Computers, Privacy & the Constitution

Online Behavioral Advertising and the Federal Trade Commission

-- By JonathanBonilla - 09 Mar 2009

As seen in O’Harrow’s No Place to Hide, online data aggregation can pose a real problem to consumers. One specific and pervasive form of data aggregation occurs as a result of “online behavioral advertising” (OBA). Essentially, any time a user visits a site, performs a search, purchases a product online, or otherwise submits personal information to a site that participates in such advertising, this information is stored in order to track the user’s “behavior” and tailor future online advertisements to fit the predicted desires of that user.

History and Current Regulatory System

Under the current system of US regulation, OBA is monitored by the Federal Trade Commission (FTC). 15 U.S.C. §45 (a) provides a broad statutory mandate for the FTC to prohibit “deceptive acts or practices in or affecting commerce”[1]. This has been interpreted by the FTC to implicate situations where companies collect or use customer data in a manner contrary to that company’s stated privacy policy, which is punishable as an unfair or deceptive practice. As a result of this interpretation, the FTC assumed jurisdiction in this area and has since been following the development of OBA.

Regulation in this field began in 1998, when the FTC presented to Congress a report containing the “core principles of privacy protection” to guide industry practice [2]. These core principles included notice to consumers regarding what is collected, choice to consumers as to how it will be used, consumer access to the collected data, security of the collected data, and several enforcement mechanisms for the principles. However, this report merely presented possibilities for regulation, and no further action was taken at the time, despite the report’s conclusion that there is “real need for implementing the basic fair information practices.” Further reports were sent to Congress, such as in 2000, when the FTC asked for legislation to support an otherwise self-regulatory scheme for OBA, based on the 1998 report’s core principles [3]. Notwithstanding Congress' failure to enact the requested legislation, the self-regulatory scheme took off, using the newly-created Network Advertising Initiative (NAI) to enforce core FTC principles. NAI represents roughly 90% of the advertising industry [4].

The FTC did not re-examine this issue until 2006, when it began holding hearings to determine future action relating to OBA. A series of updated principles were created and then altered over the next several years, based on input from privacy advocates and advertisers, alike [5]. Throughout this time period, as well, Congress failed to legislate on the issue. NAI now operates using its own series of principles, though they are similar to the FTC's.

Problems and Possible Solutions

One issue with the current system is apparent in the fact that NAI does not represent the entirety of online advertisers. As a result, NAI is powerless to enact sanctions against non-complying entities whom are not members. This was one of the reasons FTC sought congressional legislation in 2000. While it is true that FTC may still take action against those companies that do not follow the provisions of their privacy policies, under the “deceptive practices” mandate, that alone does not go far enough to ensure the privacy of online consumers. For example, a company might not have a privacy policy that clearly illuminates how the data is being used; in such a situation, it would be hard to find the company broke their agreement with the consumer, where the agreement itself was overly vague.

Along those lines, if Congress continues to fail to enact specific legislation for this issue, Congress could at the least expand on the FTC mandate to allow FTC to take direct action. Currently, FTC does not feel it has the statutory authority to issue regulations relating to OBA, which in itself is a problem since it results in FTC trying to find and justify a roundabout solution (self-regulation), instead of attempting direct regulation. Even if Congress did expand the FTC mandate to allow clear regulation, the cited FTC Staff Reports suggest FTC might yet maintain the self-regulatory scheme, based on the industry's insistence that giving up consumer privacy is crucial for keeping web content free.

Another issue with the current FTC guideline-based self-regulatory scheme is that it centers on a contract-theory of the privacy policy of the website being used, where the user is free to view the privacy policy, but need not expressly assent to the terms. The issue with this contract approach is that when using various websites during any given day, it is unlikely the average non-law-educated consumer will take the time to read through and understand each privacy policy of every website, prior to using the website. As a result, it seems much of the benefit of providing such transparency may be lost in the real world.

One possible solution would be to require express assent prior to collecting or using any personal information (FTC guidelines already require express assent for use of “sensitive data”). However, the same problem arises here as did before: much like it is common for users to click-through a EULA without reading it, prior to installing a computer program, it would seem likely that users would also not pay much attention to a large wall of text describing the details of a website’s privacy policy, when all the user wants to do is get to the content of the website as quickly and easily as possible.

In such a situation, where ease of computing is a large factor, it would appear that a statutory solution in limiting the specific uses of certain information would be warranted. Unfortunately, being that Congress has neglected to enact such on multiple occasions, the only remaining option would be a state-by-state approach. Indeed, several states in 2008 already proposed bills relating to the regulation of behavioral advertising. Massachusetts, for instance, was able to pass their version, though it primarily deals with safeguarding personal information once it has been obtained by the advertisers [6].

As OBA is becoming more widespread, these developments are noteworthy to all online consumers.

(Word Count: 997)

[1] http://www4.law.cornell.edu/uscode/15/45.html

[2] http://www.ftc.gov/reports/privacy3/priv-23a.pdf

[3] http://www.ftc.gov/os/2000/07/onlineprofiling.pdf

[4] http://www.networkadvertising.org/index.asp

[5] http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf

[6] 201 CMR 17.00


# * Set ALLOWTOPICVIEW = TWikiAdminGroup, JonathanBonilla

Navigation

Webs Webs

r4 - 25 Mar 2009 - 23:22:24 - JonathanBonilla
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM