executive director of the Center for Digital Democracy. “I see this document as the last official act of the Bush administration,” he said, saying it remains to be seen how the Obama administration will address behavioral advertising.

Unlike several of the privacy advocates who found little improvement to consumer protection in the document, the Center for Democracy & Technology did find areas of progress. The scope of data covered is broader than existing self- regulatory regimes, said CDT’s Alissa Cooper, as is the disclosure and notice called for in the principles. The principles call for “clear, concise, consumer-friendly and prominent” disclosure, including the choice about whether to allow data collection. The report encourages companies to create this disclosure outside the privacy policy, which Cooper said would be a higher standard because existing self- regulatory guidelines allow for notice within privacy policies. Consumer advocates often see placing notice within the privacy policy as ineffective because the policies are long and difficult to read, and because consumers often assume that having a privacy policy means the company isn’t collecting data. CDT did wish the FTC had addressed ISP deep-packet inspection, however.

The principles clearly seem to be the last opportunity for industry to effectively regulate itself, said Jules Polonetsky, director of the Future of Privacy Forum. While the focus in the past has been on advertising networks, the new document directs Web sites to take responsibility for communicating with their customers, he said. Further, the report and commissioners’ statements gave very specific examples of areas where industry should work with advocates to come up with new ideas, he said -- for example, in coming up with an alternative to cookies to keep track of who’s opted out.

A recently formed industry task force, composed of the Interactive Advertising Bureau, Association of National Advertisers, Direct Marketing Association and American Association of Advertising Agencies, said it supports the idea of a “comprehensive and effective self-regulatory program” and will continue its work to meet the FTC’s challenge. Yahoo also applauded the self-regulatory model. Its “relationship of trust” with its users makes it a stronger business when “customers understand we offer compelling, innovative services within a trusted environment,” said Anne Toth, vice president of policy and head of privacy, in a statement.

The FTC’s work shows how complex this issue is and how much ongoing dialogue needs to occur, said Justin Weiss, associate counsel for the Network Advertising Initiative. “It’s very much an endorsement of the promise of self- regulation, but that requires more work to get there,” he said. The FTC guidelines on PII and non-PII are clearly different and will require further study, he said.

Google’s statement, which said self-regulation is the best approach but also advocated comprehensive privacy legislation, was met with contempt by Chester, who said Google pushes for the least restrictive privacy requirements. There’s a danger its close relationship with the Obama administration could enable weak legislation to make its way through Congress, he said.

The principles’ treatment of children, “sensitive information,” contextual advertising and first-party advertising particularly galled privacy advocates. Coriell Wright, of the Institute for Public Representation at Georgetown Law, said the principles didn’t address the unique vulnerability of children and teenagers. Youth are both unable to understand the dangers involved when their information is collected and are especially attractive to marketers, she said. She commended Leibowitz, who said in his statement that “perhaps more companies should simply say ‘hands off’ when it comes to targeting ads to children based on their online activities.”

Weiss said the advertising to children debate is a fairly narrow topic for the NAI, which doesn’t cover contextual ads. The NAI’s new guidelines, released in December, say that members won’t create categories targeting children under the age of 13 without verifiable parental consent -- the NAI’s first attempt to articulate a principle in this area, he said. It’s unclear how consent would work, especially with non-PII, but the NAI decided to model itself on COPA language, he said. Whether that guideline would ever be extended to teenagers remains to be seen. The NAI continues to monitor the public debate on advertising to children and teens, Weiss said, but “at this stage we thought the best anchor for us was to try to use the COPA ‘13 or under’ concept.”

After industry comments objected to including first- party advertising in the principles, the FTC reviewed the subject and determined that first-party advertising didn’t raise the same concerns as network or third-party advertising and could be excluded from the principles. First-party data collection and use would include product recommendations and other personalized content that consumers receive when they return to the same Web site. “Given the direct relationship between the consumer and the website, the consumer is likely to understand why he has received the targeted recommendation or advertisement and indeed may expect it,” the FTC said. The clear relationship also makes it easier for a consumer to raise concerns or opt out, it said. Similarly, the FTC determined that contextual advertising didn’t need to be included in the principles because the practice is more transparent, often expected and poses fewer privacy concerns.

The question of what constitutes sensitive information has been thorny, and the FTC didn’t help clarify matters, said Pam Dixon, executive director of the World Privacy Forum. “We were looking to the Federal Trade Commission to set specific standards,” she said. Instead, it punted by encouraging industry and advocates to develop specific standards, she said.

In her statement, Harbour said she hopes the report reinvigorates “serious dialogue.” She also asked fellow commissioners to consider requiring a staff report by summer 2010 examining the efficacy of self-regulation and suggested a series of roundtable discussions on effective privacy notices.