Summary: Almost everyone with a website routinely copies and pastes a pre-existing Terms of Use (TOU) and privacy policy, using them as his or her own (with a few choice words and names changed).
Well, that’s a bad idea. The FTC has set forth new guidelines that should be followed. And almost No sites online currently follow those guidelines.
It is not illegal not to follow them but they do make sense–and the FTC is now paying close attention. Here’s why: Online advertising has been largely self-regulated, to the consternation of the FTC. Now they have laid down their expections, with the implied “or else.” Or else the threats of regulation may increase.
I. Introduction.
The staff of the United States Federal Trade Commission (FTC) recently released a report (February 12, 2009) that will directly affect the documents governing the relationship between an online content provider and viewers/consumers-Terms of Use (TOUs), End-User License Agreements (EULAs) and Privacy Policies. The report also suggests implications for the use of private information. Please email us at jcrext@globalcaplaw.com and a copy of the report will be sent to you, or you can find it on the site of the FTC.
The report sets forth principles for self-regulation for the online advertising industry relating to online “behavioral advertising.” (The report defines behavioral advertising, which is set forth below under “Definition”). Technically, it is a supplemental report, but it has the effect of finalizing the December 2007 draft “Self-Regulatory Principles for Online Behavioral Advertising.”
It should be emphasized that these are principles for self-regulation for the online advertising industry. Arguably, this means that they are not binding, and, indeed, the report makes that clear. However (and this is an important caveat), the principles will definitely guide the enforcement actions instituted by the FTC. Moreover, it seems that the FTC is pre-disposed to initiate legislation in this area, which will probably codify much of what is found in these principles. And states often look to such reports for guidance on their legislation on privacy.
In reading the footnotes, another point emerges from the report. The FTC staff appears to believe that those who draft TOUs and privacy policies have not been keeping a close eye on the enforcement actions and decisions that the FTC staff believes to be relevant-and these include decisions that do not involve online matters but do involve clear disclosure for consumers. In fact, the report footnotes include quotes from FTC commissioners that can be summed up as the following rule:
Policies that bury relevant information and choices for consumers in legalese will do so at their peril.
(Please note that the above rule is our language and not that of the FTC or its staff.)
II. So What?
1. Clean up These Documents. Dense legalese will probably not “pass muster” with the FTC. They are keeping a close eye on this area.
2. Consumers’ Choices Must Be Clear. Making the choices for the consumer–and then burying those choices in that dense legalese will not be acceptable. The report notes in particular that “Check boxes” already checked are a problem.
3. Certain Changes to Terms Must Be Affirmatively Accepted. Any material changes or “retroactive” changes (i.e., affecting policies on data already collected) must be affirmatively accepted by the site users. Prospective changes do not (yet) need such approval but it is pretty clear that the staff leans in that direction. This possibly means that the common technique of saying “Use of this site means acceptance of the terms” together with the “warning” that changes can be made at any time will not be acceptable by the FTC.
4. The PII/non-PII Distinction is Diminishing. The US approach has been to try to protect “personally identifiable information” at a higher level than that which is not personally identifiable. This differs from the European model. Now, the FTC is moving towards the European model and this is understandable. The staff understands that PII can often be gleaned from non-PII, which makes the distinction too porous. In particular, the report wishes to increase the protection of data that can identify an individual machine (PC, mobile phone, etc.), while the earlier approach was to preclude identification of an individual user.
5. Self Regulation is a Testbed and is on Probation. The FTC simply sidestepped resolving many issues, leaving it to the “industry” to try various methods. However, one can infer that “industry” has about a year before the FTC moves towards legislation.
III. The Report.
We have not included the entire (50+ page) Report, but we have quoted almost the entire conclusion, which summarizes the final version of the “Principles” of self-regulation. The numbering is directly from the Report:
A. Definition
For purposes of the Principles, online behavioral advertising means the tracking of a consumer’s online activities over time – including the searches the consumer has conducted, the web pages visited, and the content viewed – in order to deliver advertising targeted to the individual consumer’s interests. This definition is not intended to include “first party” advertising, where no data is shared with third parties, or contextual advertising, where an ad is based on a single visit to a web page or single search query.
B. Principles
1. Transparency and Consumer Control
Every website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that (1) data about consumers’ activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers’ interests, and (2) consumers can choose whether or not to have their information collected for such purpose. The website should also provide consumers with a clear, easy-to-use, and accessible method for exercising this option. Where the data collection occurs outside the traditional website context, companies should develop alternative methods of disclosure and consumer choice that meet the standards described above (i.e., clear, prominent, easy-to-use, etc.)
2. Reasonable Security, and Limited Data Retention, for Consumer Data
Any company that collects and/or stores consumer data for behavioral advertising should provide reasonable security for that data. Consistent with data security laws and the FTC’s data security enforcement actions, such protections should be based on the sensitivity of the data, the nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company. Companies should also retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.
3. Affirmative Express Consent for Material Changes to Existing Privacy Promises
As the FTC has made clear in its enforcement and outreach efforts, a company must keep any promises that it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date. Therefore, before a company can use previously collected data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers. This principle would apply in a corporate merger situation to the extent that the merger creates material changes in the way the companies collect, use, and share data.
4. Affirmative Express Consent to (or Prohibition Against) Using Sensitive Data for Behavioral Advertising
Companies should collect sensitive data for behavioral advertising only after they obtain affirmative express consent from the consumer to receive such advertising.
Global Startups 