The United States Federal Trade Commission (FTC) has been involved in oversight of the behavioral targeting techniques used by online advertisers since the mid-1990s. These techniques, initially called "online profiling", are now referred to as "behavioral targeting"; they are used to target online behavioral advertising (OBA) to consumers based on preferences inferred from their online behavior. During the period from the mid-1990s to the present, the FTC held a series of workshops, published a number of reports, and gave numerous recommendations regarding both industry self-<u>regulation</u> and Federal regulation of OBA. In late 2010, the FTC proposed a legislative framework for U.S. consumer data privacy including a proposal for a "Do Not Track" mechanism. In 2011, a number of bills were introduced into the United States Congress that would regulate OBA.
âÂÂThe Federal Trade Commission has been involved in addressing online privacy issues for almost as long as there has been an online marketplace.â The FTC is now responsible for the enforcement of a number of sector-specific privacy statues, including the Gramm-Leach-Bliley Act, the Children's Online Privacy Protection Act, the CAN-SPAM Act of 2003, and the Telemarketing and Consumer Fraud and Abuse Prevention Act (âÂÂDo Not Call RuleâÂÂ).
In 1995, 1996, and 1997 the FTC held public workshops exploring consumer data privacy issues. At these workshops, online advertising industry advocates pressed for self-regulation, while privacy advocates argued that self-regulation could only be successful when backed up by âÂÂlegally enforceable rights to information privacyâÂÂ. Industry lobbyists argued for opt-out, which allows companies to use personal information for the purposes stated in a privacy policy or other form of notification, unless the consumer âÂÂopts-outâ and notifies the company not to use the personal information in a certain manner, such as for marketing. Privacy advocates argued for prior affirmative consent, and suggested that software could be used by consumers to communicate their privacy preferences automatically.
In 1998, the FTC released a report in which it undertook a comprehensive review of commercial websitesâ disclosures of their privacy practices and laid out the Fair Information Practice Principles (FIPPs). The report concluded that, âÂÂ[a]s evidenced by the CommissionâÂÂs survey results, and despite the CommissionâÂÂs three-year privacy initiative supporting a self-regulatory response to consumersâ privacy concerns, the vast majority of online businesses have yet to adopt even the most fundamental fair information practice (notice/awareness)âÂÂ.
The FTC held a further public workshop in 1999, and in May 2000, released a report which for the first time recommended that Congress pass online privacy legislation to create a basic level of data privacy protection for consumer-oriented commercial web sites.
In July 2000, the FTC recommended for the first time that legislation should be passed to protect Internet userâÂÂs privacy vis-à-vis online profiling. The FTC further stated that âÂÂbackstop legislation addressing online profiling is still required to fully ensure that consumersâ privacy is protected onlineâ and recommended that [technology neutral] legislation be passed that created a basic level of privacy protection for users of âÂÂconsumer-oriented commercial websites with respect to profilingâÂÂ. Under the FTCâÂÂs 2000 proposal, all online advertising networks and consumer-oriented commercial websites that allowed the collection of information from or about consumers would be required to implement and comply with the FIPPs.
Congress did not enact the FTCâÂÂs recommended legislation, and another decade would pass before the FTC again proposed legislation to regulate OBA.
FTC Commissioner Timothy Muris turned the FTCâÂÂs attention away from online privacy and OBA regulation in 2001, stating, âÂÂ[t]he slowing of the growth of the Internet emphasizes the need to understand the cost of online privacy legislationâ¦At this time, we need more law enforcement, not more lawsâÂÂ.
In 2006 the FTC once again took up the mantle of online privacy protection at the November 2006 FTC forum, âÂÂTech-adeâÂÂ, which examined the âÂÂkey technological and business developments that will shape consumersâ core experiences in the coming ten yearsâÂÂ. Participants at the forum described how technological advances in online profiling (now called âÂÂbehavioralâ advertising, targeting, or marketing), had allowed the practice to become more widespread and efficient.
Building on the Tech-ade hearings, the FTC hosted a town hall meeting in November 2007 focused specifically on the privacy implications of behavioral advertising practices called, âÂÂBehavioral Advertising: Tracking, Targeting, and TechnologyâÂÂ. The public meeting was prompted, in part, by the growth of behavioral advertising and the interest of large Internet companies in using such techniques to deliver narrowly targeted ads. These developments included GoogleâÂÂs plans to acquire DoubleClick, AOLâÂÂs interest in Tacoda, and Microsoft and YahooâÂÂs continued expansion of their own behavioral advertising products. They also included a presentation by eBay with a live demonstration of the ebay.com website, highlighting the first on ad links enabling consumers to opt out of behavioral ads via an eBay program called AdChoice.
In December 2007, the FTC promulgated a set of proposed âÂÂPrinciplesâ intended to provide a basis for the online advertising industryâÂÂs self-regulatory efforts to address privacy concerns. The Principles âÂÂcall for companies to obtain affirmative express consent from consumers before they use data in a manner that is materially different than promised at the time of collection and before they collect and use 'sensitive' consumer data for behavioral advertisingâÂÂ.
The FTC followed up this 2007 report with a further report in 2009, which further clarified the self-regulatory principles. At the time, a coalition of consumer groups proposed a âÂÂDo Not Track Listâ in their comments to the 2007 town hall meeting.
In a December 2010 report, the FTC proposed a new regulatory framework for consumer data privacy, including a proposal for a âÂÂDo Not Trackâ mechanism which would allow Internet users to opt out of OBA.
