On February 12 the U.S. Federal Trade Commission (FTC), the most actively aggressive oversight agency in the U.S. with regard to enforcing privacy protections, released new behavioral advertising principles…
“FTC Staff Report: February 2009 Self-Regulatory Principles For Online Behavioral Advertising”
This is a good and interesting read; check it out. See how it aligns with your organization’s marketing activities and plans.
This report fundamentally supports the FTC’s many activities related to protecting consumer privacy and holding organizations responsible not only for providing appropriate safeguards, but also for following their own (legally binding) posted privacy policies.
Giving clear “notice,” a fundamental privacy principle, is indeed an important activity, but one that too many organizations overlook or simply do not invest the time in doing; hence the criticism from a wide variety of privacy oversight groups with regard to self-regulation. Obtaining consent, providing choice, and de-identifying personal information are also important activities.
As stated in the FTC’s press release about the new principles:
“The report notes, however, that regardless of the scope of the principles, companies must still comply with all applicable privacy laws, some of which may impose requirements that are similar to those established by the principles.
The report also provides additional guidance regarding each of the four principles and sets forth revised principles reflecting this guidance. The first principle – transparency and consumer control – remains unchanged from the proposed principles. Accordingly, Web sites are expected to provide clear and prominent notice regarding behavioral advertising, as well as an easily accessible way for consumers to choose whether to have their information collected for such purpose. Noting that privacy policies posted on companies’ Web sites often are long and difficult to understand, the report encourages firms to design creative and effective disclosure mechanisms that are separate from their privacy policies. The report also states that companies that collect information outside the traditional Web site context – for example, through a mobile device or by an Internet Service Provider – should develop disclosure mechanisms that are meaningful and effective for these contexts.
In addition, the report continues to urge companies to provide reasonable security for any data they collect for behavioral advertising and to retain data only as long as it is needed to fulfill a legitimate business or law enforcement need.
Finally, due to the heightened privacy concerns raised by the collection and use of consumers’ sensitive data, the report continues to urge companies to obtain affirmative express consent before collecting such data for behavioral advertising. The report states that FTC staff has traditionally considered financial information, information about children, health information, and Social Security numbers to be sensitive, but encourages stakeholders to develop more specific standards to address this issue.
Today’s report is the next step in an ongoing process to examine online behavioral advertising that involves the FTC, industry, consumer and privacy organizations, and individual consumers. The report notes that significant work in this area remains, and that FTC staff will continue the public dialogue regarding the privacy issues raised by behavioral advertising. In the coming year, staff also will evaluate self-regulatory programs and will conduct investigations, where appropriate, to determine whether practices in this industry violate Section 5 of the FTC Act. The Commission vote to approve the report was 4-0, with separate concurring statements from Commissioners Jon Leibowitz and Pamela Jones Harbour:
“This staff report, while commendable, focuses too narrowly,” Harbour said. “Threats to consumer privacy abound, both online and offline, and behavioral advertising represents just one aspect of a multifaceted privacy conundrum surrounding data collection and use. I would prefer that the Commission take a more comprehensive approach to privacy, and evaluate behavioral advertising within that broader context.”
“Industry needs to do a better job of meaningful, rigorous self-regulation, or it will certainly invite legislation by Congress and a more regulatory approach by our Commission,” Leibowitz said. “Put simply, this could be the last clear chance to show that self-regulation can – and will – effectively protect consumers’ privacy in a dynamic online marketplace.””
So, U.S. businesses had better start proactively protecting personally identifiable information (PII) and following all the recommended privacy principles, such as giving notice, obtaining clear consent, and so on, which are already required by many laws worldwide. Otherwise, not only will you likely get fines and penalties from the FTC, but the government may very well enact tougher and more restrictive privacy legal requirements.
It makes sense that if self-regulation does not work, laws will be put in place to make sure businesses do the right thing with regard to PII privacy protection.