FTC Guidelines: Drilling The Details
Overall, the "Self-Regulatory Principles for Online Behavioral Advertising" reiterates most of the principles and guidance issued last year. The FTC continues to stress four main principles of "Transparency and Consumer Control," "Reasonable Security," "Affirmative Express Consent for Material Changes" and "Affirmative Express Consent for to Using Sensitive Data for Behavioral Advertising." In the actual "Principles" section of the 48-page report, only a handful of sentences have been added or changed, although the bulk of the report does establish how the FTC officers processed over 60 responses to the original guidelines from industry and privacy advocates.
For instance, the most obvious revision involves an exception for first-party data collectors and contextual advertising. For the purposes of the guidelines, the FTC defines behavioral advertising as "the tracking of a consumer's online activities over time - including the searches the consumer has conducted, the web pages visited, and the content viewed - in order to deliver advertising targeted to the individual consumer's interests." The revision goes on to say, "This definition is not intended to include 'first party' advertising, where no data is shared with third parties, or contextual advertising, where an ad is based on a single visit to a web page or single search query." Earlier in the report, the FTC explains that "first party" behavioral advertising, in which single-site data are used for recommendations or personalization, "are more likely to be consistent with consumer expectations and less likely to lead to consumer harm." Similarly, they exclude contextual advertising from the basic definition of BT because it "provides greater transparency than other forms of behavioral advertising, is more likely to be consistent with consumer expectations, and presents minimal privacy intrusions when weighted against the potential benefits to consumers." The FTC does not leave quite as clear, however, how much first party and contextual approaches are excluded from other aspects of the guidelines governing personally identifiable and sensitive information -- let alone the amount of disclosure and opt-in/opt-out the FTC expects from publishers.
Speaking for the Online Publishers Association, President Pam Horan issued a statement that the OPA "was pleased" with this new exclusion of first party and contextual advertising from the definition. In a note to us, Collective Media's CEO Joe Apprendi agrees that the revised scope of the BT definition helps clarify things. But he also warns publisher against taking this part of the report as a pass. "The distinction between 1st party vs. 3rd party behavioral marketing on the surface may seem to give online publishers more freedom relative to their behavioral marketing practices vs. ad agencies, advertisers and ad networks per se, but in reading further, it seems clear that the FTC expects all parties to apply the same standards relative to disclosure, sensitive data and consumer choice."
Murkier still will be the core definition of PII (personally identifiable information). The FTC believes that PII is data "that could reasonable be associated with a particular consumer or computer or other device, regardless of whether the data is 'personally identifiable' in the traditional sense." In the long run, the most challenging part of the revised guidelines for the industry may not come in the official principles themselves so much as in the evolving thinking at the FTC about PII. The Commission officers indicate throughout the document that changing technologies "have made the line between personally identifiable and non-personally identifiable information increasingly unclear."
In an otherwise critical assessment of the FTC's report, Jeff Chester, Executive Director, Center for Digital Democracy, finds a positive note in his reading of the FTC's ruminations on PII. "The FTC has finally recognized that given today's contemporary marketing practices, the distinction between so-called personally identifiable information and non-PII is no longer relevant." No doubt there will be room for interpreting what the FTC means by an "unclear" distinction between PII and non-PII, let alone how to determine when someone's data can "reasonable be associated with a particular consumer or computer or other device." The last part of the FTC's phrasing seems to include IP addresses on desktop and mobile Internet connections. At the Future of Privacy Forum, Jules Polonetsky abstracts the FTC's revisions in an interesting way. He said in a blog post yesterday "The Commission has sent a clear message that a low bar of 'do no harm' isn't acceptable for online privacy and that transparency and user control are essential features for any company using data in a robust way."
Exactly what the FTC means by some of these revisions may become more apparent in the next year. Perhaps the most significant detail in the new report comes on the last page. The Commission promises that in the next year it will "evaluate the development of self-regulatory programs and the extent to which they serve the essential goals set out in the Principles" and conduct investigations of some practices. They will be watching the industry's own behavior.