Posted On: February 3, 2010 by David Johnson

The FTC's Privacy Initiatives Pose a Threat to Online Behavioral Advertising, Despite the Lack of a Clear Congressional or Public Mandate

Digital media law update: The FTC has been working on Internet privacy policy since at least 1995. It is currently engaged in a series of roundtables focusing on privacy and behavioral advertising. However, the shape of any new regulations is very fuzzy. This may be because the data on the public's true interest in the issue is conflicting and because there is no clear Congressional mandate.

At the FTC's December 2009 privacy roundtable, panelists raised concerns that collection and third-party use of browsing data invades private space by: (1) revealing a user's innermost thoughts, such as a search history that reflects a user's explorations of his sexual identity, (2) taking away a user's control over her identity, such as by broadcasting compromising photos of a user at a Cancun Spring Break party to a potential employer, (3) revealing sensitive identity or financial information that can be misused by third parties to perpetrate fraud, or (4) intruding on a user's seclusion by serving targeted ads during a browsing session that reveal that outsiders are listening in.

Survey data presented at the roundtable indicated that consumers are aware that information is being collected about them online and are uncomfortable with the idea that third parties are using this data. Alan Westin of Columbia University stated that surveys indicate that "a majority ranging in numbers from low of 50% all the way up to 70% to 80% say they're uncomfortable with behavioral marketing and would want to have at a minimum a kind of notice, choice, security and ways of intervening that would give them some comfort if they were going to have their information tracked in that way."

A growing number of firms with online presences are offering users a chance to review the data being collected about them and to opt out of or change the collection and use of that data. For example, Google's Dashboard and Ad Preferences Managers provide users with extensive details on the browsing history Google has collected about them. They also let users select or de-select ad categories they want served to them.

However, most users do not take advantage of these "notice and choice" systems. According to Google's head of U.S. public policy, Alan Davidson, Google gets "tens of thousands of unique visitors to these sites each week." However, "four times as many people who come as visitors to the site actually change their preferences rather than opting out. . . . [a]nd actually, ten times as many people actually do nothing." Rick Erwin of Experian Marketing Services stated that about 7200 consumers choose to opt out of Experian's marketing data collection activities. Jennifer Barrett from Acxiom stated that over the past ten years "about a half a million consumers" have asked to opt out or correct information gathered by her site.

One explanation for the low level of consumer response to notice and choice systems is that these systems are simply too complex and confusing for consumers to navigate. Another explanation is that despite the survey data and a few incidents where use of private data led to personal woe, consumers are really not that concerned about the collection and use of their personal data.

The collection and use of browsing and other consumer data brings many benefits. Targeted advertising based on user browsing and demographic data eliminates ads that are irrelevant to users. It also lets advertisers be more responsible -- for example, enabling them to avoid serving up ads for alcohol to minors. Browsing, demographic and other data also drive Internet analytics, which helps site developers refine their sites and make them more useful and interesting to users.

Behaviorally targeted advertising is also far more effective for advertisers. According to panelist Omar Tawakol, CEO of BlueKAI, an online data brokerage firm, targeted advertising sells for around 10 times the price of non-targeted or "network" advertising: "Run[s] of network pricing tends to be in the tens of cents. And typically when you use reasonable behavioral data to sell a campaign to an advertiser, it's going to be anywhere from the $2 to $8 range. So you're lifting inventory that would be anywhere from like 10 cents to 50 cents to $2 to $8 when you're talking about applying data to a run of network buy." Since users respond far more frequently to targeted advertising, I would argue that they are far more satisfied with this form of advertising, as well.

Despite this market evidence, FTC officials insist that the current "notice and choice" (generally, opt-out) and "harm-based" (public or private right to sue for actual damages) approaches used to police online privacy are not sufficient. At the December 9 roundtable, FTC chairman Jon Leibowitz stated "I've been a supporter of opt-in for quite some time."

However, going to a pure opt-in system would vastly decrease user participation in data collection -- likely dooming behavioral targeting. According to Berin Szoka, Director of the Center for Internet Freedom, a market-oriented advocacy group, moving to an all opt-in approach could result in "having 10% or less people opt-in." Given the low participation in the current opt-out systems, my guess is that participation could be far lower -- well under 1% -- unless, perhaps, users were given a serious financial incentive to opt in.

While the FTC is making noises about imposing stricter online privacy rules, it is not clear that it has the statutory authority to do so. There are Federal laws mandating privacy for medical, financial, children's and educational records, but there is no general Federal statute requiring that other consumer data be kept private. (See our post of November 4, 2009). The FTC has statutory authority to prosecute businesses that engage in commercial activities that are unfair or that involve misrepresentations. But the FTC Act is not a general grant of jurisdiction to the FTC to "go out and do good" and enact prescriptive regulations -- that may or may not benefit consumers -- wherever it sees fit.

At present, businesses are probably on safe ground if they comply with the "Self-Regulatory Principles for Online Behavioral Advertising" announced by the FTC in 2007. These require behavioral targeters to (1) disclose their data collection and use, and provide users with an opt-in or opt-out, (2) provide reasonable data security measures, (3) obtain affirmative express consent from users before using data in a materially different way than initially promised, and (4) obtain affirmative express consent -- that is compliant with COPPA, FCRA or GLB requirements -- before using "sensitive data" about children, finances or health. (FN1)

This does not mean that firms involved in behavioral targeting can be complacent about the current FTC efforts to increase over online privacy. Even though the FTC may lack statutory authority to enact more restrictive regulations, this doesn't mean that it won't attempt to do so anyway, via rulemaking or prosecution. It can take years or decades -- if ever -- for the courts to step in and curb the regulatory excesses of Federal agencies.

David Johnson's practice focuses on complex litigation and science, technology and health law. David can be contacted at (415) 399-6032 or DJohnson@ebglaw.com.

Notes:

FN1 Businesses also need to comply with relevant state laws, such as California's OPPA, and international regulations, to the extent these apply.