New Privacy Policy Wrinkles: Online Behavioral Advertising; and Potential new EU Data Protection Policy

Last year, Google proposed a $3.1 billion acquisition of Doubleclick, which prompted consideration of the acquisition by the Federal Trade Commission and a hearing before the Senate Judiciary Committee’s subcommittee on Antitrust, Competition Policy and Consumer Rights. Both the FTC and the Senate were addressing not only anti-trust risks for competition but also the implications for consumer privacy of a merger of the leading Web search engine and leading behavioral advertising provider.

The discussion led the FTC to suggest last month that Web advertisers using behavioral targeting consider adopting several privacy principles, called "Governing Principles For Online Behavioral Advertising" (The Principles are excerpted below). The FTC has suggested that these should be considered for implementation as private sector self-regulation in the same way that earlier online privacy principles had been adopted by the US private sector self-regulation in response to the Safe Harbor agreement to meet the privacy mandates of the European Union’s Data Protection Directive. The FTC is presently soliciting private sector comment on these principles and their impact on online commerce.

FTC-proposed Governing Principles For Online Behavioral Advertising Privacy

To address the need for greater transparency and consumer control regarding privacy issues raised by behavioral advertising, the FTC staff proposes:

  • Every Web site where data is collected for behavioral advertising should provide a clear, consumer-friendly, and prominent statement that data is being collected to provide ads targeted to the consumer and give consumers the ability to choose whether or not to have their information collected for such purpose.

To address the concern that data collected for behavioral advertising may find its way into the hands of criminals or other wrongdoers, and concerns about the length of time companies are retaining consumer data, the FTC staff proposes:

  • Any company that collects or stores consumer data for behavioral advertising should provide reasonable security for that data and should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.

To address the concern that companies may not keep their privacy promises when they change their privacy policies, FTC staff proposes:

  • Companies should obtain affirmative express consent from affected consumers before using data in a manner materially different from promises the company made when it collected the data.

To address the concern that sensitive data – medical information or children’s activities online, for example – may be used in behavioral advertising, FTC staff proposes:

  • Companies should only collect sensitive data for behavioral advertising if they obtain affirmative express consent from the consumer to receive such advertising.
  • FTC staff also seeks comment on what constitutes “sensitive data” and whether the use of sensitive data should be prohibited, rather than subject to consumer choice.

The staff is seeking additional information about whether tracking data is being used for purposes other than behavioral advertising and whether such secondary uses, if they occur, merit some form of heightened protection.

These principles and the US self-regulatory approach to the issue of behavioral advertising were presented this month to the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs. The committee was considering the privacy policy implications of   

"..."behavioural marketing" founded on computerized data collection and on targeted advertising which are creeping into nearly every aspect of the social and commercial transactions – searching, browsing, networking, emailing and telephoning. This new situation, however, raises some critical issues about the sufficiency of  companies’ disclosures, the level of consumers’ understanding and control of their personal information as well as the security and confidentiality of the massive amount of sensitive personal data. Moreover, behavioral marketing directed at vulnerable individuals, such as young people and teens, clearly raises the question of the degree of privacy protection."

These discussions are preparatory to the pending update of EU Directive 2002/58/EC on data and consumer protection in the telecommunication domain by the Article 29 Working Party of the EU Directorate General for Justice, Freedom and Security. This group also is currently preparing a report on how well the privacy policies of the search engines of Google, Yahoo!, Microsoft, and others comply with the mandates of the EU’s Data Protection Directive.

A comment made by the chair of this group during the parliamentary meeting this month suggested that the Article 29 Working Party is considering implementing into EU policy that the Internet Protocol (IP) addresses associated with a specific person will be considered to be "personal data" and thus subject to the legal protections provided under the EU Data Protection Directive.

If this position should in fact become the basis for EU privacy policy, it could have enormous implications for Internet search engine operations within EU nations and may also impact the provisions of the US Safe Harbor agreement with the EU. This blog will track this activity as it unfolds and update events as they occur. Stay tuned.

Categories: