An industry wake-up call

  • Previous
  • 1 of 2
  • View as single page

For several years, websites, ad servers and marketing companies have been tracking the online activity of millions of internet users. These companies compile and analyze this information, and then use it to help advertisers deliver ads to those most likely to be interested in their product or service. Most consumers may not have been aware that their online activities were being monitored and analyzed -- until now.

Consumer and privacy groups are challenging online targeted advertising, usually claiming that websites and advertisers should not be able to track online activity without providing notice to consumers and getting consumers' consent. Privacy advocates are also worried about the possibility that companies will combine anonymous online data with personally identifiable data, which seems increasingly likely as more marketing and database companies merge. 

Currently and generally speaking, the use of targeted advertising online does not violate any privacy laws in the United States, except in the following circumstances: It involves the collection of personal information about children under 13 without parental consent; it violates a site's own privacy promises to its users; or it involves the use of spyware. However, the Federal Trade Commission, state lawmakers and consumer groups are closely watching this issue and are proposing changes to the regulatory landscape. 

History in the making
In late 2007, the FTC hosted a town hall meeting to discuss privacy and online targeted advertising, and one of the FTC commissioners who spoke at the meeting suggested that the parties involved in targeted advertising provide better information about their practices and meaningful choices for consumers and consider using standardized privacy policies and shorter notices. 

A few weeks after the town hall meeting, the FTC issued proposed privacy guidelines for online targeted advertising, and called for comments from consumer and business groups as to the appropriateness and feasibility of the principles. The FTC's guidelines propose that:

  • Every website where data is collected for online targeted advertising should provide a clear, consumer-friendly and prominent statement that data is being collected to provide ads targeted to the consumer and give consumers the ability to choose whether or not to have their information collected for such purpose.

  • Any company that collects or stores consumer data for online targeted advertising should provide reasonable security for that data and should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.

  • Companies should obtain "affirmative express consent" from consumers before using data in a manner materially different from promises the company made when it collected the data (i.e., in its Privacy Policy).

  • Companies should obtain "affirmative express consent" to collect and use "sensitive data" for purposes of targeting advertising. "Sensitive data" is not defined in the proposed principles but would include, at a minimum, information about health conditions, sexual orientation and children's online activities.

Also in 2007, several privacy groups filed a petition with the FTC requesting, among other things, that the FTC consider establishing a "do not track" registry, similar to the federal "do not call" registry that prevents telemarketers from calling those phone numbers on the list.

Most recently, at least two states -- New York and Connecticut -- proposed bills that would establish rules and privacy policies with respect to how third party online advertisers collect and disseminate online activity data of consumers. The bills, New York Assembly Bill 9275 and Connecticut House Bill 5765, would require that consumers be given adequate notice of how third party advertisers operate as well as a clear and conspicuous mechanism on websites for consumers to opt-out of online preference marketing. The bills also would prohibit the merging of anonymous online data with personally identifiable data without prior consent.

Next page >>