On December 10 the U.S. Federal Trade Commission (FTC) announced that the FTC commissioners voted unanimously to have principles to govern online behavioral advertising. At the same time they released their proposed principles to guide the development of self-regulation in this area.
The FTC is accepting comments on the proposed principles up until February 22, 2008. All comments received will be posted on the FTC site established for this topic.
The proposed principles will impact the privacy, information security, marketing and IT areas within organizations, so if you are in any of these areas it is worth your time to read through the proposal!
This proposal is important because it highlights that privacy goes beyond safeguarding specific pieces of personally identifiable information (PII). It addresses how tracking individuals’ activities, web site visits and purchasing records can also be an invasion of privacy.
As indicated within the FTC document:
“In examining the practices, the FTC has applied a broad definition of online ‚Äúbehavioral advertising,‚Äù one meant to encompass the various tracking activities engaged in by diverse companies across the Web. Thus, for purposes of this discussion, online ‚Äúbehavioral advertising‚Äù means the tracking of a consumer’s activities online including the searches the consumer has conducted, the web pages visited, and the content viewed in order to deliver advertising targeted to the individual consumer’s interests.”
The FTC document makes three important points about behavioral advertising:
“First, while behavioral advertising provides benefits to consumers in the form of free web content and personalized ads that many consumers value, the practice itself is largely invisible and unknown to consumers. The benefits include, for example, access to newspapers and information from around the world, provided free because it is subsidized by online advertising; tailored ads that facilitate comparison shopping for the specific products that consumers want; and, potentially, a reduction in ads that are irrelevant to consumers‚Äô interests and that may therefore be unwelcome. Although many consumers value these benefits, few appear to understand the role that data collection plays in providing them.
Second, business and consumer groups alike cherish the values of transparency and consumer autonomy, and view them as critical to the development and maintenance of consumer trust in the online marketplace.
Third,regardless of whether one views behavioral advertising as beneficial, benign, or harmful, there are reasonable concerns about the possibility of consumer data collected for this purpose falling into the wrong hands or being used for unanticipated purposes.”
It is critical to point out that most consumers do not understanding the type of information that is being tracked about them when they are visiting web sites and making purchases.
The third point is key; the possibility is great that the collected consumer activity information could be used in ways that are harmful to consumers, or that, taken out of context, will lead to erroneous judgment and interpretation by investigators, law enforcement, government or others.
Organizations now widely use web bugs and cookies, in addition to other technologies, within web applications in support of behavioral advertising. These principles will impact how these technologies can be used, and it is likely organizations will need to make significant application changes to be in compliance with the principles.
These principles will also provide one more reason for organizations to visit their data retention practices and implement processes to completely delete certain consumer and customer records. Even though retention laws exist, most organizations still retain much consumer and customer information “forever.”
At a high level the principles include:
1. Transparency and consumer control
2. Reasonable security, and limited data retention, for consumer data
3. Affirmative express consent for material changes to existing privacy promises
4. Affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising
5. Using tracking data for purposes other than behavioral advertising
Read the details that accompany these proposed principles.
Think about how this will impact organizations.
Think about how this will impact individuals.
Make your concerns known.
If you have suggestions for improvements, get your comments back to the FTC by February 22!
Tags: awareness and training, behavioral advertising, cookies, FTC, FTC Act, Information Security, IT compliance, policies and procedures, privacy, privacy policy, privacy principles, risk management, security awareness, security training, web bugs