The U.S. Federal Trade Commission just came out with an important new report outlining its recommendations on how advertisers who use behavioral targeting—the tracking of individual consumers’ online activities in order to deliver targeted advertising tailored to each person’s interests—should regulate their own activities so that the government doesn’t step in and do it for them.
The 48-page report, "Self-Regulatory Principles for Online Behavioral Advertising," published Feb. 12, expands on a previous report published in December 2007 in response to privacy concerns raised by online behavioral advertising.
After following this story and reading the report, my non-legal read is that it does not target email marketers directly or by intent. (I am not a lawyer, so be sure to confirm my impressions for yourself and/or with your own counsel.) In a nutshell, the FTC doesn't appear to be taking aim at email marketers because:
- The FTC's guidelines don’t apply to "first-party" behavioral targeting. Most email marketers use first-party behavioral targeting—in which a Web site collects consumer information to deliver targeted advertising at its site, but does not share any of that information with third parties. The agency concluded that fewer privacy concerns are associated with first-party targeting than with other behavioral advertising, and that as a result, it is not necessary to include such advertising within the scope of its principles.
- The FTC is more focused on providing privacy protections to people surfing the Web with a reasonable expectation of privacy. Advertisers contended that it is unnecessary to provide privacy protections for data that is not personally identifiable. But the FTC disagreed, stating that privacy protections should cover any data that reasonably can be associated with a particular consumer or computer or other device.
The report cited hypothetical situations where certain items of information are anonymous by themselves, but can become identifiable when combined and linked by common identifier. For example a consumer's Internet activity might reveal the restaurants in the neighborhood where she eats, the stores at which she shops, the property values of houses recently sold on her block, and the medical conditions and prescription drugs she is researching. When combined, such information would constitute a highly detailed and sensitive profile that is potentially traceable to the consumer. The storage of such data also creates the risk that it could fall into the wrong hands or be used later in combination with even richer, more sensitive data
In the world of relationship email, marketers gather relevant details within the context of a specific marketing relationship so that they can provide the kinds of messages a person will find the most engaging and useful. Subscribers generally understand what a marketer knows about them, and trust that the information will be used appropriately. In many cases, they can update their personal profile or email preferences, or ask to be removed from all marketing going forward. People are much more apt to feel comfortable about sharing details when they know they are in control, and they are explicitly choosing to trust the site/brand they are providing their information to.
The FTC's report offers four guidelines for industry self-regulation. Again, be sure to check out the report for yourself, or with your own counsel, but paraphrased, they are:
- Transparency and consumer control. Web sites that collect data for behavioral advertising need to provide a clear, concise, consumer-friendly and prominent statement that behavioral data is being collected and that consumers can choose whether or not to have their information collected.
- Reasonable security and limited data retention for consumer data. Companies that collect and / or store consumer data for behavioral advertising should provide reasonable security for that data, and retain data only as long as it is necessary to fulfill a legitimate business or law enforcement need.
- Affirmative express consent for material changes to privacy promises. A company needs to keep its promises with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date. This means that before a company can use previously collected data in a manner that is different from the promises it made when it collected the data, it should obtain affirmative express consent from the affected consumers.
- Affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising. Companies should collect sensitive data for behavioral advertising only after they obtain affirmative express consent from the consumer to receive such advertising.
The FTC says the goal of its report is to balance the potential benefits of behavior advertising against the privacy concerns it raises, and to encourage privacy protections while maintaining a competitive marketplace. But advertisers also play a key role in their destiny.
"Industry needs to do a better job of meaningful, rigorous self-regulation, or it will certainly invite legislation by Congress and a more regulatory approach by our Commission," said FTC Commissioner Jon Leibowitz in a Feb. 12 statement.
"Put simply, this could be the last clear chance to show that self-regulation can—and will—effectively protect consumers’ privacy in a dynamic online marketplace."