That Face is Written All Over Your Expression – Facebook Adds Ads

Hi. Do you like Legal Bytes? Have you told friends about Legal Bytes? Shared the link with at least 10 friends and colleagues? Have you told anyone about an article, a Useless But Compelling Fact or perhaps a Light Byte on Legal Bytes? Well, have you? I mean do you REALLY like Legal Bytes? If you do, please click the icon now:

What? Nothing happened? Well, that’s right. Nothing happened. Sorry to disappoint you, but aside from the satisfaction of reading very exciting and timely postings; thoroughly enjoying the insights; admiring the wit and wisdom of the authors and editor; and, we hope, feeling enlightened and mildly entertained – this is, after all, a legal website, and you get nothing. We don’t even publish comments or invite debates – that’s not what Legal Bytes is about. Oh, and we don’t use your name or email address. We just want you to read, and we thank you!

Not so any more on Facebook; and although I have been given absolutely nothing and have had no contact with any of the following companies about this or any other blog posting, here goes:

Have you been posting nice things on your friends’ Facebook pages about your morning Starbucks coffee or perhaps checking in at Steamboat Springs, eager to hit the slopes? Have you felt compelled to comment to a Facebook friend that you just bought a new General Motors Cadillac and how great it now looks and drives? Has your Twitter feed, your LinkedIn comment, or your Digg dig shown up on Facebook, remarking about the lovely feel of Proctor and Gamble’s Charmin bathroom tissue? Perhaps you have been browsing the official Facebook pages of MTV or Coca-Cola, or marveling at Kellogg’s Cares? Like what you see? Well just click the "Like" icon at the top of those pages to let them and the world know.

Advertisers will now be able to take your nice posts, comments, remarks and words – those messages posted about brands – or your "like" clicks, and turn them into advertisements and "sponsored stories" for your friends to see. Although they won’t be edited – not even the advertiser will be able to do that – postings on your wall that now show up on your "friends’" news feeds will now also show up on your friends’ home page, right along with the other advertisements – more noticeable and conspicuous to be sure.

Although you won’t be notified it’s happening and you can’t opt out, don’t worry about someone stealing your words or preferences. The ad will have your name and profile photo, and will appear as an advertisement, along with the others, only now labeled as a "Sponsored Story." Going one better than "word of mouth," your posts, your check-ins and your likes will be as plain as the expression on your Facebook. According to what we have read, Facebook has stated that "A sponsored story never goes to somebody who’s not one of your friends."

So far the griping has not been whether Facebook has the right, or even about keeping the ads limited to Facebook "friends" who already can see your postings. It’s been about not being told that my "check-in," which enables me to connect with others while I’m on the move, is now going to be used to "promote" the places I check into – without my approval or without me necessarily knowing. If my neighborhood diner is going to get an endorsement (explicitly or implicitly), do I get royalties (or a complimentary egg-white omelet)? Listen up, Converse, I need a new pair of sneakers. 

Déjà vu All Over Again: Online Behavioral Advertising

Just catching up with continuing efforts to educate the legal community on the implications of digital behavioral advertising and the importance of the industry self-regulatory efforts, as well as the dangers of legislation and regulation arising from insufficient or inaccurate information. In November of last year, Cyberspace Lawyer [Volume 14, Issue 10; November 2009], published “Advertising Industry Collaboration Releases Self-Regulatory Online Behavioral Advertising Principles,” written by Joseph I. Rosenbaum.

The article follows the release, by the major advertising industry associations, of Self-Regulatory Principles for Online Behavioral Advertising, and Legal Bytes had numerous blog postings summarizing the individual principles, as well as an overview (see Self-Regulatory Online Behavioral Advertising Principle No. 7: Accountability that will link you to the others; or simply search “social media” in the keyword search box in the navigation column on the left side of the web page). The Cyberspace Lawyer article consolidates and integrates these summaries into a single article that you can read in that issue, or you can download the article here: “Advertising Industry Collaboration Releases Self-Regulatory Online Behavioral Advertising Principles” [PDF].

Joe Rosenbaum, who edits and publishes Legal Bytes, is general counsel of the Interactive Advertising Bureau (IAB), one of the major industry associations that participated in the development and release of the actual principles. Behavioral advertising can be viewed as another aspect of the social media phenomenon sweeping the digital world, and if you want (or need) to know more, you should know that Rimon’s Advertising Technology & Media Law Group can help with integrated experience and legal skills, both nationally and internationally. Let us know if we can help you.

Buzz Over Behavioral Advertising – Listen, Do You Want to Know a Secret?

This post was also written by Stacy Marcus.

The buzz over online behavioral advertising in the United States has been building since the 2008 hearings in Congress over deep packet inspection. The first class-action lawsuit targeting behavioral advertising, Valentine v. NebuAd (N.D. Cal., No. 3:08-cv-05113), was filed in November 2008, followed soon thereafter by Simon v. Adzilla (N.D. Cal., No. 3:09-c-00879) in February 2009.

In the first case, NebuAd and six other ISPs were accused of violating the Electronic Communications Privacy Act, the California Computer Crime Law, the California Invasion of Privacy Act, and the Computer Fraud and Abuse Act, by using deep packet inspection technology. Specifically, the NebuAd complaint alleged that customers were unaware their online activity was being monitored for marketing purposes; that either no notice or consent was provided; that any notice that may have been attempted was insufficient or misleading; and that their technology intentionally sought to negate customers’ efforts to remove tracking cookies. For their part, the defendants vigorously deny having violated customers’ privacy rights, noting that they did not collect personally identifiable information, and that the data collected was anonymized to protect the identities of customers.

Since its filing in November 2008, all of the defendants in the NebuAd case have moved to dismiss the action on various grounds, including lack of personal jurisdiction and failure to state a claim. Just a few days ago (Oct. 6, 2009), the court granted the motions in respect of five of the defendants, to dismiss for lack of personal jurisdictions, citing the fact that the ISPs that were not based in California did not provide a sufficient and constitutionally reasonable basis for a California court to assert jurisdiction. However, the ruling leaves NebuAd as the last defendant standing in the action. But wait. There’s more. In May 2009, NebuAd liquidated its assets and went out of business. In fact, on the day the court dismissed the action against the other five defendants, the court also granted NebuAd’s counsel’s motion to withdraw from the case. That said, the court refused the additional request to stay the proceedings against NebuAd until new counsel could be retained. Stay tuned . . . we’ll track this for you!

Now in the second case, Adzilla (whose website is currently “under construction”) and three other defendants were parties to a joint venture that created a technology called the “ZILLAcaster.” According to the press release of Adzilla partner NetLogix, “[t]he ZILLAcaster technology resides within the service provider’s network, the closest point to the subscriber, and utilizes network data in combination with contextual and behavioral targeting to make decisions regarding the delivery of the most relevant ad content for network users. Content can be delivered down to individuals without the use of any desktop, software, or adware.” The plaintiffs claim that this ZILLAcaster oversees, inspects, copies, transmits and actually permits the alteration of the user’s Internet communications – all without any notice to the user. Although there is no allegation that any actual ads were served to Simon (the plaintiff) as a result of this ZILLAcaster, the plaintiffs argue that simply tracking them in this manner violates the Electronic Communications Privacy Act, the California Computer Crime Law, the California Invasion of Privacy Act, and the Computer Fraud and Abuse Act through the use of deep packet inspection. Adzilla has denied plaintiffs’ allegations and asserted numerous defenses.

Less than two months ago (Aug. 18, 2009), Continental Broadband was dismissed from the action, and on Oct. 2, 2009, a filing in the case seeks to voluntarily dismiss Core Communications d/b/a CoreTel as a defendant in the lawsuit. If the filing is granted, only Adzilla and its parent company, Conducive Corporation, will remain as defendants.

So why should you care? Because given the settlement of Facebook’s class action lawsuit over its Beacon technology, these two lawsuits are the only major ones we are aware of that are pending, that concern online behavioral advertising AND that could potentially yield decisions and opinions. Given Congress’ and the FTC’s interest in consumer privacy in general, and online behavioral advertising in particular, a decision in either of these two cases could set the stage for government regulation and policy – confirming with or reactive to these decisions – and may well set precedent for future online behavioral advertising cases in the months and years ahead. While it’s too soon to tell, we will keep you posted as they unfold. As always, you can contact the authors, Stacy Marcus and Joe Rosenbaum, or any Rimon attorney with whom you regularly work, for more information or assistance.

Online Behavioral Advertising – Congress Poised to Act

Late last week, Rep. Rick Boucher (D-Va.), who chairs the Subcommittee on Communications, Technology and the Internet, released a statement indicating that despite industry collaboration and efforts at self-regulation, his belief is that government regulation remains necessary. Rep. Boucher intends to introduce legislation, regulating online behavioral advertising. His statement notes that the intention would be “to assure Internet users a high degree of privacy protection, including transparency about the collection, use and sharing of information about them and to give them control over that collection, use and sharing,” and that the advertising industry’s self-regulatory principles, “while proactive . . . . do not go far enough.”

In deference to the industry, however, Rep. Boucher’s statement also acknowledges that “online advertising supports much of the commercial content, applications and services that are available to Internet users today without charge,” and mentions that the intention of any legislation is not to disrupt well-established business models. The announcement asserts the legislation will have bipartisan support, and although it notes that actual draft legislation is not yet ready for prime time, it will be targeted primarily at privacy concerns, seeking to establish baseline standards relating to the disclosure, collection and use of consumer information, and safe harbors for advertisers that adhere to certain online practices in connection with these issues. In addition, the Federal Trade Commission will be given the authority to enforce the principles in the legislation and define the specific policies and practices that would allow advertisers to take advantage of the proposed safe harbor protections.

You can read all of Rep. Boucher’s statement right here. Fittingly, there is still time to register for tomorrow’s teleseminar “Are You Behaving Badly”, sponsored by the Advertising Technology & Media law practice at Rimon.

Self-Regulatory Online Behavioral Advertising Principles: What’s Déjà New?

In a speech in November 1942, Sir Winston Churchill remarked, “Now this is not the end. It is not even the beginning of the end. But it is, perhaps, the end of the beginning.”

So, if you have been following along with the original announcement and each of the following “principle summaries” posted on Legal Bytes:

. . . and, if you have read the actual report, then you will appreciate that “Self-Regulatory Principles for Online Behavioral Advertising”, consistent with the Federal Trade Commission’s support of industry self-regulation, are patterned after the highly successful record of the Council of Better Business Bureaus in regulating the traditional advertising industry for more than 30 years. A record that includes industry collaboration, self-regulatory principles and monitoring, and close collaboration with the Federal Trade Commission over the years, as the industry and advertising models evolved.

While one is always careful to ensure that at some point governmental intervention may be necessary to protect consumers from those who abuse the system or violate the law, the question to ask is whether and to what extent new or different regulation is required. That is certainly a question being asked (and being answered) by a coalition of 10 consumer advocacy and privacy groups in its recently released report, “Online Behavioral Tracking and Targeting Concerns and Solutions”, in response to the industry principles. More importantly, one may ask whether a concretized and codified piece of legislation is likely to remain relevant or even defensible in the face of innovation and technology that could not have been predicted five years ago and, I believe, will remain relatively unpredictable in the future.

That said, some aspects of advertising are predictable. Development, display and distribution mechanism will evolve dynamically as technology and innovation continue. Notions of consumer privacy and data protection will continue to evolve and be difficult to harmonize across nations, across cultural and local boundaries, and—because privacy is and has always been context specific—in time and space. What might have been considered private in 16th century France is very different from the concept of privacy that permeates the hearts and minds of citizens of Japan or Brazil today. Indeed, even the role of government in protecting one’s right to privacy and the use of information about oneself, is an ever-changing one. Advertising models and economics will continue to change, with metrics and quantification methodologies being sparred and argued over, recognizing that even the roles of advertisers, agencies, media buyers, and broadcast and publishing networks, as well as ISPs, search engine, browser and web hosting companies—the technology players—are and will continue to change. Wireless and mobile devices will continue to expand the domain of advertising and challenge our ability to capture consumers’ interest on tiny mobile screens, while the opposite is taking place in our living rooms—with the separation of desktop or laptop computing and home television and entertainment centers being increasingly irrelevant (and screens becoming larger). Oh, and did we forget to mention how online gaming and the interplay between gaming console, entertainment and product placement, virtual worlds and display advertising, are all blurring (pardon the pun) right before our eyes?

