Posted on

Self-Regulatory Online Behavioral Advertising Principle No. 5: Material Changes

Here is the fifth in our installments of summarizing the seven principles contained in the Self-Regulatory Online Behavioral Advertising Principles released by the Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau, in concert with the Council of Better Business Bureaus, For reference, the seven enumerated principles are:

The Material Changes principle requires an organization engaged in behavioral advertising to obtain consent before applying any material changes to its existing online behavioral advertising policies and practices – specifically, to the data collection-and-use policies and practices that apply to data collected prior to the effective date of any material change to these policies and practices.

This principle also makes it clear that a change in policy or practice that would result in less data collection or more restrictive use of the data (i.e., less or more restrictive use of the data than existing usage) is NOT a material change that would require prior consent. This makes sense considering that the purpose of the principle, when coupled with Transparency and Consumer Control, is not to merely give consumers an absolute right to consent or to reject any and all changes, but only those that would broaden, deepen or alter in an expansive or materially different manner, the existing collection-and-use practices of the organization. If a change would result in less data being collected or more constrained use of the data being collected, a consumer would likely be notified of the change, but consent would not be required.

Legal Bytes will be bringing you a summary of the remaining two principles in the next week. And now, as always, if you have any questions or need help, please feel free to contact me or any of the Rimon attorneys with whom you regularly work.

Posted on

Self-Regulatory Online Behavioral Advertising Principle No. 4: Data Security

The Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau, in concert with the Council of Better Business Bureaus, recently released its Self-Regulatory Online Behavioral Advertising Principles. When we announced these principles, we also promised to provide you with a bit more detail regarding each of these principles, which are listed below; so here is a brief summary of the fourth – Data Security. For reference, the seven enumerated principles are:

The Data Security principle requires entities to provide reasonable security for, and limited retention of, data collected and used for online behavioral advertising purposes. Consistent with the FTC standard, entities must maintain appropriate physical, electronic and administrative safeguards based upon the sensitivity of the data. Further, data collected and used may not be retained any longer than necessary to fulfill a legitimate business need (e.g., testing and auditing) or as required by law. In addition, the principle sets forth the steps that service providers (e.g., entities that provide Internet service, toolbars, web browsers or comparable desktop applications) must take in connection with data collection and use, including alteration, anonymization or randomization (e.g., hashing) of personally identifiable information; enhanced notice and disclosure at the time the data is collected; and the protection of the non-identifiable nature of data shared with non-affiliates. Under the Data Security principle, service providers will be held accountable for compliance with these principles in connection with their collection and use of data for online behavioral advertising purposes. Thanks to Stacy Marcus for her analysis.

We can now also report to you that yesterday a coalition of 10 consumer and privacy advocacy groups (i.e., Center for Digital DemocracyConsumer Federation of America, Consumers UnionConsumer WatchdogElectronic Frontier FoundationPrivacy LivesPrivacy Rights ClearinghousePrivacy Times, U.S. Public Interest Research Group, and The World Privacy Forum, has released a draft of their own principles, in the form of a Legislative Primer, entitled Online Behavioral Tracking and Targeting Concerns and SolutionsLegal Bytes will have a more detailed report for you on this new development in the next day or two, and in the meantime – or any time – feel free to contact me, Stacy Marcus, or any of the Rimon attorneys with whom you regularly work.  

Posted on

Self-Regulatory Online Behavioral Advertising Principle No. 3: Consumer Control

Last month we promised to provide you with a bit more detail regarding each of the self-regulatory principles that form the basis of the Self-Regulatory Online Behavioral Advertising Principles, announced by the Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau, in concert with the Council of Better Business Bureaus. The principles are intended to provide a framework for industry participants to adopt, implement and adhere to standards of conduct applicable to their online behavioral advertising practices. Seven basic principles are contained in the report, and Legal Bytes is briefly summarizing each one, although we urge you to read the full report.

We previously reported on the Education and Transparency principles; those links in the outline below will take you to the summaries, or you can read the overview posted when we reported on the initial release of the Self-Regulatory Online Behavioral Advertising Principles.

For reference, here are the seven enumerated principles:

Today, Keri S. Bruce highlights the Consumer Control principle that relates to the practice recommended by the report of providing consumers with additional control over whether data is collected about them and whether it is shared with others. The principle applies to third parties that collect or use behavioral advertising data and the websites from which the data is collected. The principle also applies to “service providers” (i.e., parties that provide Internet access services, toolbars, Internet browsers or comparable services, and who are engaged in online behavioral advertising). Through notices that are described under the Transparency principle, with respect to third parties and websites, consumers should be able to control the use and collection of their personally identifiable information by opting-out of having data collected or shared with non-affiliate websites. With respect to service providers, because they potentially can, by the nature of the services they provide, gain access to all or substantially all online behavioral data of a particular user when that user is online with or through the service provider, the Consumer Control principle requires industry participants to follow practices that require consumers to opt-in to data collection for online behavioral advertising purposes by the service provider. Further, even after consent is given, service providers must provide a means for the consumer to withdraw her or his consent.

Thanks to Keri S. Bruce for her analysis. For further information, you can also call me or the Rimon attorney you regularly work with. Stay tuned for summaries of the remaining principles.

Posted on

Self-Regulatory Online Behavioral Advertising Principle No. 2: Transparency

Last month, Legal Bytes reported to you that the Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau, in concert with the Council of Better Business Bureaus, released its Self-Regulatory Online Behavioral Advertising Principles. As reported, the major participants in the online advertising industry have proposed to apply these principles to their practices related to online behavioral advertising: “the collection of data from a particular computer or device regarding Web viewing behaviors over time and across non-Affiliate Web sites for the purpose of using such data to predict user preferences or interests to deliver advertising to that computer or device based on the preferences or interests inferred from such Web viewing behaviors.”

We promised to provide you with a bit more detail regarding each of these principles. We previously reported on Education, and today we summarize Transparency. As we go through each one, we’ll use the outline below to enable you to link to all the prior principles covered in Legal Bytes, while highlighting the one covered today. The seven enumerated principles are:

  • Education
  • Transparency
  • Consumer Control
  • Data Security
  • Material Changes
  • Sensitive Data
  • Accountability

The Transparency principle seeks clear and accessible consumer disclosures regarding the type of data collected and how the data will be used to conduct behavioral advertising. Because behavioral advertising is often conducted by third-party advertising networks that lease space on a website, the principle applies to both third-party entities collecting and/or using the data, and the websites from which such data is being collected. Under this principle, these parties would provide “enhanced notice” on the page where data is collected through links embedded in or around advertisements, or on the web page itself. Customers will have the ability to read these notices and use the information to enable themselves to take control over the use of their personal information, choosing whether they would like to permit their information to be used for online behavioral advertising purposes.

Thanks to Amy S. Mushahwar for her analysis. Stay tuned for summaries of each of the remaining principles.

Posted on

Self-Regulatory Online Behavioral Advertising Principle No. 1: Education

Last month, Legal Bytes reported to you that the Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau, in concert with the Council of Better Business Bureaus, released its Self-Regulatory Online Behavioral Advertising Principles. As reported, the major participants in the online advertising industry have proposed to apply these principles to their practices related to online behavioral advertising: “the collection of data from a particular computer or device regarding Web viewing behaviors over time and across non-Affiliate Web sites for the purpose of using such data to predict user preferences or interests to deliver advertising to that computer or device based on the preferences or interests inferred from such Web viewing behaviors.”

Since we promised to provide you with a bit more detail regarding each of these principles, which are listed below, here is our first installment in fulfilling that commitment. The seven enumerated principles are:

  • Education
  • Transparency
  • Consumer Control
  • Data Security
  • Material Changes
  • Sensitive Data
  • Accountability

The Education principle requires everyone in the online behavioral environment to participate in meaningful efforts to educate consumers and businesses about behavioral advertising, the purpose of the Self-Regulatory Online Behavioral Advertising Principles, and the potential benefits and consumer choices that are available when these principles are followed, and to explain to consumers the means and implications of exercising their rights and the choices they may have. While the specifics of all of the proposed educational outreach are yet to be established within the framework of the industry groups that have formulated these principles, the one thing that was agreed on as a tangible, quantitative objective is that through industry-developed website(s) and a major online education campaign, the initial educational outreach would be developed to achieve at least 500,000,000 (yes, that’s five hundred million) impressions over the next 18 months. Thanks to Keri Bruce for her input. Stay tuned for highlights of the six other principles.

Posted on

Advertising Industry Collaboration Releases Self-Regulatory Online Behavioral Advertising Principles

A group of the nation’s largest media and marketing trade associations today released self-regulatory principles to protect consumer privacy in ad-supported interactive media that will require advertisers and websites to clearly inform consumers about data collection practices, and enable them to exercise control over that information.

In an extraordinary show of industry cooperation and collaboration, the American Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau last week released a series of self-regulatory principles, intended to be implemented by 2010 and designed to protect consumer privacy in advertising-supported interactive media. As part of the announcement, the Council of Better Business Bureaus along with the DMA, has agreed to implement accountability programs relative to these principles.

These self-regulatory guidelines come on the heels of a recently released study commissioned by the IAB entitled “Economic Value of the Advertising-Supported Internet Ecosystem,” which reported that the advertising-supported Internet represents 2.1 percent of the total U.S. gross domestic product (GDP), contributing $300 billion to the economy, and has created 3.1 million U.S. jobs.

“Guided by the seven Principles we have announced today, the advertising community is developing one of the most comprehensive self-regulatory programs ever undertaken by the business community. The fast-changing online marketing environment is best addressed by a self-regulatory framework that is transparent, flexible and accountable to consumers’ needs and concerns. On behalf of our 360 members, who collectively invest more than $200 billion annually in marketing communications, we look forward to jointly developing a comprehensive business system that respects and honors these Principles,” said Bob Liodice, President and CEO, (ANA).

“This historic collaboration represents businesses and trade associations working together to advance the public interest,” said Randall Rothenberg, President and CEO, IAB. “Although consumers have registered few if any complaints about Internet privacy, surveys show they are concerned about their privacy. We are acting early and aggressively on their concerns, to reinforce their trust in this vital medium that contributes so significantly to the U.S. economy.”

The seven Principles designed to address consumer concerns about use of personal information without wreaking havoc to advertising that subsidizes and supports the vast array of free online content relate to:

  • Education
  • Transparency
  • Consumer Control
  • Data Security
  • Material Changes
  • Sensitive Data
  • Accountability

We will be highlighting each of these principles separately in Legal Bytes over the weeks ahead, but if you would like to read the “Self-Regulatory Principles for Online Behavioral Advertising” report now, in its entirety, just follow the link.

Posted on

France: Online Ads Could Lead to User Data ‘Merchandising’

In a report entitled “Targeted Online Advertising” (La Publicité Ciblée en Ligne), presented in February and recently released publicly, the French data protection regulatory authority (CNIL) has expressed concern that targeted online advertising could be a conduit for the merchandising of personally identifiable information about online users. 

The CNIL has been examining context-sensitive, behavioral marketing and targeted advertising mechanisms online, and is concerned about privacy implications. The report notes that analyzing online user data for the purpose of serving more relevant advertising involves the collection of Internet protocol addresses, what websites a user arrived from or subsequently visited, and even key words entered by the user. In case you haven’t thought about it, definitions are hardly uniform in laws and regulations around the world, i.e., an IP address is considered personal data in the EU, but is not personally identifiable information in the United States. 

The report raises an alarm over what could be a means of “systematic profiling” and examines what it believes are growing risks to privacy in this context. In France, and many jurisdictions, targeted advertising must comply with the same data protection rules that apply to the use of personal data online. The French authorities have consistently maintained that users should be specifically informed about how their data will be used, and should be given the opportunity to opt out of these uses—even if it means they can no longer use the services available on the site.

The report also specifically notes that many free services on the Internet are actually subsidized by advertising. While “free” is an accurate financial description in a literal sense, consumers often don’t appreciate they are actually paying a “price”—the value of personal information provided in exchange for “free” services they receive online. 

While the report does not attempt to cover mobile or wireless advertising broadly, it does note that adding information about a user’s location through GPS and other technology, adds tracking capability that the CNIL fears will allow for even greater intrusion and profiling of individual behavior. You can read the entire CNIL report in French on their website at “La publicité ciblée en ligne” (Targeted Online Advertising).

Posted on

FTC Testimonial and Endorsement Guides Stimulate Industry Comment

Rimon acts as counsel to many of the advertising industry’s leading trade and membership associations – The Association of National Advertisers, The Word of Mouth Marketing Association, the Interactive Advertising Bureau, to name only a few. As you may have notices, a recent Legal Bytes blog post noted that just last month the FTC supplemented its December 2007 “Self-Regulatory Principles for Online Behavioral Advertising” report.

