FTC regulation of behavioral advertising



The United States Federal Trade Commission (FTC) has been involved in oversight of the behavioral targeting techniques used by online advertisers since the mid-1990s. These techniques, initially called "online profiling", are now referred to as "behavioral targeting"; they are used to target online behavioral advertising (OBA) to consumers based on preferences inferred from their online behavior. During the period from the mid-1990s to the present, the FTC held a series of workshops, published a number of reports, and gave numerous recommendations regarding both industry self- regulation  and Federal regulation of OBA. In late 2010, the FTC proposed a legislative framework for U.S. consumer data privacy including a proposal for a "Do Not Track" mechanism. In 2011, a number of bills were introduced into the United States Congress that would regulate OBA.

Early history
“The Federal Trade Commission has been involved in addressing online privacy issues for almost as long as there has been an online marketplace.” The FTC is now responsible for the enforcement of a number of sector-specific privacy statues, including the Gramm-Leach-Bliley Act, the Children's Online Privacy Protection Act, the CAN-SPAM Act of 2003, and the Telemarketing and Consumer Fraud and Abuse Prevention Act (“Do Not Call Rule”).

In 1995, 1996, and 1997 the FTC held public workshops exploring consumer data privacy issues. At these workshops, online advertising industry advocates pressed for self-regulation, while privacy advocates argued that self-regulation could only be successful when backed up by “legally enforceable rights to information privacy”. Industry lobbyists argued for opt-out, which allows companies to use personal information for the purposes stated in a privacy policy or other form of notification, unless the consumer “opts-out” and notifies the company not to use the personal information in a certain manner, such as for marketing. Privacy advocates argued for prior affirmative consent, and suggested that software could be used by consumers to communicate their privacy preferences automatically.

In 1998, the FTC released a report in which it undertook a comprehensive review of commercial websites’ disclosures of their privacy practices and laid out the Fair Information Practice Principles (FIPPs). The report concluded that, “[a]s evidenced by the Commission’s survey results, and despite the Commission’s three-year privacy initiative supporting a self-regulatory response to consumers’ privacy concerns, the vast majority of online businesses have yet to adopt even the most fundamental fair information practice (notice/awareness)”.

The FTC held a further public workshop in 1999, and in May 2000, released a report which for the first time recommended that Congress pass online privacy legislation to create a basic level of data privacy protection for consumer-oriented commercial web sites.

In July 2000, the FTC recommended for the first time that legislation should be passed to protect Internet user’s privacy vis-à-vis online profiling. The FTC further stated that “backstop legislation addressing online profiling is still required to fully ensure that consumers’ privacy is protected online” and recommended that [technology neutral] legislation be passed that created a basic level of privacy protection for users of “consumer-oriented commercial websites with respect to profiling”. Under the FTC’s 2000 proposal, all online advertising networks and consumer-oriented commercial websites that allowed the collection of information from or about consumers would be required to implement and comply with the FIPPs.

Congress did not enact the FTC’s recommended legislation, and another decade would pass before the FTC again proposed legislation to regulate OBA.

FTC Commissioner Timothy Muris turned the FTC’s attention away from online privacy and OBA regulation in 2001, stating, “[t]he slowing of the growth of the Internet emphasizes the need to understand the cost of online privacy legislation…At this time, we need more law enforcement, not more laws”.

Return to regulatory focus
In 2006 the FTC once again took up the mantle of online privacy protection at the November 2006 FTC forum, “Tech-ade”, which examined the “key technological and business developments that will shape consumers’ core experiences in the coming ten years”. Participants at the forum described how technological advances in online profiling (now called “behavioral” advertising, targeting, or marketing), had allowed the practice to become more widespread and efficient.

Building on the Tech-ade hearings, the FTC hosted a town hall meeting in November 2007 focused specifically on the privacy implications of behavioral advertising practices called, “Ehavioral Advertising: Tracking, Targeting, and Technology”. The public meeting was prompted, in part, by the growth of behavioral advertising and the interest of large Internet companies in using such techniques to deliver narrowly targeted ads. These developments included Google’s plans to acquire DoubleClick, AOL’s interest in Tacoda, and Microsoft and Yahoo’s continued expansion of their own behavioral advertising products. They also included a presentation by eBay with a live demonstration of the ebay.com website, highlighting the first on ad links enabling consumers to opt out of behavioral ads via an eBay program called AdChoice.

In December 2007, the FTC promulgated a set of proposed “Principles” intended to provide a basis for the online advertising industry’s self-regulatory efforts to address privacy concerns. The Principles “call for companies to obtain affirmative express consent from consumers before they use data in a manner that is materially different than promised at the time of collection and before they collect and use 'sensitive' consumer data for behavioral advertising”.

The FTC followed up this 2007 report with a further report in 2009, which further clarified the self-regulatory principles. At the time, a coalition of consumer groups proposed a “Do Not Track List” in their comments to the 2007 town hall meeting.

The FTC’s 2010 report
In a December 2010 report, the FTC proposed a new regulatory framework for consumer data privacy, including a proposal for a “Do Not Track” mechanism which would allow Internet users to opt out of OBA.

