Behavioral Advertising: What It Is And The Proposed FTC Rules (Part One)

This is a subject I probably should have written about sooner. On November 1 and 2, 2007, the FTC hosted a conference entitled “Ehavioral Advertising: Tracking, Targeting, and Technology.” The event included consumer advocates, industry representatives, technology experts, and academics to address consumer protection issues.

In December 2007, the U.S. Federal Trade Commission (FTC) released its proposed rules document for companies who wish to engage in behavioral advertising (also called behavioral targeting). I am not discussing in this post whether or not behavioral advertising works. There are several case studies where companies have evaluated how best to perform behavioral advertising. Rather, this post explores some of the consumer privacy and data security issues.

When you visit web sites today, many companies display ads related to the content of the site pages you view. Some companies include software that saves information to the HTTP cookies file on your computer, which is used by your web browser software. We consumers have the choice about how we surf the web. You can set your web browser software to accept or prohibit web sites from accessing the HTTP cookie file. It's been this way for many years.

Behavioral advertising is not new. A few companies and newspapers have used behavioral targeting for years. Of course, there also are advertising networks which focus on behavioral targeting, including NebuAd's offering for ISPs. You can read several blogs about behavioral advertising.

Previously, companies have used behavioral advertising based on the pages you visit within a single web site. What's changing is that companies plan to use behavioral advertising based on both the pages you visit within a single web site (e.g., On-site targeting) and across several web sites (e.g., Network targeting), plus the search keywords you enter at search engine web sites.

So participants at the above conference discussed with the FTC possible rules to keep things manageable. In its proposed rules document, the FTC defined behavioral advertising as:

"... the tracking of a consumer’s activities online – including the searches the consumer has conducted, the web pages visited, and the content viewed – in order to deliver advertising targeted to the individual consumer’s interests."

In my opinion, the Decision Science News blog offers a better definition:

"Behavioral Targeting is the ability to deliver ads to consumers based upon their recent behavior viewing web pages, shopping online for products and services, typing keywords into a search engine or a combination of all three. 'Interest-Based Targeting allows large-brand advertisers… to target more precisely the audience they are trying to reach with the message they are trying to convey'..."

In its proposed rules document, the FTC described the benefits as:

"... behavioral advertising provides benefits to consumers in the form of free web content and personalized ads that many consumers value... The benefits include, for example, access to newspapers and information from around the world, provided free because it is subsidized by online advertising; tailored ads that facilitate comparison shopping for the specific products that consumers want; and, potentially, a reduction in ads that are irrelevant to consumers’ interests and that may therefore be unwelcome."

The FTC proposed several rules to solve several concerns:

Concern	Proposed FTC Rule
1. Transparency and consumer control: many criticize existing disclosures as difficult to understand, inaccessible, and overly technical and long. They also stated that, with clearer disclosures, consumers can make more informed decisions about whether or not they want personalized advertising or, alternatively, whether they would prefer not to do business at particular websites.	Every website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that (1) data about consumers’ activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers’ interests, and (2) consumers can choose whether or not to have their information collected for such purpose. The website should also provide consumers with a clear, easy-to-use, and accessible method for exercising this option.
2a. Reasonable security, and limited data retention, for consumer data: many expressed concerns that data collected for behavioral advertising may not be adequately secured and could find its way into the hands of criminals or other wrongdoers.	Any company that collects and/or stores consumer data for behavioral advertising should provide reasonable security for that data. Consistent with the data security laws and the FTC’s data security enforcement actions, such protections should be based on the sensitivity of the data, the nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company.
2b. Reasonable security, and limited data retention, for consumer data: many expressed concerns about the length of time that companies retain consumer data collected for behavioral advertising. The longer that data is stored in company databases, the greater the risks to the data.	Companies should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need. FTC staff commends recent efforts by some industry members to reduce the time period for which they are retaining data. However, FTC staff seeks comment on whether companies can and should reduce their retention periods further.
3. Affirmative express consent for material changes to existing privacy promises: the privacy policy – a set of commitments about how information is handled – not only is an important tool for providing information to consumers, but also serves to promote accountability among businesses.	A company must keep any promises that it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date. Therefore, before a company can use data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers. This principle would apply in a corporate merger situation to the extent that the merger creates material changes in the way the companies collect, use, and share data.
4. Affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising: the use of sensitive data (for example, information about health conditions, sexual orientation, or children’s activities online) to target advertising, particularly when the data can be traced back to a particular individual. They state that consumers may not welcome such advertising even if the information is not personally identifiable; they may view it as invasive or, in a household where multiple users access one computer, it may reveal confidential information about an individual to other members.	Companies should only collect sensitive data for behavioral advertising if they obtain affirmative express consent from the consumer to receive such advertising. FTC staff seeks specific input on (1) what classes of information should be considered sensitive, and (2) whether using sensitive data for behavioral targeting should not be permitted, rather than subject to consumer choice.
Using tracking data for purposes other than behavioral advertising: consumer tracking data collected and stored for behavioral advertising could be used for other potentially harmful purposes. To the extent that the collection of data for behavioral advertising is invisible to consumers, such secondary uses of the data may be especially so.	FTC staff seeks additional information about the potential uses of tracking data beyond behavioral advertising and, in particular: (1) which secondary uses raise concerns, (2) whether companies are in fact using data for these secondary purposes, (3) whether the concerns about secondary uses are limited to the use of personally identifiable data or also extend to non-personally identifiable data, and (4) whether secondary uses, if they occur, merit some form of heightened protection.