Well the FTC has been busy in re-examining it’s policies regarding testimonials and endorsements in this digital age. As previously reported in Legal Bytes, the FTC indicated it was revising it’s Testimonial and Endorsement Guides (the first time since the 1980s). Well comments have now been submitted and we strongly recommend that anyone in the advertising and marketing business take a look at some of them. In fact, to help you, Legal Bytes has a couple you can look at right now – Comments for The Association of National Advertisers and Comments for The Word of Mouth Marketing Association – and when you finish reading them ask yourself:

  • Now that public comments are in, what do we think will happen?
  • What is in front of the FTC that might affect its decision making?
  • How would self-regulation differ from the way the FTC has been operating?
  • What does the new FTC Chairman think about self-regulation?
  • Do we expect the new administration to shift direction? If so, which way?
  • How is all this likely to affect advertising and marketing using product placements, branded entertainment, blogs, consumer generated content, buzz, viral and word of mouth marketing?

If you need to know, you need to contact John Feldman, Douglas Wood or Joseph Rosenbaum – or your favorite Rimon attorney – who will be more than happy to help you.

Posted on

Behave Yourself – FTC Behavioral Ad Guidelines Promote Self Regulation, BUT . . .

FTC Releases Revised Ad Guidelines: Are New Marketing Practices in Your Wallet?

On February 12, 2009, the FTC supplemented its December 2007 “Self-Regulatory Principles for Online Behavioral Advertising” report, highlighting the FTC’s voluntary best practices for the behavioral advertising industry. While continuing to support self-regulation, that should not be taken as a vote of confidence for continuing the status quo. Change is in the air and you may well need to:

  • develop more consumer education concerning behavioral advertising;
  • develop internal privacy protections for anonymous data profiles;
  • create opt-in notice mechanisms for collection of sensitive information; and
  • create opt-in notice mechanisms for retroactive changes to privacy practices.

. . . and if you think your privacy policies are ok, as is, think again. The FTC has taken a broad brush to paint a picture of what it considers personally identifiable information (PII) and what ‘sharing’ of that information may require. Our experts Amy S. Mushahwar and John P. Feldman have written an alert that describes what you need to know in more detail. To read the full alert, with links to the FTC releases, click here.

Posted on

It’s Often the Little Things that Count – Here are Two

Last month, we brought you information about outsourcing—a topic making news daily. This month, we bring you smaller news with potentially bigger implications.

In the biblical prophecy of Isaiah, the wolf lives with the lamb, the leopard lies down with the kid and a little child shall lead them. You can draw your own conclusions as to who are lions, lambs and the little child, but a few days ago, the unthinkable occurred. Sun Microsystems and Microsoft reached peace by dropping most claims, cross-claims and the vitriolic debate raging since 1997 when Sun sued Microsoft alleging violations of its Java license terms. With a trail of litigation which includes U.S. and European antitrust regulators, the announcement is nothing short of astounding. Yes, it remains to be seen whether years of mistrust will dissipate and lead to true cooperation, but this is not simply a truce between two rivals. The Wall Street Journal quotes Tony Scott, Chief Technology Officer for General Motors, as saying “What we try to do is educate them on the real pain customers go through when you have multiple incompatible standards and technologies.” Instead of customers being forced to figure out (and pay for) solutions to interoperability and compatibility problems, vendors are now being pressured to do so. Is this the beginning of a trend? Too soon to tell, but this truce is a big deal—Mr. Scott represents a customer!

And now, number 2. Perhaps we have become less concerned about providing information to “friendly sites,” but Yahoo! has introduced a “paid inclusion” product which allows advertisers to guarantee their sites will show up in searches—although payments do not change the order in which results are displayed. Not to be outdone, Google’s new “G-mail” will have context-based advertising derived from—are you ready—a scan of key words in G-mail received by subscribers, which customizes advertising based on information in the e-mail. G-mail a friend about bowling and you may see a pop-up coupon for a local bowling alley. Marketing professionals and advertisers point to the fact that G-mail is an opt-in service and consumers have shown they are willing to give up privacy to obtain greater levels of convenience.

For the record, cookies were invented to allow you to have a shopping cart and accumulate items when going web shopping. Fast-forward past cookies to
spammers, phishing, pop-ups, invisible GIFs, web bugs, intelligent bots and spyware to this latest announcement. Google can now accumulate a detailed
dossier of individual consumer preferences and the contents of e-mails. No one is suggesting Google would abuse such information or that subscribing is not
truly voluntary, but not only do we know what you did last summer, soon we may also be able to tell you what you are planning next summer.