Behavioural Advertising and the Potential Advent of Regulation in the United States
Andrew D Lipman
Ronald W Del Sesto Jr
Recently, regulators in the United States have demonstrated a renewed interest in issues relating to online privacy. First, the uproar over Facebook's Beacon feature - which reports on users' visits to third-party websites - drew significant press attention in late 2007. Second, the size of the online advertising market generally - and behavioural advertising in particular - continues to grow by leaps and bounds.
One estimate indicates that spending for internet advertising with a behavioural-targeting component will soar from $575 million this year to $1 billion in 2008, and that still represents only 11 per cent of the US display, rich media, and video market. Finally, in April 2007, Google announced that it would acquire DoubleClick. The acquisition was opposed by a number of parties on the grounds that the combination of their consumer information data sets could be exploited in some manner and that federal regulators in the United States needed to address risks associated with behavioural advertising by the companies.
The historical development and the current state of the law in the United States with respect to gathering and maintaining the privacy of data obtained from customers and potential customers might best be summarised as an evolving debate over the merits of regulation and self-regulation. Indeed, a mix of the two - with a heavier emphasis on self-regulation in the United States - has been the favoured approach for at least a decade, if not longer.
As discussed further on, however, a number of federal statutes address privacy protection in the United States, including many that are industry specific. There are also numerous state laws that establish privacy rights for their residents. Yet implementation of these legal requirements comes most often in the form of individually developed, self-policing privacy policies that communicate to consumers the processes and principles pursuant to which companies collect, use, store, and share data collected from individuals. With the exception of a handful of states that have mandated development and posting of privacy policies, there is no specified requirement that companies maintain (or post) such policies nor, with the exception of a few states, is there any specific form of privacy policy that must be adopted. Enforcement with respect to privacy principles, in turn, often comes in the form of action by the Federal Trade Commission (FTC) or a state regulator or state attorneys general considering whether the company in question has complied with the self-regulating privacy policy that it has developed.
Even as businesses make increased use of customer data in forms such as behavioural advertising, it is clear that federal and state regulators, privacy and consumer advocates, and businesses and advertising firms continue to debate the degree to which a regulatory or self-regulatory approach provides the appropriate mechanism for addressing concerns about such data collection, use, storage, and disclosure. In turn, for businesses attempting to navigate these waters, the lack of regulatory certainty, the patchwork of regimes that may apply between federal and state (and even international) jurisdictions, and the ongoing and evolving nature of the debates with respect to self-regulation present both significant opportunities and substantial challenges in determining how best to collect and make use of consumer data in their advertising efforts.
One potential use of consumer data that has attracted a significant amount of attention lately is so-called "behavioural advertising", which the FTC has defined as "the practice of tracking consumers' activities online to target advertising". Of course, the practice of gathering information about consumers' online activities - and the debate over whether and how to regulate such practices - has been going on for years. Although Congress has periodically enacted laws addressing concerns relating to health information, children's privacy, or industry-specific data practices - and while many states have enacted laws relating to the protection of personally identifiable information - the FTC has historically avoided broad ex ante proscriptions with respect to specific online advertising practices. Instead, the FTC has articulated general principles and encouraged self-regulatory best practices, with ex post enforcement efforts arising from time to time to address "unfair and deceptive" conduct by bad actors in violation of the FTC's general mandates.
Now, however, the FTC appears poised to consider the continuing efficacy of self-regulation. Self-described consumer advocacy groups have pilloried the FTC for what they deem to be a decade of neglect in addressing "online profiling" or "behavioural advertising". Concerns relating to such practices dominated public hearings in late 2006, convened to address a wide variety of consumer protection issues, prompting the FTC staff to undertake a year-long examination of such practices. In addition, even as the FTC renews its consideration of such issues, the state legislatures and state regulators continue to impose their own requirements with respect to collection, maintenance, and use of consumer data within their respective boundaries. The Federal Communications Commission (FCC) may also assert broader jurisdiction over data services provided over interstate telecommunications and cable television facilities.
The FTC is the leading federal agency with respect to regulation of privacy protection. It does so in part pursuant to its statutory mission to protect consumers from "unfair and deceptive practices" - which may include, for example, a company's violation of its own privacy policy. The FTC also has statutory authority with respect to privacy-related matters pursuant to several other federal statutes, including the Children's Online Privacy Protection Act (regulating information concerning children), the Health Insurance Portability and Accountability Act (regulating health information), the Gramm-Leach-Bliley Act (financial information), the Telemarketing and Consumer Fraud Abuse Act (telemarketing), and the Fair Credit Reporting Act (consumer credit information). Depending upon the scope of operations and the specific type of information that a business collects, each of these statutes may impose various obligations with respect to the crafting of privacy policies, the disclosures that must be made with respect to specific kinds of data gathering, the kinds of information that may be received from consumers, the ways in which that information must be retained, protected or disposed, and rules concerning how information is shared with third parties.