The FTC has extended the deadline for submissions to April 11, 2008. Comments can include any concerns you have, changes you feel are necessary to the proposed FTC rules, the types of consumers' personal data you believe should be considered sensitive, and anything else you feel is relevant. Send your comments to the FTC at:
Secretary
Federal Trade Commission
Room H-135 (Annex N)
600 Pennsylvania Avenue, NW
Washington, DC 20580

You can also submit comments to the FTC online via BehavioralMarketingPrinciples@ftc.gov. Some public comments are already available online at the FTC web site.

Credit Monitoring vs. Credit Restoration: What's The Difference?

Recently, a friend asked me what the difference is between "credit monitoring" and "credit restoration." While writing this blog, I kept some notes which morphed into the comparison chart below:

	Credit Monitoring	Credit Restoration
Definition	The process of reviewing a consumer's credit reports and credit scores at the three national credit bureaus. May also includes alerts when a credit bureau provides the consumer's credit report to potential lenders.	A process of notifying law enforcement, credit bureaus, banks, lenders, state and local government agencies, federal agencies, and other companies about the theft of a consumer's identity and/or money; and the process of correcting the information in the victim's credit reports.
Advantages	1. Includes alerts via cellphone and/or via e-mail 2. Timely alerts minimize the amount of money stolen or damage done by identity thieves 3. Almost always provided for free for 1 or 2 years by companies that have had a data breach 4. Service usually includes the full text of your credit report from all 3 national credit bureaus 5. Service may include tips on how to improve your credit score and manage your credit	1. Professionals do the work a consumer may not have the time or knowledge to complete 2. The better services include both credit/financial and non-credit/criminal work 3. The better services do most or all of the restoration work as the victim's agent 4. May include an insurance policy to cover expenses and legal fees incurred 5. Sometimes provided for free for 1 year by companies that have had a data breach
Disadvantages	1. Monthly fees vary widely 2. Can be difficult to compare services 3. Many credit monitoring services don't include credit restoration services	1. Monthly fees vary widely 2. Can be difficult to compare services 3. Usually, insurance doesn't cover actual money lost or stolen 4. Often not included in many credit monitoring services
Availability	Provided by many banks, credit bureaus, and independent companies	Provided by some banks, but mostly by independent companies

Which is best? It really depends upon your personal situation. If you are unfamiliar with identity theft, then a comprehensive credit monitoring service probably is best. Several resources are listed in the right column under "Credit Monitoring Services." If you are a DIYer (Do It Yourself) who gets your free credit reports at www.annualcreditreport.com, then a credit restoration service may be best.

As things change, I will update the above chart.

Want to learn more? Read prior posts about credit-monitoring services. You probably will want to read about the Security Freeze and C.L.U.E. insurance report topics. I urge everyone to consider opt-out resources to reduce your identity theft risk.

Fraud Alert or Credit Freeze: What's The Difference?

While discussing identity theft with a business acquaintance, the topic came up about how best to protect our identities. The person mentioned that they had a Credit Freeze in place, but that it was only good for 90 days. This was a clue to me that the person had a Fraud Alert in place and not a Credit Freeze. A comparison of the two options:

	Fraud / Security Alert	Credit / Security Freeze
Definition	A special message attached to a consumer's credit file that indicates the individual may be a victim of identity theft. The alert may require potential lenders to contact the consumer via phone before issuing credit.	A feature for national credit reports where all companies and potential lenders (except where exempted by law) cannot access a consumer's credit report without the consumer's permission.
Advantages	1. Free for consumers 2. Alert durations available for 90 days or 7 years. Military personnel: Active-Duty Alert (12 months) 3. After adding an alert at one credit bureau, the other 2 credit bureaus automatically add an alert	1. Generally, free only for identity theft victims (IL, NM, and RI: free for all residents 65+) 2. Stops identity thieves from opening new accounts or getting credit, loans, or mortgages in your name 3. Stops credit bureaus from distributing your credit report 4. Consumer can lift or remove the freeze when needed for potential lenders (PIN number provided)
Disadvantages	1. Credit bureaus still distribute your credit report 2. Identity thieves can apply for credit or loans and approval may still "sneak through"	1. If you are not an identity theft victim, fees apply to add, lift, or remove a freeze at each credit bureau 2. You must add, lift, and remove a freeze separately at each credit bureau 3. To apply for credit, you must temporarily lift the freeze on your credit reports. This may cause a delay getting credit approval 4. Banks and companies that provide consumer data to the credit bureau will not be allowed to update the name, address, SS#, and birth-date data on your credit reports
Availability	Nationwide	Nationwide, including Puerto Rico, Guam and the U.S. Virgin Islands
Other	1. Adults only	1. Adults only 2. Temporary freeze lift: 3 days minimum and 30 days maximum

Want to learn more? You should be aware of certain identity-theft situations where neither a Security Freeze nor a Fraud Alert will prevent. Also, the Security Freeze laws in many states do not cover consumers' C.L.U.E. insurance reports. You still should shred snail-mail and paper documents with sensitive personal data. And, for maximum protection you should also take advantage of the opt-out resources.