So if you have ever attempted to change a tire on a moving automobile, you have a vision of what the “industry” is and will look like in the future. Under these circumstances, traditional regulation as we knew it, may not make sense. What might make sense is a more dynamic system of regulation. One that is more flexible, more adaptable and more capable of interacting and reacting to changing circumstances, mechanisms, technology and the environment. Perhaps allowing the industry and the Federal Trade Commission, in conjunction with other agencies already tasked with the mission of protecting consumers within their particular areas of authority (e.g., FDA, FCC, FAA, and the list goes on) to develop self-regulatory enforcement mechanisms, referral mechanisms, and a track record, may be the best way to determine what, where and when regulation may be needed.

In the meantime, you may want to ask yourself if you are misbehaving as an advertiser or marketing professional, and register and listen in to our “Are You Behaving Badly” Teleseminar Sept. 30, which will tackle current issues in global regulation of behavioral advertising.

As always, I and my colleagues in the Advertising Technology & Media law practice at Rimon are ready to assist in guiding, advising and providing legal support where and when you need it. We’ve been changing tires for more than a century!

Rimon DC Office Hosting Next FCBA Privacy/Data Security & Legislative Committees Meeting

Rimon will host the next brown bag lunch meeting of the Federal Communications Bar Association’s joint Privacy/Data Security and Legislative Committees. The meeting will be held on October 13, 2009 between 12:00 noon – 2:00 p.m. at Rimon’s Washington, D.C. offices (1301 K Street, NW, Suite 1100 East Tower). The Committees will discuss the legislative priorities for the 111th Congress with special emphasis on behavioral marketing and data security legislation. The following speakers are confirmed to-date: Amy Levine, Legislative Counsel to Congressman Rich Boucher; and Paul Cancienne, Legislative Aide to Congresswoman Mary Bono Mack. We also have invited staff from the U.S. Senate. Please RSVP to Desiree Logan at to attend.

Self-Regulatory Online Behavioral Advertising Principle No. 7: Accountability

This post was also written by Adam Snukal.

Well, here it is. A summary of the last of the seven principles contained in the Self-Regulatory Online Behavioral Advertising Principles released by the Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau, in concert with the Council of Better Business Bureaus. The seven principles are:

The Accountability principle is the one concerned with the “effect,” rather than the “cause” and calls upon the industry to establish and implement programs to monitor its online behavioral advertising activities and take steps to ensure compliance with the principles within a self-regulatory framework. In the context of the self-regulatory principles, Accountability means – monitoring, transparency, reporting and compliance.

  • Monitoring: Both random and systematic, depending on the circumstances;
  • Transparency: Widely available, easy to use communication tools and channels so that the public, competitors and government agencies can file complaints when the Principles are violated;
  • Reporting: Violators will be publicly reported, including the reason for a finding of violation, a description of the violation, and the actions taken in response to, and to correct, the non-compliance; and
  • Compliance: The establishment of mechanisms and procedures to bring any publicly-reported entity into compliance with the principles, or, if necessary, to refer the violation to the appropriate government agency.

The Accountability principle also notes the importance of coordination and consistency among programs to promote efficiencies in implementation, so as to avoid multiple enforcement actions against the same entity for the same violation.

While the blueprint for the specifics surrounding the proposed monitoring, transparency, reporting and compliance initiatives under this principle are yet to be drawn, the Direct Marketing Association (“DMA”) and National Advertising Review Council of the Council of Better Business Bureaus (“CBBB”), have agreed to cooperate and collaborate, with the stated goal of having something in place by early 2010. Both the DMA and the CBBB were called upon to provide leadership in this area because of their widely respected existing self-regulatory accountability programs. The DMA also has agreed to integrate the principles into its longstanding DMA Self-Regulatory and Compliance Tools.

