Skip to main content

How to Respond to Recent Developments in Consumer Information Regulation

March 23, 2011

Earlier this year, a Client Bulletin was published alerting companies that engage in online commerce to the growing threat from recent class action lawsuits over the use of targeted advertisements on the Web. In addition to the ongoing private litigation, this week there was new action in Congress on the issue. If your company engages in internet commerce, you should be aware of these latest developments.

On Wednesday, March 16, the Federal Trade Commission appeared before the Senate Commerce Committee to recommend more stringent procedures protecting against unauthorized data mining of consumer information to support behavioral advertising. At the same hearing, the Obama administration called for new legislation regulating behavioral advertising, including an internet users’ “bill of rights.” Senator John Kerry has already circulated proposed legislation drafted with Senator John McCain that would enact a common “code of conduct” of companies collecting user data, including mechanisms for users to stop collection of their data. This is in addition to internet privacy bills introduced into Congress last month by Representatives Jackie Speier and Bobby Rush.

In its Senate testimony and staff report, the FTC recommended a universal “Do Not Track” browser setting, which would allow users to easily and effectively avoid tracking of their Web activity. In its testimony, the FTC stated that it was encouraged by recent industry efforts to self-regulate behavioral advertising, but that such efforts may not be enough to prevent new legislation.

The Commission highlighted the recent efforts of browser vendors Microsoft and Mozilla to provide their users with greater transparency and control of behavioral advertising practices as promising examples of self-regulation. The FTC also noted with approval the self-regulatory guidelines and behavioral advertising opt-out mechanism developed by industry coalition Digital Advertising Alliance.

The FTC also signaled that it will be vigilant about industry failures to protect privacy, announcing its first behavioral advertising case, filed against a network advertiser for its use of a deceptive opt-out mechanism. As part of the settlement, the FTC mandated that Chitika link an effective opt-out mechanism in all of its advertisements going forward. This requirement of a hyperlink embedded in online advertisements is a good indicator of the type of Do Not Track mechanism that will be acceptable to the FTC if “Do Not Track” becomes mandatory.

If you engage in internet commerce, you should determine whether your company or any of your vendors host or support targeted advertising. It is also imperative that you determine whether such advertising potentially will touch anyone in the European Union. The European Union is even further along than the U.S. in enacting stringent regulations for purveyors of online ads, which will require explicit consent from consumers before their personal information can be accessed and tracked.

If your company is engaged in online advertising, or does business with any company that utilizes online advertising, you should develop a comprehensive behavioral advertising strategy. You should perform an initial audit which identifies: (1) all mechanisms by which your company collects and stores consumer information, including the use of cookies or Flash cookies; (2) all notices and policies posted to the public concerning your company’s collection of consumer information and use of behavioral advertising; and (3) all mechanisms by which users can consent to and/or control the collection and use of their information. Once this information is collected and your company has a thorough understanding of all aspects of its advertising practices, a comprehensive strategy can be crafted to ensure that your company is in compliance with: (1) all federal and state laws and regulations; (2) all relevant industry standards; and (3) all relevant European laws and standards. We recommend that companies develop a user-choice “opt-out” mechanism that is: (1) transparent (easy to find, understand and implement); (2) universal (allowing consumers to opt out of all tracking with one activation); and (3) persistent (settings will not be cleared when cookies are deleted or browsers are upgraded).

In addition to staying abreast of the government’s latest activity, we recommend that any company engaged in Internet commerce continue to monitor the ongoing (and growing) private litigation activity. As we described in our last Client Bulletin on the subject, plaintiff’s attorneys have seized upon existing laws such as the Computer Fraud and Abuse Act and similar state laws to target companies’ use of behavioral advertising. These lawsuits even ensnare companies that do not conduct their own online advertising but rely on third parties to do so. For that reason, it is important that companies identify which of its third party partners and vendors engage in behavioral advertising (and any mechanisms by which those companies collect user information), and perform an audit of all agreements with such third parties to ensure that the agreements mandate compliance with all applicable laws and standards and provide sufficient indemnity and insurance for violations thereof.

The hiring of a lawyer is an important decision that should not be based solely on advertisements. Prior results do not guarantee a similar outcome.