Practical Wisdom. Trusted Advice.

HomeAttorneys & Other ProfessionalsPracticesCareersDiversityNewsAbout

News & Events

Locke Lord QuickStudy: Scope Broadens for Regulation of Online Data Collection for Behavioral Advertising

12/13/2011

Click here for pdf

Scope Broadens for Regulation of Online Data Collection for Behavioral Advertising

The Digital Advertising Alliance (“DAA”) has recently announced an expansion of its self-regulatory principles for online behavioral advertising (“OBA”) to include Principles for Multi-Site Data (the “Multi-Site Principles”). The Multi-Site Principles might apply to your company if (1) your company (or its service providers) tracks consumer behavior and collects personal information on the Internet, or (2) your company’s contracts and/or website terms of use permit or restrict the tracking of Internet user behavior and the collection of personal information across the Internet.

The DAA is a consortium of the Interactive Advertising Bureau, the Association of National Advertisers and other advertising groups that seeks to develop self-regulatory solutions to consumer choice in OBA. Until the Federal Trade Commission (“FTC”) or Congress takes more specific action, the DAA principles can be signposts to best practices and compliance models for evolving legal requirements affecting the collection and use of data for behavioral advertising.

Although the FTC has relatively recently issued new privacy guidelines for how companies should protect consumers’ privacy, those guidelines do not provide specific insight on Multi-Site Data Collection as do the Multi-Site Principles. Some highlights of the Multi-Site Principles and related considerations are summarized below to help you determine whether and how these new principles may affect your business.

What is Multi-Site Data?
The Multi-Site Principles define Multi-Site Data as “data collected from a particular computer or device regarding Web viewing over time and across non-Affiliate Web sites.” The collection, use or transfer of Multi-Site Data is prohibited (except by permission) for purposes such as:

  • determining eligibility for employment, credit, or health care treatment; and
  • determining adverse terms and conditions or ineligibility for insurance, including, but not limited to, health insurance.

The term “non-Affiliate Web Sites” is not defined. Presumably, this term may refer to the common Internet understanding of Affiliate Marketing, meaning the practice of paying another website upon its referral of prospective customers to your e-commerce website.

How is Multi-Site Data used?
As an illustration, suppose an individual logs on to a website to check fares and flight schedules to New York. When the individual next moves to another website to check on the schedule for the Washington Nationals’ baseball games in DC, he may be shown an ad for airfare from New York to Washington, ads for New York Yankees’ games, or even ads for local hotels or rental cars. These seemingly instantaneous connections between the individual’s subjective task and what is perceived to be the individual’s logical needs in relation to that task are most likely the result of Multi-Site Data collection.

Overview of the Multi-Site Principles
To be implemented in 2012, the Multi-Site Principles purport to augment the existing Self-Regulatory Principles for Online Behavioral Advertising (the “OBA Principles”) adopted by the DAA by covering the prospective collection of website data beyond that collected for OBA. While the seven OBA Principles apply specifically to data collected for behavioral advertising purposes, the new Multi-Site Principles encompass all collection, use and disclosure of data – regardless of purpose – from a particular computer or device pertaining to Web viewing over time and across non-Affiliate Web sites.

In a nutshell, the Multi-Site Principles set out to accomplish two non-OBA-related goals: (i) limiting the purposes for which data is collected without providing consumers with transparency and control; and (ii) restricting the use of any data that is collected.

Limitations on Purpose
According to the Multi-Site Principles, a collector of Multi-Site Data should provide consumers with transparency and control unless the data:

  • is collected for operations and system management purposes, such as IP protection, consumer safety, fraud prevention or the like;
  • is collected for market research or product development purposes; or
  • will go through a de-identification process within a reasonable time from collection.

Limitations on Use
Except with permission, the new Multi-Site Principles prohibit the collection, storage, transfer or use of Multi-Site Data:

  • for purposes of determining eligibility for employment, credit, health care treatment or insurance; or
  • which contains “sensitive data” such as financial account numbers, Social Security numbers, pharmaceutical prescriptions and medical records that are not made anonymous as set forth in HIPAA, or personal information from children under age 13 that is not covered by COPPA.

FTC Criticism of the OBA Principles
The FTC has criticized the OBA Principles for various shortcomings, including the fact that the opt-out mechanism did not sufficiently allow consumers to block ads based on their browsing habits, did not allow consumers to stop data collection or the placement of cookies on their computers, and that they only allowed consumers to opt-out of receiving targeted advertising and to manage their behavioral advertising interest categories.

The FTC further complained that consumers using the DAA’s opt-out mechanism may mistakenly believe that they are altogether opting out of being tracked and not just opting out of receiving targeted advertising. Presumably in response to critiques such as the FTC’s, the DAA developed the new Multi-Site Principles to allow consumers to block additional types of Internet data collection, beyond OBA.

Implications
Until the FTC adopts guidelines for collecting Multi-Site Data, companies may wish to consider using consumer opt-out mechanisms like the Do Not Track (“DNT”) feature available in Safari, Internet Explorer and Firefox. DNT is controlled by a simple checkbox in the browser’s interface and, when activated, sends a special value along with every Web request in order to inform websites that the user does not wish to be tracked.

The DAA says it believes that self-regulatory programs cannot replace proper legislation and points out that multiple bills have been introduced in the U.S. Congress that deal with data protection, online privacy, consumer choice and commercial accountability. Nonetheless, the Multi-Site Principles are a good starting point for drafting agreements and adopting procedures for reducing liability and avoiding class action litigation until the FTC adopts more specific guidelines, or Congress adopts more specific legislation, to add a little bite to the bark.

For more information on the matters discussed in this Locke Lord QuickStudy, please contact the authors:

Paul C. Van Slyke | T: 713-226-1406 | pvanslyke@lockelord.com
Gregory T. Casamento | T: 212-812-8325 | gcasamento@lockelord.com
Cole Mackey | T: 713-226-1142 | cmackey@lockelord.com
 
 

Search |Extranets |Site Map |Offices |Disclaimer & Trademark Notice |Privacy |Contact | Attorney Advertising | © 2012 Locke Lord LLP