Cookies, Advertising and the Federal Trade Commission

IP Watch Newsletter

December 17, 2009

By: Kyle E. Conklin *

Considering that the Federal Trade Commission (FTC) has been active this year protecting consumers in the online world, a business should evaluate its current online data collection practices and its website's terms of use and privacy policy. Just this month the FTC's updated Guides Concerning the Use of Endorsements and Testimonials in Advertising that expanded the scope of protection to include websites, blogs, and social media became effective, and the FTC hosted a roundtable to discuss risks and benefits of information-sharing practices, consumer expectations regarding such practices, behavioral advertising, information brokers, and the adequacy of existing legal and self-regulatory frameworks. With the FTC's recent action, a review, or perhaps for some a first examination, of the FTC Staff Report: Self-Regulatory Principles for Online Behavioral Advertising is warranted. Particularly, this article will discuss what is online behavioral advertising and the FTC's self-regulatory principles.

What is Online Behavioral Advertising?

Online behavioral advertising involves tracking a consumer's online activities over time to deliver tailored advertising. For example, a business may track the pages a consumer has visited or the searches the consumer has made to select which advertisements to display to that consumer. This practice allows a business to align its advertisements more closely to the inferred interests of the consumer.

This data collection is often invisible to the consumer and accomplished by a website placing a "cookie," a small text file, on a particular computer or device that tracks the pages and content viewed, the time and duration of the visit, search queries entered, and whether the consumer clicked on an advertisement. The following example illustrates one of the many ways online behavioral advertising works. A consumer visits a newspaper website that participates with network advertiser that selects and delivers advertisements across the internet. On the newspaper website, the consumer reads a sports article regarding a particular sports team. Subsequently, the consumer visits a sporting apparel website, and while on that website, an advertisement for the particular sports team's apparel appears, targeting the consumers inferred interest in the particular sports team.

FTC's Self-Regulatory Principles

Balancing the privacy concerns raised by collecting data on a consumer's online activities with the benefits of behavioral advertisements, the FTC staff issued a revised set of self-regulatory principles for online behavioral advertising (Principles) in February 2009.1 The Principles include the following:

  • Provide transparency and consumer control: a website should be providing clear notice that data about a consumer's online activity is being collected, and consumers should be able to choose whether a website can collect such data;
  • Provide reasonable data security: if a website collects consumer data, it should provide reasonable data security consistent with the federal and state laws and FTC policy, and it should only retain data as long as is necessary to fulfill a legitimate business;
  • Obtain express consent for material changes to existing privacy policy: a website must obtain the express consent of the consumer before it can use previously collected data in a manner materially different from the policy under which the data was collected; and
  • Obtain express consent for using sensitive data: a website should obtain express consent to collect data about children, health, and finances.

Notably, "first party" advertising — advertising by and within a single website — and "contextual" advertising — advertising that only uses a consumer's current visit to a single web page or a single search query — are expressly excluded from the Principles' scope.

Although these Principles are merely guidelines for self-regulation and there currently is no obligation to comply, the FTC has stated that it will continue to closely monitor the marketplace to ensure consumer protection, leaving the door open for future action. Additionally, a website must still comply with all applicable federal and state privacy and information laws even if the website's data collection practices fall outside of the Principles' scope.

In light of these Principles, the evolving federal and state privacy and information laws, and developing industry standards,2 it is important that each business evaluate its own data collection practices and its website's terms of use and privacy policy. Ober|Kaler offers its clients WEBSCAN®, a comprehensive audit of a website's intellectual property, terms of use, privacy policy, data collection practices, and related issues.




* Kyle E. Conklin is a former member of Ober|Kaler's Intellectual Property Group.