If you would like to read the entire “Self-Regulatory Principles for Online Behavioral Advertising” report now, in its entirety, just follow the link, but stay tuned for next week, when we will post a short consolidated summary of all seven principles and you can always read the entire “Self-Regulatory Principles for Online Behavioral Advertising” report here. So now, as always, if you have any questions or need help, please feel free to contact Adam Snukal or me, or any of the Rimon attorneys with whom you regularly work.

Are You Behaving Badly? Global Regulation of Behavioral Marketing

On Wednesday, September 30, 2009, from 12 noon – 1 p.m. (U.S. EDT), Rimon will be hosting a teleseminar as part of its “Doing Business Globally” series. Entitled Global Regulation of Behavioral Marketing, this seminar will be presented by Rimon partners Douglas J. Wood and Joseph I. Rosenbaum from New York, and Gregor Pryor from London. The seminar will explore the legal implications to advertisers, marketing professionals and brands associated with the labyrinth of global regulation increasingly applicable, or newly enacted, in connection with the targeting of consumers — on and off the web — through behavioral marketing.

Privacy and consumer groups object to such sophisticated techniques, fearful it further erodes what little privacy protection remains. Regulators are concerned such practices may violate privacy and data protection laws, or worse, are simply not covered by existing law and regulation. Marketers respond that such advances allow for a far more efficient, consumer-friendly marketplace, and that self-regulation has been a successful model in the advertising industry for more than 30 years. In this interconnected, networked age of social networking and global communication, understanding the implications and the legal and regulatory landscape is critical for every advertising professional and marketer, and the brands they represent. The camps remain far apart. Advertising industry associations call for self-regulation, recently releasing a report entitled Self-Regulatory Principles for Online Behavioral Advertising. Only about two months later, as previously reported in Legal Bytes, a coalition of 10 consumer advocacy and privacy groups released a fresh call for new regulation in a report referred to as a Legislative Primer, entitled Online Behavioral Tracking and Targeting Concerns and Solutions. The dividing lines remain drawn, tensions remain high, and the balance unclear – perhaps because the technology environment keeps rewriting the rules of engagement. Want to know more? Don’t miss this informative presentation.

Join us for this exciting and timely Rimon Teleseminar. You can view the Invitation to obtain more information, or go right to the Registration page. We look forward to your participation.

Self-Regulatory Online Behavioral Advertising Principle No. 6: Sensitive Data

This post was also written by Anthony S. Traymore.

Almost down to the wire, here is the next installment summarizing the sixth of the seven principles contained in the Self-Regulatory Online Behavioral Advertising Principles released by the Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau, in concert with the Council of Better Business Bureaus. For reference, the seven enumerated principles are:

The Sensitive Data principle segments sensitive data into two basic categories – personal information of children under the age of 13, and financial and health-related information, regardless of the age of the individual.

The Sensitive Data principle segments sensitive data into two basic categories – personal information of children under the age of 13, and financial and health-related information, regardless of the age of the individual.

With respect to the collection and use of data for online behavioral marketing purposes, if you have actual knowledge that any of the information being collected is from individuals under the age of 13, or if your website is targeted at children under the age of 13, the Sensitive Data principle states you should not be collecting any personal information from or be engaged in any online behavioral advertising with regard to that individual, unless you comply with the Children’s Online Privacy Protection Act (COPPA), and then, only to the extent specifically allowed by COPPA.

In case you’ve forgotten, COPPA requires you to have “verifiable parental consent” prior to collecting any personal data from children under the age of 13. The Federal Trade Commission routinely enforces COPPA, and violations may carry fines in excess of $1 million, in addition to the damage to goodwill and public image that can result. Compliance with the provisions of COPPA is tricky. While this post will not belabor the ambiguities that have already been reported about what constitutes “verifiable parental consent“, suffice it to say that when dealing with children under the age of 13, it is best to exercise considerable caution in connection with online marketing efforts – behavioral or otherwise – and to always consult an attorney well-versed in guiding you through the compliance maze.

