In our last blog entry on Behavioral Advertising, we asked you to watch this space, noting new Congressional concern over whether the FTC’s self-regulation Principles alone will be sufficient to protect consumers. In that piece, we reviewed in passing the latest effort by one industry group to convince legislators and regulators that more attention is not always better, the IAB’s “Self-Regulatory Principles for Online Behavioral Advertising”. Since then, while others have come forward attempting to interpret the IAB’s Guidelines in a more user-friendly way, we have not seen a comparison of the IAB’s Guidelines and the NAI’s revisions to its Code late last year, either to each other or to the FTC’s Principles.
The first question that comes to mind is “why would anyone do so?” and we have either three sound reasons, or at least three reasons that sound good. First, there’s no guarantee anything new will emerge from either Congress or the FTC without another “DPI” scare or unauthorized data breach fiasco to spur them along, leaving the two industry regimes as the only “guidance” companies have other than the Principles (and what the Commission may occasionally say the Principles relate to). Second, even if something new does emerge, good money is on the option where the FTC or Congress craft something that operates on top of self-regulatory programs rather than replacing them, making any differences between the Principles and those programs more important. Finally, some moves last week by a coalition of consumer privacy organizations may have upped the ante a bit. Because they offer detailed suggestions to address holes they see in the industry regimes, and urge Congress to plug these holes (and more), it becomes more important to know whether holes really exist, and how big they might be.
As space is limited, we’ll tackle a review of the privacy organizations’ proposals in a companion piece, and focus here on the industry guidelines and the FTC’s Principles. This task is challenging enough given the size of the guidelines, inconsistent commentary or explanations, and the tendency of their drafters to use different terms, define the same terms differently, and consequently make life a bit more difficult for anyone attempting to do what we’re doing for you.
THE FTC’s PRINCIPLES: A REVIEW AT LIGHT SPEED
The Principles track the FTC’s approach in deceptive statements and data security protections: it’s all about the data and the disclosures. Data is big in the Principles, defined as information that supports BA and can be linked to a person or computer, regardless of whether it’s “PII”, “Non-PII”, or for that matter “Brent-Spiner Data”. At the same time, practices commonly used by companies consistent with consumers’ expectations, or raising fewer privacy concerns, are exempt. First parties (i.e., websites consumers directly interact with) are exempt unless they sell or share data with others, or participate in BA networks. Contextual Advertising (targeting ads based on a single session) is exempt, as long as session data isn’t combined with a user’s previous browsing history, or kept around for future use. Disclosures should be “clear, concise, consumer-friendly, and prominent”, but can live inside a site privacy policy (whether visited frequently, sporadically or with the regularity of passes from Halley’s Comet). Choices can be either opt-in or opt-out, unless data raises “heightened privacy concerns” (material changes to how companies use already collected data, and use of sensitive information, require prior opt-in). Whether data is sensitive depends on context, but “financial data, data about children, health information, precise geographic location information, and Social Security numbers” are pretty good examples. Lastly, data should be protected, and retained only as long as the business “needs” it.
THE NAI’s CODE: WHAT YOU NEED TO KNOW IN 10 SENTENCES
NAI’s Code addresses a “traditional” advertising network model (cookies and tracking browsing habits at thousands of sites), and ignores other practices. It defines BA differently - OBA (Online BA) is only done by third parties, and a practice isn’t OBA unless data is put into consumer interest segments - collection and use of data outside those segments isn’t OBA at all. First parties get a complete free pass, even if they sell or share data, and participate in ad networks. Different practices are exempt, including “Ad Delivery & Reporting” (ADR). ADR can occur across thousands of web sites just like OBA, and continue even after a user opts out of OBA, but ADR isn’t really OBA because data isn’t put into “consumer interest segments,” and besides, it’s less important data anyway. PII and Non-PII data each get their own provisions for notice, protection, choice, and ostensibly separate dressing rooms (although “merging” the two is a sensitive subject in the Code). PII is anything protected by law, or that can precisely locate or identify a person, but not her computer, which remains only Non-PII. The Code protects PII as zealously as a chaperone at a tween dance, but acts as though Non-PII is already heading down the path of spinsterhood and not worth the effort. The Code defines Notice and Robust Notice, but neither is required near where information is collected. Consumers are given different choices depending on the data and how it’s used: opt-out for use of Non-PII for OBA, and for merging PII with Non-PII companies haven’t collected yet but really want to; opt-in before companies use sensitive data, or merge PII with Non-PII they already have. For compliance, the Code provides some detail on how NAI will internally resolve issues with members, but has limits for consumers who submit complaints, or wish to track the status of what they submit.