In the report the FTC describes the limitations of the existing notice and choice model, which it states, âÂÂhave become increasingly apparent in recent yearsâÂÂ. The FTC states that the notice and choice-based model, âÂÂencourages companies to develop privacy notices describing their information collection and use practices to consumers, so that consumers can make informed choicesâÂÂ. However, âÂÂthe notice-and-choice model, as implemented, has led to long, incomprehensible privacy policies that consumers typically do not read, let alone understand. Likewise, the harm-based model has been criticized for failing to recognize a wider range of privacy-related concerns, including reputational harm or the fear of being monitoredâÂÂ.
In order to address the issues with the notice-and-choice-based model, the FTCâÂÂs proposed privacy framework calls on companies to provide consumers with a meaningful choice in regards to OBA tracking, but sets forth âÂÂa limited set of data practices for which choice is not necessaryâ called âÂÂcommonly accepted practicesâÂÂ. The commonly accepted practices include: Product and service fulfillment, internal operations, fraud prevention, legal compliance and first-party marketing, including contextual marketing.
OBA, along with deep packet inspection (DPI), are specifically noted as not âÂÂcommonly accepted practicesâÂÂ. Furthermore, the report states that the FTC supports prior âÂÂaffirmative express consentâ in regards to the collection of âÂÂsensitive informationâ (children, financial and medical information, precise geolocation data) for OBA.
In the 2010 report, the FTC proposed a âÂÂuniform and comprehensive consumer choice mechanismâ for OBA, referred to as âÂÂDo Not TrackâÂÂ. The FTC states, âÂÂ[t]he most practical method of providing uniform choice for online behavioral advertising would likely involve placing a setting similar to a persistent cookie on a consumerâÂÂs browser and conveying that setting to sites that the browser visits, to signal whether or not the consumer wants to be tracked or receive targeted advertisementsâÂÂ. The FTC believes that a "Do Not Track" mechanism is preferable to the existing browser-based cookie opt-outs as it is more âÂÂclear, easy to locate and effectiveâ and it conveys the userâÂÂs choice to opt out of tracking directly to websites.
On March 16, 2011, the FTC appeared before the United States Senate Commerce Committee. At the hearing, the FTC recommended imposing more stringent measures to protect Internet users against unauthorized tracking in support of behavioral advertising, including a universal Do Not Track browser setting.
The FTC also announced its first behavioral advertising case, filed against network advertiser Chitika for using a deceptive opt-out mechanism. As part of the settlement, the FTC required that Chitika link all its advertising to an effective opt-out mechanism in the future. It has been commented that, âÂÂ[t]his requirement of a hyperlink embedded in online advertisements is a good indicator of the type of Do Not Track mechanism that will be acceptable to the FTC if 'Do Not Track' becomes mandatoryâÂÂ.
At the same Senate hearing, the Barack Obama administration called for a new âÂÂInternet userâÂÂs bill of rightsâÂÂ, which would give the FTC authority to regulate online behavioral advertising.
Representative Jackie Speier (D-CA) introduced the âÂÂDo Not Track Me Online Act of 2011âÂÂ, which would authorize the FTC to promulgate regulations requiring online advertisers and websites to allow users to opt out of having their online activities tracked through the creation of a do-not-track mechanism. The bill gives users the ability to block all collection of data for OBA but gives an exception for commonly accepted practices such as fraud prevention and inventory control. The bill authorizes the FTC to enforce the new regulations by conducting random audits of Web publishers, although the proposed regulations contain an exception for websites that have less than 10,000 visitors per year. The bill never reached a vote and died in Congress.
On April 12, 2011, Senator John Kerry introduced the âÂÂCommercial Privacy Bill of Rights Act of 2011âÂÂ, co-sponsored by Senator John McCain. At the press conference to introduce the bill, Senators Kerry and McCain said that the bill struck a compromise between business and consumer interests, noting that the bill was supported by Microsoft, Intel, and eBay.
The bill tasks the FTC with developing rules specifically targeted at OBA, requiring companies to offer consumers âÂÂa robust, clear, and conspicuousâ opt-out mechanism from the use of their personally identifiable information by third parties âÂÂfor behavioral advertising or marketingâÂÂ.
The bill calls for the FTC to create regulations requiring businesses collecting personally identifiable information, such as names and email addresses, to provide âÂÂclear, concise and timely noticeâ of data collection, use and transfer, along with âÂÂa clear and conspicuous mechanism for opt-out consent for any unauthorized use of [consumers'] personally identifiable information.âÂÂ
The bill contains a provision which would require opt-in consent for the âÂÂcollection, use or transfer of sensitive personally identifiable informationâÂÂ. Sensitive personally identifiable information is defined as âÂÂpersonally identifiable information which, if lost, compromised, or disclosed without authorization either alone or with other information, carries a significant risk of economic or physical harmâ or is related to a particular medical condition, health record or the religious affiliation of an individual.
The bill also tasks the FTC with establishing a voluntary safe harbor program to review, approve, and monitor self-regulatory programs that provide consumers with âÂÂclear, conspicuous, persistent and effectiveâ opt-out from online behavioral advertising or location-based advertising. Once a self-regulatory program is approved by the FTC and the members of that program are covered by the safe harbor, those members would be exempt from some of the provisions of the bill.
The bill does not include the FTCâÂÂs proposed Do Not Track mechanism, which Senator McCain stated at the press conference, âÂÂdidn't seem to fit in our ability to get a balance for consumer and industry supportâÂÂ.
The bill also does not include a private right of action, leaving enforcement up to the FTC and State Attorneys General.
Consumer and privacy advocates have stated that the bill was not strong enough and should contain the FTCâÂÂs Do Not Track proposal.