With respect to personal information related to an individual’s financial or health status, age is not relevant to this sixth principle. What is relevant is the requirement that you obtain the consent of the individual if you are collecting the information online and you intend to use it. Prudent practice would indicate you should affirmatively obtain the individual’s consent in advance – whether during the process of registration, through formal acceptance of terms of use that clearly solicit consent, or through any other means. Clearly, if you plan to share this information with third parties in connection with online behavioral marketing efforts, you should indicate that to the individual. In all cases, the principle notes that you should always provide the individual with the right and an option, at any time, to opt-out of the use of his or her information for such purposes.

As mentioned, this is the sixth of the seven principles being highlighted, but if you would like to read the entire “Self-Regulatory Principles for Online Behavioral Advertising” report now, in its entirety, just follow the link. Legal Bytes will be bringing you a summary of the remaining principle next week. And now, as always, if you have any questions or need help, please feel free to contact Anthony S. Traymore or me, or any of the Rimon attorneys with whom you regularly work.

Privacy and Consumer Groups Want More Than Just Self-Regulation

This post was also written by Adam Snukal.

As previously reported in Legal Bytes, it seems that not everyone is satisfied with the Self-Regulatory Principles for Online Behavioral Advertising recently promulgated by several leading advertising associations. A group of 10 consumer and privacy advocacy organizations (i.e., Center for Digital Democracy, Consumer Federation of America, Consumers Union, Consumer Watchdog, Electronic Frontier Foundation, Privacy Lives, Privacy Rights Clearinghouse, Privacy Times, U.S. Public Interest Research Group and The World Privacy Forum called on Congress earlier this week to enact legislation in response to what they feel are genuine threats to privacy arising from online behavioral tracking and targeting.

The guiding principles the coalition wants Congress to follow in its enactment of privacy legislation are substantively contained in the following Fair Information Practices (“FIP”), which the coalition claims has been the foundation of U.S. privacy policies for decades: collection limitations, data quality, purpose specification/communication, use limitation, security safeguards, appropriate openness, individual participation and knowledge rights, accountability, and redress. FIP was coined by a U.S. government advisory committee in 1973 in response to the use of automated data systems that contained information about individuals. The U.S. Privacy Act of 1974 established a code of fair information practices, and the FTC refers to these practices in a report entitled, Privacy Online: Fair Information Practices in the Electronic Marketplace (May 2000).

A sample of the principles contained in the coalition’s Legislative Primer, entitled Online Behavioral Tracking and Targeting Concerns and Solutions, includes:

  • A definition of “sensitive information,” along with guidelines as to the kinds of data that should not be collected or used for behavioral tracking/targeting
  • A prohibition on the collection or use of data from anyone under the age of 18
  • The right of an individual to obtain access to his/her personal or behavioral data
  • Personal and behavioral data collected must be relevant for the purposes for which they are to be used
  • A private right of action given to each individual whose data is collected and tracked, along with liquidated damages and appropriate federal/state regulation and oversight

Given the July release of self-regulatory principles, crafted and widely embraced by the advertising industry, with explicit support for self-regulation from the FTC itself, and three decades of successful self-regulation in the advertising industry (guided by the Council of Better Business Bureaus), it is not clear why a spokesperson for the Privacy Rights Clearinghouse would take the position that “The record is clear: self-regulation doesn’t work. It is time for Congress to step in and codify the principles into law.” Or why a spokesperson for Consumer Watchdog commented: “We’ve seen in industry after industry what happens when the fox is left to guard the chicken coop – consumers lose.”

With Congressman Boucher (D-Va.), Chairman of the Subcommittee on Communications, Technology and the Internet, indicating that his Subcommittee intends to visit this issue in the fall, it is not clear whether Congress will allow the industry and the FTC an opportunity to give self-regulation time to work, or if a perceived need to “do something” and change the status quo remains. One thing has not changed: the positions of the industry and consumer and privacy advocacy groups.

Legal Bytes will keep you posted on developments in this area as they evolve, but if you need help or want further information, feel free to contact Adam Snukal, me, or any of the Rimon attorneys with whom you regularly work.