Can New FTC Chair Sustain Light Touch for Oversight of Behavioral Advertising?

Will President Barack Obama's choice for Federal Trade Commission (FTC) chair, Commissioner Jon Leibowitz, maintain the FTC's recently revamped self-regulatory approach to the collection and use of information about consumers' online activities, i.e., behavioral advertising, which has come under increasing criticism from consumer rights advocates? Federal and state lawmakers are threatening to adopt legislation if online advertising industry self-regulation proves ineffective; Leibowitz himself, who appears frustrated by the lack of “meaningful, rigorous self-regulation,” recently urged the industry to do better or face legislation by Congress or actual regulation by the FTC.

The new FTC chair appears to favor more transparent notice and opt-in requirements for the collection and use of personal information than were recently adopted by the full commission, as well as a hands-off approach for targeting ads to children based on their online activities. With heightened regulation potentially on the horizon, now may be the last chance for the industry to craft effective consumer-friendly self-regulatory solutions.

FTC's revised self-regulatory approach

The FTC last month issued a report titled “Self Regulatory Principles for Online Behavioral Advertising” (“Principles”), in which the agency revised (but did not jettison) the self-regulatory principles it had proposed a year earlier. As explained in the report, the revised Principles are intended to balance the benefits of behavioral advertising to consumers, including free online content and personalization, against the privacy concerns that the practice raises, including the lack of transparency of the data collection process to consumers and the risk that certain sensitive information, including information related to a person's health, finances or children, could be obtained by the wrong entity or used for unanticipated purposes.

The revised Principles clarified that self-regulation should extend beyond traditional concepts of personally identifiable information to cover practices involving information that “could reasonably be associated with a particular consumer or computer or other device” (e.g., Internet Protocol (IP) addresses, cookie data). The essential requirement of the FTC's revised Principles is provision of clear and conspicuous notice concerning what data about the consumer's online activities is being collected and the ability of the consumer to choose not to have that information collected, i.e., the ability to “opt out.”

The Principles also establish a distinction in treatment of “sensitive data,” such as information about health conditions, sexual orientation or children's online activities, for which consumers have to provide express affirmative consent, i.e., the requirement for “opt-in.” The Principles call for reasonable security measures and limitations on the length of time that data is stored in company databases. In a separate concurring statement, Leibowitz acknowledged recent activities to reinvigorate efforts to protect consumer privacy but cautioned that “ it is uncertain whether these fledgling efforts will fulfill their promise.”

The most significant modifications adopted in the revised Principles include:

• The FTC's revised Principles include an expanded definition of “PII.” PII now covers (1) profiles that are so rich in detail that identity may be inferred, and (2) profiles that, while not associated with an individual, are stored and used to deliver targeted advertising “to a particular device.” In context, the immediate practical effect is to require at least an opt-out from profiles used to deliver online ads. However, the approach could eventually translate into applying full privacy requirements to set-top data stored by unique although anonymous identifiers, and to treating (at least static) IP addresses as PII.

• The FTC urged that privacy notices are not effective ways to communicate profiling activities or customer options, and encourages industry to develop notices that break through clutter, appear in context and present choices such as opt-out. The FTC warns that unless this approach is followed, it will be hard to show the “affirmative express consent” it proposes for collecting sensitive information (such as health-related data) and for retroactive changes in policies with respect to previously collected information. The FTC also reinforced its belief that prechecked consent boxes or disclosures in privacy policies or terms of use are unlikely to suffice as “affirmative express consent.”

• The FTC encouraged companies to retain data only for so long as needed for legitimate business purposes or law enforcement.

The FTC retreated from its earlier expansive reach, which would have applied the Principles to the collection of use records on a “first-party” site for customizing the users' experience and ads, and to the use of  nonstored (transitory) surfing patterns to deliver contextual ads. Moreover, the report states that even for first-party uses, if the entity that collects the data then shares it with third parties for purposes of behavioral advertising, compliance with the Principles would be required.