IAB’s GUIDELINES: BIGGER, BETTER, BUT WILL IT BE ENOUGH?
The Guidelines add “service providers” (ISPs, Browser Toolbar-makers & Application Builders) to the list of parties, but exempt both contextual advertising and ADR. The result? More clarity on who is covered, but less on what they can and can’t do. Disclosures depend on which party is performing which activity - generally everyone except first parties provides “clear, meaningful, and prominent notice” from their own websites and a way consumers can opt out of collection, use, and transfer. First parties only have to provide a link to disclosure notices in privacy policies, from the bottom of pages where data is collected or used. Third parties provide “enhanced notice” by linking to disclosures in or around an ad, or at the bottom of the page, but only if first parties let them. Only third parties and service providers offer choice - third parties offer an opt-out, and service providers have to get an opt-in. Like the NAI, everyone has to get prior consent before merging PII with already-collected Non-PII. The Guidelines address data security slightly differently (same result), but keep to the theme that service providers have to do more (requiring them to hash their data, so others can’t tell who it refers to). First parties are still relatively free to share or sell data with third parties or service providers, although those groups have to get consent before they further share or sell data to anyone else. Compliance mechanisms are a work in progress, but include a rough scheme that keeps referrals to “appropriate government agencies” as the hammer waiting to be dropped.
SO WHAT ARE THE DIFFERENCES ALREADY?
1. Data: What’s in a name? Unlike the Principles, the Code and Guidelines treat PII and Non-PII data differently. While protections for PII are generally equal to or better than those in the Principles, Non-PII data is largely the red-headed stepchild of both. The NAI and IAB insist PII only relates to specific people, and not specific computers, so many practices that use data to target computers or mobile phones fall through the cracks, which is one of the main reasons the FTC decided in the first place not to make such a distinction.
2. Consent - who, me? The Principles require “affirmative express consent” (AEC) before companies can do several things, the Code requires a user to “expressly consent” through “some affirmative action”, and the IAB says “Consent”. The Principles require AEC before material changes to privacy policies that affect previously-collected data. ‘Fine’, respond the Code and Guidelines, but a change is only material if it involves merging PII with previously-collected Non-PII. Neither suggests that other changes to privacy policies, like the selling or sharing of data with new parties, are material and trigger heightened consent.
3. First parties are not all created equal. The Principles allow first parties to continue practices within their families of websites as long as they don’t sell or share data with third parties or participate in BA ad networks. Not so for either the Code or the Guidelines. Under both, unless a first party itself starts practicing BA, by collecting data across foreign sites (not those within a family) and placing ads, it’s still exempt and free to sell / share data and participate in networks.
4. Whaddya mean I can’t use this data? The Principles only exempt contextual advertising which uses data from a single session, and doesn’t keep anything afterwards. Both the IAB and NAI also largely exempt historical data that comes from webserver log files, saying this information is needed to perform metrics and show whether users are clicking on ads. Although the FTC staff would probably agree on that point, they probably wouldn’t say you can still use this data to target ads to computers or phones after a user has opted out. The IAB and NAI, though, seem to think that since data is being collected anyway in webserver log files, and it’s going to be used anyway for other purposes, companies should be able to use it to target ads as long as they don’t go overboard.
For those who prefer a visual, see the attached chart for these differences spelled out in a different format. And, stay tuned to this space for further developments in the evolving great BA debate.