Cookies, Advertising and the Federal Trade Commission
December 17, 2009
By: Kyle E. Conklin *
What is Online Behavioral Advertising?
Online behavioral advertising involves tracking a consumer's online activities over time to deliver tailored advertising. For example, a business may track the pages a consumer has visited or the searches the consumer has made to select which advertisements to display to that consumer. This practice allows a business to align its advertisements more closely to the inferred interests of the consumer.
This data collection is often invisible to the consumer and accomplished by a website placing a "cookie," a small text file, on a particular computer or device that tracks the pages and content viewed, the time and duration of the visit, search queries entered, and whether the consumer clicked on an advertisement. The following example illustrates one of the many ways online behavioral advertising works. A consumer visits a newspaper website that participates with a network advertiser that selects and delivers advertisements across the internet. On the newspaper website, the consumer reads a sports article regarding a particular sports team. Subsequently, the consumer visits a sporting apparel website, and while on that website, an advertisement for the particular sports team's apparel appears, targeting the consumer's inferred interest in the particular sports team.
FTC's Self-Regulatory Principles
Balancing the privacy concerns raised by collecting data on a consumer's online activities with the benefits of behavioral advertisements, the FTC staff issued a revised set of self-regulatory principles for online behavioral advertising (Principles) in February 2009.1 The Principles include the following:
- Provide transparency and consumer control: a website should provide clear notice that data about a consumer's online activity is being collected, and consumers should be able to choose whether a website can collect such data;
- Provide reasonable data security: if a website collects consumer data, it should provide reasonable data security consistent with federal and state laws and FTC policy, and it should only retain data as long as is necessary to fulfill a legitimate business need;
- Obtain express consent for using sensitive data: a website should obtain express consent to collect data about children, health, and finances.
Notably, "first party" advertising — advertising by and within a single website — and "contextual" advertising — advertising that only uses a consumer's current visit to a single web page or a single search query — are expressly excluded from the Principles' scope.
Although these Principles are merely guidelines for self-regulation and there currently is no obligation to comply, the FTC has stated that it will continue to closely monitor the marketplace to ensure consumer protection, leaving the door open for future action. Additionally, a website must still comply with all applicable federal and state privacy and information laws even if the website's data collection practices fall outside of the Principles' scope.
1 FED. TRADE COMM'N, FTC STAFF REPORT: SELF-REGULATORY PRINCIPLES FOR ONLINE BEHAVIORAL ADVERTISING (2009), available at http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf.
2 See, e.g., AM. ASSOC. OF ADVER. AGENCIES ET AL., SELF REGULATORY PRINCIPLES FOR ONLINE BEHAVIORAL ADVERTISING (2009), available at http://www.iab.net/media/file/ven-principles-07-01-09.pdf.
* Kyle E. Conklin is a former member of Ober|Kaler's Intellectual Property Group.