Likewise, Congress continues to consider legislation relating to such matters, including bills that would address the use of mechanisms such as spyware to track or collect consumer information. It is essential that any company developing a privacy policy and identifying its practices with respect to collection, use, retention, and sharing of customer data consider how these statutory obligations may affect its operations and remain updated on subsequently adopted legal requirements.
In addition to those statutes under which the FTC has authority, there are a number of industry-specific federal statutory provisions that affect data gathering or usage practices by certain kinds of companies. For example, section 222 of the Communications Act of 1934, as amended, and rules promulgated by the FCC, impose substantial obligations on regulated telephone companies with respect to the use and sharing of customer proprietary data internally or with third parties, particularly for marketing purposes. Similar statutes exist with respect to other industries and types of records. Although these statutes are not the focus of this article, and although they only apply with respect to certain kinds of data, these provisions too must be considered by firms in establishing proper practices and procedures with respect to collection, use, retention, and sharing of such data.
We note that international privacy and data retention issues must also be considered by companies that conduct business overseas. For example, the European Union has established stringent data protection principles, including restrictions on the transfer of certain data between the EU and the United States, which are embodied in the laws of individual member states. Canada has enacted similar legislation, and many countries in Latin America, Asia, and Australia also have privacy regulations in place or are considering implementation of such requirements. An understanding of and compliance with these requirements should be a central part of the privacy policies adopted by any firm that transacts any material international business or receives personal data from countries outside the United States.
Although numerous statutes and rules have been adopted with respect to the means by which data may be collected from consumers online, and used and maintained by businesses - and although the FTC and other federal and state regulators and law enforcement agencies play significant roles in the establishment and enforcement of these legal requirements - much of the implementation of these requirements is ultimately left to the discretion of individual companies through the application of self-regulatory principles.
In 1998, the FTC released a report that identified "notice, choice, access, and security" as key elements of online fair information practice principles. This report also identified "enforcement" as a critical component of any governmental or self-regulatory programme to protect privacy online, but stopped short of prescribing any specific requirements for privacy policies and practices. The FTC noted that it had for several years "encouraged industry to address consumer concerns regarding online privacy through self-regulation" on the basis that effective self-regulation would better permit "firms to respond quickly to technological changes and employ new technologies to protect consumer privacy". The FTC found, however, that this self-regulatory approach had failed to yield practices consistent with the principles it had articulated, and that enforcement mechanisms were particularly lacking. Still, in 1999, the FTC continued to recommend to Congress that self-regulation be given more time to prove effective, even as it called upon the industry to make greater efforts in implementing the fair information practice principles set forth in the 1998 report.
In May 2000, the FTC released an update to the 1998 report, detailing "continued improvement" in website privacy disclosures and the nascent development of "online privacy seal programs" that would measure companies' efforts to implement fair information practices. The FTC, however, noted that industry compliance with such principles was not yet widespread enough for its liking. Moreover, although it noted that "there will continue to be a major role for industry self-regulation in the future", the FTC recommended for the first time that Congress enact legislation to require implementation of the standards identified in the 1998 report. In a separate report to Congress specifically addressing "online profiling" issued shortly thereafter, the FTC reiterated that industry proposals were laudable, but that "backstop legislation" addressing online profiling would be required "to fully ensure that consumers' privacy is protected online". Yet, at the same time, the FTC effectively endorsed a self-regulatory approach.
This issue did not assume a high regulatory or legislative profile again until November 2006, when the question of the use of data collected online in targeted marketing efforts generated substantial debate during FTC-initiated public hearings. These debates led in turn to a year-long examination of online behavioural advertising by the FTC, and ultimately to the issuance of an FTC staff statement that calls for consideration yet again of the proper role of self-regulation in the context of online privacy and behavioural advertising.
One can speculate as to a variety of economic, structural, technological, regulatory, or political reasons why potential regulation of targeted advertising generated such substantial debate in 1999 and 2000 but then failed to attract any significant attention from the FTC until it again became a focus during the 2006 hearings. Regardless of the reasons for this gap in time, however, it is clear the issue has obtained a higher profile since being resurrected by the FTC. Arising out of the debate at these hearings, the FTC staff "held many dozens of meetings with consumer representatives, industry members, academics, technologists, and others to gain a better understanding of current and anticipated online advertising models". The FTC then scheduled a "town hall" in November 2007 to address specifically how behavioural advertising had changed in recent years and the effectiveness of regulatory and self-regulatory measures aimed at consumer protection.
It remains to be seen in which direction the FTC will go with respect to behavioural advertising - whether it will maintain a "self-regulatory" course or whether the urgings of consumer advocacy groups that have reignited the debate will drive adoption of a stricter regulatory framework. But the FTC appears to have acknowledged that benefits can flow from behavioural advertising, and it is therefore essential that the FTC also understands how potential new requirements applicable to behavioural advertising practices could complicate or even eliminate the ability of businesses to utilise such advertising efforts.


