FTC to Online Advertising Industry: Clean Up the TOUs & Privacy Policies

Summary: Online advertising has been self-regulated for some time but the FTC has made it
clear that it is not happy with the resulting dense legalese of TOU’s and privacy policies. They
set forth new guidelines that they expect publishers to use during the next year–at which time
the FTC will consider new legislation. (Please note: Various ad industry associations offered
their response, which is discussed in the post below at
digitaldumonde.wordpress.com/2009/07/23/new-ideas-for-online-data-collection-use-the-
industry-responds-to-the-ftc/.)
Although the guidelines are only just that–guidelines–they should “guide” your revisions to
your TOU’s and your privacy policy. Here is a quick summary.
I. Introduction.
The staff of the United States Federal Trade Commission (FTC) recently released a report
(February 12, 2009) that will directly affect the documents governing the relationship
between an online content provider and viewers/consumers-Terms of Use (TOUs), End-
User License Agreements (EULAs) and Privacy Policies. The report also suggests
implications for the use of private information. Please email us
atjcrext@globalcaplaw.com and a copy of the report will be sent to you, or you can find it
on the site of the FTC.
The report sets forth principles for self-regulation for the online advertising industry
relating to online “behavioral advertising.” (The report defines behavioral advertising,
which is set forth below under “Definition”). Technically, it is a supplemental report, but it
has the effect of finalizing the December 2007 draft “Self-Regulatory Principles for Online
Behavioral Advertising.”
It should be emphasized that these are principles for self-regulation for the online
advertising industry. Arguably, this means that they are not binding, and, indeed, the
report makes that clear. However (and this is an important caveat), the principles will
definitely guide the enforcement actions instituted by the FTC. Moreover, it seems that the
FTC is pre-disposed to initiate legislation in this area, which will probably codify much of
what is found in these principles. And states often look to such reports for guidance on
their legislation on privacy.
In reading the footnotes, another point emerges from the report. The FTC staff appears to
believe that those who draft TOUs and privacy policies have not been keeping a close eye
on the enforcement actions and decisions that the FTC staff believes to be relevant-and
these include decisions that do not involve online matters but do involve clear disclosure for
consumers. In fact, the report footnotes include quotes from FTC commissioners that can
be summed up as the following rule:
Policies that bury relevant information and choices for consumers in legalese will do so at the
peril of the publisher.
(Please note that the above rule is our language and not that of the FTC or its staff.)
II. So What?
1. Clean up These Documents. Dense legalese will probably not “pass muster” with the
FTC. They are keeping a close eye on this area.
2. Consumers’ Choices Must Be Clear. Just as dense legalese is for the FTC tantamount to
unacceptable (and often illegal) “fine print,” obscuring consumers’ choices is frowned
upon. In particular, the report mentions “check boxes” that are already checked–
something frowned upon in the report.
3. Certain Changes to Terms Must Be Affirmatively Accepted. Any material changes or
“retroactive” changes (i.e., affecting policies on data already collected) must be
affirmatively accepted by the site users. Prospective changes do not (yet) need such
approval but it is pretty clear that the staff leans in that direction. This possibly means
that the common technique of saying “Use of this site means acceptance of the terms”
together with the “warning” that changes can be made at any time will not be acceptable
by the FTC.
4. The PII/non-PII Distinction is Diminishing. The US approach has been to try to protect
“personally identifiable information” at a higher level than that which is not personally
identifiable. This differs from the European model. Now, the FTC is moving towards the
European model and this is understandable. The staff understands that PII can often be
gleaned from non-PII, which makes the distinction too porous. In particular, the report
wishes to increase the protection of data that can identify an individual machine (PC,
mobile phone, etc.), while the earlier approach was to preclude identification of an
individual user.
5. Self Regulation is a Testbed and is on Probation. The FTC simply sidestepped resolving
many issues, leaving it to the “industry” to try various methods. However, one can infer
that “industry” has about a year before the FTC moves towards legislation.
III. The Report.
We have not included the entire (50+ page) Report, but we have quoted almost the entire
conclusion, which summarizes the final version of the “Principles” of self-regulation. The
numbering is directly from the Report:
A. Definition
For purposes of the Principles, online behavioral advertising means the tracking of a
consumer’s online activities over time – including the searches the consumer has
conducted, the web pages visited, and the content viewed – in order to deliver advertising
targeted to the individual consumer’s interests. This definition is not intended to include
“first party” advertising, where no data is shared with third parties, or contextual
advertising, where an ad is based on a single visit to a web page or single search query.
B. Principles
1. Transparency and Consumer Control
Every website where data is collected for behavioral advertising should provide a clear,
concise, consumer-friendly, and prominent statement that (1) data about consumers’
activities online is being collected at the site for use in providing advertising about products
and services tailored to individual consumers’ interests, and (2) consumers can choose
whether or not to have their information collected for such purpose. The website should
also provide consumers with a clear, easy-to-use, and accessible method for exercising this
option. Where the data collection occurs outside the traditional website context, companies
should develop alternative methods of disclosure and consumer choice that meet the
standards described above (i.e., clear, prominent, easy-to-use, etc.)
2. Reasonable Security, and Limited Data Retention, for Consumer Data
Any company that collects and/or stores consumer data for behavioral advertising should
provide reasonable security for that data. Consistent with data security laws and the FTC’s
data security enforcement actions, such protections should be based on the sensitivity of the
data, the nature of a company’s business operations, the types of risks a company faces,
and the reasonable protections available to a company. Companies should also retain data
only as long as is necessary to fulfill a legitimate business or law enforcement need.
3. Affirmative Express Consent for Material Changes to Existing Privacy Promises
As the FTC has made clear in its enforcement and outreach efforts, a company must keep
any promises that it makes with respect to how it will handle or protect consumer data,
even if it decides to change its policies at a later date. Therefore, before a company can
use previously collected data in a manner materially different from promises the company
made when it collected the data, it should obtain affirmative express consent from affected
consumers. This principle would apply in a corporate merger situation to the extent that
the merger creates material changes in the way the companies collect, use, and share data.
4. Affirmative Express Consent to (or Prohibition Against) Using Sensitive Data for
Behavioral Advertising
Companies should collect sensitive data for behavioral advertising only after they obtain
affirmative express consent from the consumer to receive such advertising.