While the FTC's Principles do not establish the comprehensive legal framework at the federal level that some believe is necessary to address collection and disclosure of personal information on the Internet for advertising purposes, existing laws, rules and policies administered by the FTC do currently require clear and conspicuous disclosures to prevent deception and possible consumer harm.

Existing FTC rules also generally impose requirements governing data security. Still, as now Chairman Leibowitz observed in his concurring statement to the FTC Order approving the DoubleClick-Google merger, “online tracking and ad targeting have become more sophisticated, more pervasive, and more granular” and while he believes that the FTC Principles are a good first step, “industry participants must stop being coy and start being more forthcoming about their practices, the consumer information they collect, and how they use it.”

States propose enforceable regulation

Seemingly dissatisfied with the light touch federal regulators have thus far adopted for online advertising, legislators in four states—New York, Connecticut, Massachusetts and Ohio—proposed bills in 2008 governing online behavioral advertising (OBA) to regulate information collected about individual Web site visitors and used to customize advertisements. While many have called into question the authority of these states to regulate online activities, the bills likely will receive continued legislative consideration and may presage other state or even federal proposals in 2009. That the FTC now has adopted self-regulatory Principles seems unlikely to deter the legislative proposals.

In early spring of last year, legislators in New York and Connecticut, unsatisfied with the federal self-regulatory approach, proposed state legislation that would impose enforceable limitations on the collection and use of online consumer data. These laws would prohibit the use of sensitive PII (social security numbers, private medical information, sensitive financial information and sexual orientation) for targeted advertising without consent and would require online advertisers to provide consumers the ability to opt out of the collection and use of non-PII.

Sen. Richard Brodsky, a Democrat from Westchester County, proposed the New York bill in the wake of the proposed (now approved) DoubleClick-Google merger. Massachusetts and Ohio introduced legislation closely resembling the Connecticut bill later in the year. The Connecticut model is similar to the FTC Principles as modified by some of the parties commenting in that proceeding.

All but New York would regulate online advertisers directly but would regulate Web sites indirectly by requiring ad networks to include certain notice requirements in their contracts with Web sites. New York goes a step further and imposes nearly all of the same requirements on Web sites as it would impose on the advertising companies.

In essence, all four state bills would:

• Require ad networks to post clear and conspicuous notice on their Web sites about the type of information collected, how it will be used and procedures for opting out of such data collection and use, including information about when consumers would need to renew their opt-out preferences.

• Require any ad network that materially changes its data collection and use practices to post prior notice of such change on its Web site, and limit application of any material changes in data collection to information collected after the change in policy is publicized unless notice and ability to opt out are provided to consumers.

• Prohibit the collection or use of sensitive PII without the consumer's prior consent.

• Prohibit the merger of PII and non-PII without the consumer's prior consent.

• Require clear notice and an ability to opt out of the collection and use of non-PII. Consistent with recent case law, Ohio also defines IP addresses as non-PII.

• Empower the state attorney general to investigate and bring actions to enjoin violations and impose fines ranging from $250 (N.Y.) to $3,000 (Ohio) per violation, and provide for treble damages where a pattern of violations is established. Ohio's bill provides an alternative self-regulatory approach provided it is equivalent to the state law and approved by the attorney general.

The state legislation obviously gives rise to concerns that regulated entities could be subjected to widely varying and inconsistent standards for a service that is inherently interstate. It is inevitable that any state bills would be challenged in court as violating the Commerce Clause, because they would impede business that necessarily travels across state lines. Several courts already have concluded that the Commerce Clause commands that only Congress can pass legislation governing the Internet.

The bills proposed by New York, Connecticut, Ohio and Massachusetts are broader than any existing state privacy laws. Examples of existing state legislation include California's Online Privacy Act, and Nebraska and Pennsylvania laws that prohibit making false or misleading statements in privacy policies.

Congressional inquiry and class action targeting new behavioral ad model

A federal legislative fix also is not out of the question. On Aug. 1, 2008, the House Committee on Energy and Commerce sent to 33 Internet-based companies a letter inquiring into tailored online advertising practices. It cited a “growing trend” in this area and “questions” about potential applicability of privacy protections under the federal Electronic Communications Privacy Act (which, along with other, related parts of the U.S. Criminal Code, govern wiretaps and other “interceptions” of electronic communications, access to stored communications, and computer fraud and abuse) and the federal Cable Act.

