In February, the U.S. Federal Trade Commission (FTC) revised its guidelines for companies that wish to perform targeted advertising (a/k/a behavioral advertising or behavioral targeting) programs:
"... a report describing its ongoing examination of online behavioral advertising and setting forth revisions to proposed principles to govern self-regulatory efforts in this area. The key issue concerns how online advertisers can best protect consumers’ privacy while collecting information about their online activities."
In 2008, I wrote a series of blog posts about targeted advertising, the FTC's request for feedback from consumers, the role of ISPs, and associated privacy and data breach concerns. Since then, the FTC has modified slightly its guidelines in this latest report. I am following the FTC's actions on this topic because it must balance the needs of businesses against the data security needs of consumers. It's not just a privacy issue, but also a data security issue.
In its press release, the FTC said:
"... most of the public comments the FTC received concern the scope of the proposed principles. For example, commenters discussed whether it is necessary to provide privacy protections for data that is not personally identifiable. In response, the report states that privacy protections should cover any data that reasonably can be associated with a particular consumer or computer or other device."
So far, okay. There's more:
"... commenters questioned the need to apply the principles to (1) “first party” behavioral advertising, in which a Web site collects consumer information to deliver targeted advertising at its site, but does not share any of that information with third parties, and (2) contextual advertising, which targets advertisements based on the Web page a consumer is viewing or a search query the consumer has made, and involves little or no data storage. The report concludes that fewer privacy concerns may be associated with “first-party” and “contextual” advertising than with other behavioral advertising, and concludes that it is not necessary to include such advertising within the scope of the principles... however... companies must still comply with all applicable privacy laws..."
So far, okay. There's more:
"The report also provides additional guidance regarding each of the four principles and sets forth revised principles reflecting this guidance. The first principle – transparency and consumer control – remains unchanged... Web sites are expected to provide clear and prominent notice regarding behavioral advertising, as well as an easily accessible way for consumers to choose whether to have their information collected... privacy policies posted on companies’ Web sites often are long and difficult to understand, the report encourages firms to design creative and effective disclosure mechanisms... the report continues to urge companies to provide reasonable security for any data they collect for behavioral advertising and to retain data only as long as it is needed to fulfill a legitimate business or law enforcement need."
So far, okay. The guidelines that changed:
The FTC is urging companies to use opt-in mechanisms and not opt-out mechanisms. That is, consumers only participate in a company's targeted advertising program after expressly opting into the program. Prior attempts by ISPs and others were automatic inclusion forcing consumers to opt-out. Opt-in is more consumer friendly and compatible. I wish that the FTC was stronger in its language. "Urge" does not seem compelling enoough. "Require" would have been far better.
Consumers interested in details should download the FTC report (PDF, 412k bytes).