FTC Proposes Online Behavioral Privacy Principles
“The purpose of this proposal is to encourage more meaningful and enforceable self-regulation to address the privacy concerns raised with respect to behavioral advertising,” the FTC said in its proposal. “In developing the principles, FTC staff was mindful of the need to maintain vigorous competition in online advertising as well as the importance of accommodating the wide variety of business models that exist in this area.”
The FTC proposal focuses on four major areas of concern: “transparency and consumer control, reasonable security and limited data retention for consumer data, affirmative express consent for material changes to existing privacy promises” and “affirmative express consent to [or prohibition against] using sensitive data for behavioral advertising.”
Concerning transparency and consumer control, the FTC proposal said that every website where data is collected for behavioral advertising purposes should “provide a clear, concise, consumer-friendly, and prominent statement that (1) data about consumers’ activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers’ interests, and (2) consumers can choose whether or not to have their information collected for such purpose.”
Websites also should offer consumers a “clear, easy-to-use, and accessible method” for opting out of having their data collected, the FTC said.
On the controversial subject of data retention, the FTC suggested that any company that collects data for behavioral advertising purposes should provide “reasonable security for that data.”
“Consistent with the data security laws and the FTC’s data security enforcement actions, such protections should be based on the sensitivity of the data, the nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company,” the FTC said.
Acknowledging the concerns of some data retention critics, who worry that the longer data is stored, the more likely it is that the data will be accessed inappropriately by hackers and other cyber-criminals, the FTC said that companies should retain data “only as long as is necessary to fulfill a legitimate business or law enforcement need.”
The FTC also made clear its position that affirmative consent from consumers should be a prominent aspect of behavioral advertising policies.
“As the FTC has made clear in its enforcement and outreach efforts, a company must keep any promises that it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date,” the FTC said. “[B]efore a company can use data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers.”
Affirmative consent also should be obtained from a consumer up-front, before any data collection has been performed with respect to that consumer, the FTC said.
“Companies should only collect sensitive data for behavioral advertising if they obtain affirmative express consent from the consumer to receive such advertising,” the FTC said.
The FTC is seeking public comment on their proposals, including feedback on “what classes of information should be considered sensitive” and “whether using sensitive data for behavioral targeting should not be permitted, rather than subject to consumer choice.”
Comments on the FTC’s behavioral advertising privacy proposal must be submitted to the FTC by Friday, February 22. Comments can be submitted by mail to: Secretary, Federal Trade Commission, Room H-135 (Annex N), 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. Comments also can be submitted via email to BehavioralMarketingPrinciples@ftc.gov
Comments will be posted on the FTC’s behavioral advertising web page for “possible use in the development of self-regulatory programs.”