Summary: Online advertising has been self-regulated for some time but the FTC has made it clear that it is not happy with the resulting dense legalese of TOU’s and privacy policies. They set forth new guidelines that they expect publishers to use during the next year–at which time the FTC will consider new legislation. (Please note: Various ad industry associations offered their response, which is discussed in the post below at digitaldumonde.wordpress.com/2009/07/23/new-ideas-for-online-data-collection-use-the-industry-responds-to-the-ftc/.)
Although the guidelines are only just that–guidelines–they should “guide” your revisions to your TOU’s and your privacy policy. Here is a quick summary.
I. Introduction.
The staff of the United States Federal Trade Commission (FTC) recently released a report (February 12, 2009) that will directly affect the documents governing the relationship between an online content provider and viewers/consumers: Terms of Use (TOUs), End-User License Agreements (EULAs) and Privacy Policies. The report also suggests implications for the use of private information. Please email us at jcrext@globalcaplaw.com and a copy of the report will be sent to you, or you can find it on the site of the FTC.
The report sets forth principles for self-regulation for the online advertising industry relating to online “behavioral advertising.” (The report defines behavioral advertising, which is set forth below under “Definition”). Technically, it is a supplemental report, but it has the effect of finalizing the December 2007 draft “Self-Regulatory Principles for Online Behavioral Advertising.”
It should be emphasized that these are principles for self-regulation for the online advertising industry. Arguably, this means that they are not binding, and, indeed, the report makes that clear. However (and this is an important caveat), the principles will definitely guide the enforcement actions instituted by the FTC. Moreover, it seems that the FTC is pre-disposed to initiate legislation in this area, which will probably codify much of what is found in these principles. And states often look to such reports for guidance on their legislation on privacy.
In reading the footnotes, another point emerges from the report. The FTC staff appears to believe that those who draft TOUs and privacy policies have not been keeping a close eye on the enforcement actions and decisions that the FTC staff believes to be relevant, and these include decisions that do not involve online matters but do involve clear disclosure for consumers. In fact, the report footnotes include quotes from FTC commissioners that can be summed up as the following rule:
Policies that bury relevant information and choices for consumers in legalese will do so at the peril of the publisher.
(Please note that the above rule is our language and not that of the FTC or its staff.)
II. So What?
1. Clean up These Documents. Dense legalese will probably not “pass muster” with the FTC. They are keeping a close eye on this area.
2. Consumers’ Choices Must Be Clear. Just as dense legalese is for the FTC tantamount to unacceptable (and often illegal) “fine print,” obscuring consumers’ choices is frowned upon. In particular, the report mentions “check boxes” that are already checked–something frowned upon in the report.
3. Certain Changes to Terms Must Be Affirmatively Accepted. Any material changes or “retroactive” changes (i.e., affecting policies on data already collected) must be affirmatively accepted by the site users. Prospective changes do not (yet) need such approval but it is pretty clear that the staff leans in that direction. This possibly means that the common technique of saying “Use of this site means acceptance of the terms” together with the “warning” that changes can be made at any time will not be acceptable to the FTC.
4. The PII/non-PII Distinction is Diminishing. The US approach has been to try to protect “personally identifiable information” at a higher level than that which is not personally identifiable. This differs from the European model. Now, the FTC is moving towards the European model and this is understandable. The staff understands that PII can often be gleaned from non-PII, which makes the distinction too porous. In particular, the report wishes to increase the protection of data that can identify an individual machine (PC, mobile phone, etc.), while the earlier approach was to preclude identification of an individual user.
5. Self Regulation is a Testbed and is on Probation. The FTC simply sidestepped resolving many issues, leaving it to the “industry” to try various methods. However, one can infer that “industry” has about a year before the FTC moves towards legislation.
III. The Report.
We have not included the entire (50+ page) Report, but we have quoted almost the entire conclusion, which summarizes the final version of the “Principles” of self-regulation. The numbering is directly from the Report:
A. Definition
For purposes of the Principles, online behavioral advertising means the tracking of a consumer’s online activities over time – including the searches the consumer has conducted, the web pages visited, and the content viewed – in order to deliver advertising targeted to the individual consumer’s interests. This definition is not intended to include “first party” advertising, where no data is shared with third parties, or contextual advertising, where an ad is based on a single visit to a web page or single search query.
B. Principles
1. Transparency and Consumer Control
Every website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that (1) data about consumers’ activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers’ interests, and (2) consumers can choose whether or not to have their information collected for such purpose. The website should also provide consumers with a clear, easy-to-use, and accessible method for exercising this option. Where the data collection occurs outside the traditional website context, companies should develop alternative methods of disclosure and consumer choice that meet the standards described above (i.e., clear, prominent, easy-to-use, etc.)
2. Reasonable Security, and Limited Data Retention, for Consumer Data
Any company that collects and/or stores consumer data for behavioral advertising should provide reasonable security for that data. Consistent with data security laws and the FTC’s data security enforcement actions, such protections should be based on the sensitivity of the data, the nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company. Companies should also retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.
3. Affirmative Express Consent for Material Changes to Existing Privacy Promises
As the FTC has made clear in its enforcement and outreach efforts, a company must keep any promises that it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date. Therefore, before a company can use previously collected data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers. This principle would apply in a corporate merger situation to the extent that the merger creates material changes in the way the companies collect, use, and share data.
4. Affirmative Express Consent to (or Prohibition Against) Using Sensitive Data for Behavioral Advertising
Companies should collect sensitive data for behavioral advertising only after they obtain affirmative express consent from the consumer to receive such advertising.