The letter, which stated that the Committee sought “to better understand how companies may be engaged in efforts to target Internet advertising, the impact of such efforts on consumers, and broader public policy implications,” asked 11 detailed questions about the “hows,” “whens” and “under what circumstances” of OBA practices and gave companies a week to respond.

Service providers who received and responded to the letter include search engines such as Google and Yahoo!, and major and smaller cable-company and telco Internet Service Providers (ISPs). Google (and other large search portals) interpreted the questions as covering only “deep packet inspection” (DPI) by an ISP with a third party, and accordingly denied conducting any behavioral tracking. They went on to explain their known practices of tailoring ads based on search terms, which they link to IP records and cookies, while taking pains to note that ads are based on the immediate context of searches, rather than stored historical information, though they also described tracking usage on affiliated ad-supported sites to deliver “contextual” or “customized” ads.

Yahoo! acknowledged sending customized ads to broad categories (mostly), but not to sex- or health-related categories (around the time of the inquiry it had announced a user right to opt out from tracking, whereas Google did not allow opt-out from its Adwords process, though Google users can opt out of DoubleClick's ad-serving cookies). All the service providers endorsed self-regulatory efforts. Six ISPs indicated they had conducted trials of NebuAd's service for the purpose of providing anonymous tracking with no disclosure of personal information.

Not long after, in November 2008, a group of subscribers to the six ISPs' online services filed Valentine v. NebuAd as a putative class action against the ISPs and NebuAd in federal district court in San Francisco, alleging violations of federal and California wiretap, privacy and computer fraud laws, and related claims. Plaintiffs alleged that the online advertising trial resulted in unauthorized interceptions of and access to broadband subscribers' electronic communications, and that the ISPs participated in or were complicit with NebuAd's violations.

The complaint relies in large part on the academic study performed by Paul Ohm, a professor at the University of Colorado Law School, in which he concluded that the ISPs' participation in OBA means they are invading subscribers' privacy in order to deliver the ads. NebuAd has moved to dismiss the California claims and the six ISPs have all moved to dismiss for lack of jurisdiction (none had subscribers or activities in California) and for failure to state claims under the various counts in the complaint. The plaintiffs have counter-moved for leave to conduct jurisdictional discovery. Hearings have been tentatively scheduled on the plaintiffs' motions for late March.

DWT represents cable ISP Bresnan Communications in the NebuAd class action.

Online advertising industry adopts self-regulatory principles

In mid-December 2008, the National Advertising Initiative (NAI)—an organization of online advertising businesses—released a set of principles that are binding upon its members. Much like the FTC Principles and proposed state legislation, the NAI principles focus primarily upon providing notice and choice to consumers about the collection and use of information concerning their online behavior.

Under the NAI principles, all members must post notices describing their data collection, transfer and use practices. Such notice must include, among other things, the types of data collected, the use and transfer of data, and the types of non-PII that may be merged with PII. PII is defined to include a consumer's name, address, telephone number, email address, financial account number, Social Security number or any other data that can be used to identify, contact or precisely locate a person.

Much like the FTC, NAI initially published “draft” principles, on which it solicited public comment. The mid-December 2008 publication includes NAI's effort to incorporate these comments. Under the NAI principles, t he level of choice members must provide and honor to engage in OBA depends on the manner in which data is intended to be used, in order to make choice commensurate with any increased privacy implications of the data used.

In particular, use of non-PII for OBA purposes requires provision of consumer opt-out available on both the NAI member's Web site and on the NAI consumer Web site. For PII that is to be merged with non-PII for OBA purposes on a going -forward basis, provision of consumer opt-out accompanied by “robust notice” of such choice is required (with robust notice meaning clear and conspicuous notice about the scope of non-PII to be merged with the PII and how the merged data will be used for OBA, provided immediately above or before the mechanism used to authorize submission of PII), as is a choice mechanism available at the location where robust notice is provided.

For PII to be merged with previously collected non-PII for OBA purposes, consumer opt-in is required at the time the PII is collected online or, if collected offline, first used online. And consumer opt-in consent also is required for any use of “sensitive consumer information,” i.e., Social Security numbers and other government-issued identifiers, financial account and insurance plan numbers, precise real-time geographic location of an individual, and precise information about past, present or potential future health or medical conditions.

Significantly, in establishing restrictions, responsibilities and allowances for those following the NAI principles, the principles distinguish between OBA, which is limited to collection of data across multiple Web domains owned or operated by different entities to categorize likely consumer interest segments for use in advertising online, and “marketing purposes,” which is any collection, aggregation, analysis, maintenance, updating or sale of information to tailor content or services that allows or induces consumers to take action to purchase, rent or exchange products, property or services, to solicit a charitable donation, to utilize market research or market surveys, or to provide verification services to marketers. That is, the principles distinguish between uses of PII (and even more “sensitive” information) for tailoring ads compared to uses for audience measurement.

The NAI principles also include a category of “ad delivery and reporting” separate and distinct from OBA, which involves logging of page views or collection of other information about a browser for purposes of delivering ads or providing advertising-related services, including but not limited to providing a specific advertisement based on a particular type of browser or time of day; statistical reporting in connection with the activity on a Web site; and tracking the number of ads served on a particular day to a particular Web site.

A specific subcategory of “ad delivery and reporting” exists for “multi-site advertising,” consisting of ad delivery and reporting across multiple Web domains owned or operated by different entities. Many of the restrictions embedded in the NAI principles target only OBA, or only OBA and multi-site advertising, while other activities, such as ad delivery and reporting and marketing purposes, are not subject to some of the guidelines' requirements.

Moreover, it should be noted that other industry participants also have developed self-regulatory proposals, such as the State Privacy and Security Coalition (which consists of some of the same members as NAI—e.g., Yahoo!, Google—but also several significant others such as AOL, AT&T, Comcast and others), and the Consumer Privacy Legislative Forum (whose members include Microsoft and Hewlett-Packard), which is focusing not only on data use, but data breach protection as well.

As required by the proposed state bills, under the NAI principles, NAI members must also require (and police) any Web sites with which they have contracts to post notice of their OBA practices. In addition to notice, the NAI also requires that its members provide consumers with a choice concerning whether to allow the collection and use of information about its online behavior. The type of choice depends upon the type of data being collected. Sensitive PII, for example, requires affirmative consent, and parental consent is required when using behavioral targeting techniques on children younger than age 13.

More to come

It remains to be seen whether Chairman Leibowitz or other federal and state regulators will be willing to rely upon industry self-regulation or will feel the need to adopt new laws or regulations restricting the collection and use of information concerning online behavior. Some privacy groups and legislators already have said self-regulation is insufficient. Moreover, the NebuAd case will not likely provide a timely answer to the question of whether existing OBA practices violate wiretap and computer fraud laws or whether new legislation would be necessary to require different forms of notice or consent.

The issue may be at the forefront for the new administration, but with pressing economic issues it may not receive much attention, especially given that other privacy issues related to data breaches, spyware and identity theft dominate the headlines. Rep. Rick Boucher (D-Va.), the new chairman of the House Energy and Commerce Subcommittee on Communications, Technology, and the Internet, has indicated an interest, along with Rep. Cliff Stearns (R-Fla.), in reintroducing a bill that did not make it out of the last session called the “Consumer Privacy Protection Act” (H.R. 1636), which would require businesses to notify Internet users whenever they collect their personal data.

Boucher said the main purpose of that bill was to ensure that individuals receive notice of what personal information may be collected and how that information is used along with an opportunity to opt out of having their information gathered. It may be well into the next year before the tension between a uniform federal model and multiple inconsistent state models is resolved or before privacy advocates can persuade the FTC or legislators to require express consent for the collection of data and delivery of behavioral ads. One thing is certain: With Leibowitz at the helm of the FTC and Congressional action looming in the background, the issue is not going away anytime soon.