In the report the FTC describes the limitations of the existing notice and choice model, which it states, “have become increasingly apparent in recent years”. The FTC states that the notice and choice-based model, “encourages companies to develop privacy notices describing their information collection and use practices to consumers, so that consumers can make informed choices”. However, “the notice-and-choice model, as implemented, has led to long, incomprehensible privacy policies that consumers typically do not read, let alone understand. Likewise, the harm-based model has been criticized for failing to recognize a wider range of privacy-related concerns, including reputational harm or the fear of being monitored”.

In order to address the issues with the notice-and-choice-based model, the FTC’s proposed privacy framework calls on companies to provide consumers with a meaningful choice in regards to OBA tracking, but sets forth “a limited set of data practices for which choice is not necessary” called “commonly accepted practices”. The commonly accepted practices include: Product and service fulfillment, internal operations, fraud prevention, legal compliance and first-party marketing, including contextual marketing.

OBA, along with deep packet inspection (DPI), are specifically noted as not “commonly accepted practices”. Furthermore, the report states that the FTC supports prior “affirmative express consent” in regards to the collection of “sensitive information” (children, financial and medical information, precise geolocation data) for OBA.

Do Not Track
In the 2010 report, the FTC proposed a “uniform and comprehensive consumer choice mechanism” for OBA, referred to as “Do Not Track”. The FTC states, “[t]he most practical method of providing uniform choice for online behavioral advertising would likely involve placing a setting similar to a persistent cookie on a consumer’s browser and conveying that setting to sites that the browser visits, to signal whether or not the consumer wants to be tracked or receive targeted advertisements”. The FTC believes that a "Do Not Track" mechanism is preferable to the existing browser-based cookie opt-outs as it is more “clear, easy to locate and effective” and it conveys the user’s choice to opt out of tracking directly to websites.

FTC goes to Congress
On March 16, 2011, the FTC appeared before the United States Senate Commerce Committee. At the hearing, the FTC recommended imposing more stringent measures to protect Internet users against unauthorized tracking in support of behavioral advertising, including a universal Do Not Track browser setting.

The FTC also announced its first behavioral advertising case, filed against network advertiser Chitika for using a deceptive opt-out mechanism. As part of the settlement, the FTC required that Chitika link all its advertising to an effective opt-out mechanism in the future. It has been commented that, “[t]his requirement of a hyperlink embedded in online advertisements is a good indicator of the type of Do Not Track mechanism that will be acceptable to the FTC if 'Do Not Track' becomes mandatory”.

At the same Senate hearing, the Barack Obama administration called for a new “Internet user’s bill of rights”, which would give the FTC authority to regulate online behavioral advertising.

Do Not Track Me Online Act of 2011
Representative Jackie Speier (D-CA) introduced the “Do Not Track Me Online Act of 2011”, which would authorize the FTC to promulgate regulations requiring online advertisers and websites to allow users to opt out of having their online activities tracked through the creation of a do-not-track mechanism. The bill gives users the ability to block all collection of data for OBA but gives an exception for commonly accepted practices such as fraud prevention and inventory control. The bill authorizes the FTC to enforce the new regulations by conducting random audits of Web publishers, although the proposed regulations contain an exception for websites that have less than 10,000 visitors per year. The bill never reached a vote and died in Congress.

Commercial Privacy Bill of Rights Act of 2011
On April 12, 2011, Senator John Kerry introduced the “Commercial Privacy Bill of Rights Act of 2011”, co-sponsored by Senator John McCain. At the press conference to introduce the bill, Senators Kerry and McCain said that the bill struck a compromise between business and consumer interests, noting that the bill was supported by Microsoft, Intel, and eBay.

The bill tasks the FTC with developing rules specifically targeted at OBA, requiring companies to offer consumers “a robust, clear, and conspicuous” opt-out mechanism from the use of their personally identifiable information by third parties “for behavioral advertising or marketing”.

The bill calls for the FTC to create regulations requiring businesses collecting personally identifiable information, such as names and email addresses, to provide “clear, concise and timely notice” of data collection, use and transfer, along with “a clear and conspicuous mechanism for opt-out consent for any unauthorized use of [consumers'] personally identifiable information.”

The bill contains a provision which would require opt-in consent for the “collection, use or transfer of sensitive personally identifiable information”. Sensitive personally identifiable information is defined as “personally identifiable information which, if lost, compromised, or disclosed without authorization either alone or with other information, carries a significant risk of economic or physical harm” or is related to a particular medical condition, health record or the religious affiliation of an individual.

The bill also tasks the FTC with establishing a voluntary safe harbor program to review, approve, and monitor self-regulatory programs that provide consumers with “clear, conspicuous, persistent and effective” opt-out from online behavioral advertising or location-based advertising. Once a self-regulatory program is approved by the FTC and the members of that program are covered by the safe harbor, those members would be exempt from some of the provisions of the bill.

The bill does not include the FTC’s proposed Do Not Track mechanism, which Senator McCain stated at the press conference, “didn't seem to fit in our ability to get a balance for consumer and industry support”.

The bill also does not include a private right of action, leaving enforcement up to the FTC and State Attorneys General.

Consumer and privacy advocates have stated that the bill was not strong enough and should contain the FTC’s Do Not Track proposal.