Summary: In response to the FTC Staff Report (on which we blogged earlier), online advertising industry associations joined together and came out with their own principles to improve the data collection and use principles of the online experience. In essence, it is a last-ditch effort by the industry to keep its role of self-regulation. You can read the entire report at www.iab.net/behavioral-advertisingprinciples.
The online advertising industry has responded to the February 2009 FTC Staff Report on the topic (which is called “behavioral advertising”). Here is a summary of the main principles in our words (not theirs):
- The Education Principle—an 18-month campaign to educate consumers.
- The Transparency Principle—which mandates clear and easily accessible data collection and use practices and changes to websites.
- The Consumer Control Principle—enhanced options for determining which and how data are collected. It is expected that a “data consent” toolbar will be created for a broad range of online providers (ISPs, browsers, publishers) that will enable consumers to consent to data collection. There will also be steps to “de-identify” the data.
- The Data Security Principle—essentially a data security and retention policy to improve security of the data and limit the period such data are retained.
- The Material Changes Principle—requiring consumer consent to any material changes to privacy and use policies. If successful, this will address one of the principal concerns of the FTC, which is the now-current practice of empowering online providers (e.g., publishers) to change their TOUs, etc., with retroactive application. This is something courts have now found invalid in such online agreements, too.
- The Sensitive Data Principle—addresses concerns for data from sensitive groups—e.g., children—and sensitive data—e.g., health and financial records.
- The Accountability Principle—should be the implementing programs for these principles and disciplinary procedures.
So What?
One thing is clear: the online agreements that govern the use of websites are now in the crosshairs—meaning that those agreements should be revised now. The FTC Staff Report provides pretty good guidance on what to include and what to exclude.
The industry report is something more abstract but it also has some gems that can provide some great innovations for new practices. Among them, the “data consent” toolbar is a good idea.
In addition to that idea, we really like the idea of steps to “de-identify” the data. In fact, we think that this is probably the most important step forward. Those data can be tremendously powerful in that form. That is the fulcrum point—and where fortunes will be made. And some lost, too.
(See some TOUs, etc., we have drafted: www.npbn.com and www.photospin.com for some examples.)
Smart Meters Go Wireless
May, 2009
Summary: T-Mobile USA has hooked up with Echelon, a provider of smart meters, to make those meters wireless. Smart meters are a key to upgrading the power grid and the wireless feature will simplify connection to the utility companies.
Echelon and T-Mobile recently announced that Echelon will embed a wireless SIM into its smart meters. T-Mobile’s value-add is also that the chips will be more durable than current deployments.
The wireless connection will improve the link into the utilities, providing them with real-time information on power usage, as well as problems with their networks.
So What?
This is a “shovel-ready” project to upgrade the grid that also seems to have a knock-on, or multiplier effect, not to mention improving efficiency of the power network. Apparently, the embedding has already begun. Echelon has already delivered some 100,000 of its smart meters in the US (to Duke Energy) and more than 1.6m around the world—though without the wireless connection.
The Knock-on Effect
The knock-on effect suggests that companies can provide data management applications for the utilities. The obvious starting point is the incoming data on power usage and network reliability. However, data miners could work with the utilities to monetize those data—with obvious and very careful attention to privacy matters.
Finally, imagine an app on your smartphone and/or your laptop, telling you your immediate usage. Once the data are available on a wireless basis, then they can be delivered to any number of platforms (taking into account that the data are initially broadcast in cellular radio format).
Google Adds Powerful Data Analytic Tools
April, 2009
Summary: It is true that we will continue to pound on one of our more popular themes–the ever-increasing value of the ever-increasing piles of data from Internet usage. Now comes research on the value of Google Trends, in this case to track changes in consumer preferences as they happen.
File this not under “We told you so” but “We will continue to tell you so.” This is about data–how Internet usage data can be mined, sliced, diced and mashed up for valuable insights. Next, of course, someone will address the (trickier) question of making money from it. (Oh, details, details, details.)
First, a goldmine of a resource. Go to Google Trends (http://www.google.com/trends) to see what search terms people are using (your own name will probably not register, unless you are, oh, Steve Jobs). You can also use more advanced analytic techniques at Google Insights for Research (http://www.google.com/insights/search/#). This is real-time stuff. And, get ready for this: You can download it as a CSV file.
Berkeley professor Hal Varian (also wearing a second hat of Chief Economist at Google) and Google colleague Hyunyoung Choi wrote a paper on predicting the present (clever twist, that) and on their blog, happily quoting Yogi Berra as to predicting the future. (The article can be found at the Google Research blog at http://googleresearch.blogspot.com/2009/04/predicting-present-with-google-trends.html.)
They correlated search term volume with statistics gathered on economic activity by other sources unrelated to search engines. For example, they matched the search for certain real estate terms against home sale volumes (reported from another source). Another example is the search for travel destinations against reported arrivals. True, their model requires a certain amount of “re-jiggering” but not so much as to make the results suspect. Their “modifications” look to be within the norm of statistical analysis. Nonetheless, the results are stunning.
The point is not so much getting data that are exceptionally precise but rather to give relatively accurate directional results and to improve the reliability and precision of subsequent models. For the corporate user, then, the directional results can be compelling because they are certainly accurate enough for strategic purposes. In other words, the predictive power is sufficient to understand probable upturns or downturns within a few percentage points but not so great that you can get an accuracy of, say, three per cent. Hence the use of the word “strategic” above. In addition, it should be emphasized that it looks like the predictive power is very short term.
We are trying an experiment here. Rather than rewrite a post we have made on another of our blogs we have set forth the link below. That blog is for general counsel but the point is applicable to digital matters.
Here is a summary:
An article in The New York Times Magazine on Sunday March 14th on basketball provides an object lesson that you should own whatever data may emerge from any digital initiatives memorialized in a legal agreement.