Legal Bytes : Advertising & Media Lawyer & Attorney : Reed Smith Law Firm : Marketing & Intellectual Property : Legal Bytes Law Blog

Just catching up with continuing efforts to educate the legal community on the implications of digital behavioral advertising and the importance of the industry self-regulatory efforts, as well as the dangers of legislation and regulation arising from insufficient or inaccurate information. In November of last year, Cyberspace Lawyer [Volume 14, Issue 10; November 2009], published "Advertising Industry Collaboration Releases Self-Regulatory Online Behavioral Advertising Principles," written by Joseph I. Rosenbaum.

The article follows the release, by the major advertising industry associations, of Self-Regulatory Principles for Online Behavioral Advertising, and Legal Bytes had numerous blog postings summarizing the individual principles, as well as an overview (see Self-Regulatory Online Behavioral Advertising Principle No. 7: Accountability that will link you to the others; or simply search "social media" in the keyword search box in the navigation column on the left side of the web page). The Cyberspace Lawyer article consolidates and integrates these summaries into a single article that you can read in that issue, or you can download the article here: "Advertising Industry Collaboration Releases Self-Regulatory Online Behavioral Advertising Principles" [PDF].

Joe Rosenbaum, who edits and publishes Legal Bytes, is general counsel of the Interactive Advertising Bureau (IAB), one of the major industry associations that participated in the development and release of the actual principles. Behavioral advertising can be viewed as another aspect of the social media phenomenon sweeping the digital world, and if you want (or need) to know more, you should know that Reed Smith's Advertising Technology & Media Law Group can help with integrated experience and legal skills, both nationally and internationally. Let us know if we can help you.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

This post was written by Stacy Marcus and Joe Rosenbaum.

The buzz over online behavioral advertising in the United States has been building since the 2008 hearings in Congress over deep packet inspection. The first class-action lawsuit targeting behavioral advertising, Valentine v. NebuAd (N.D. Cal., No. 3:08-cv-05113), was filed in November 2008, followed soon thereafter by Simon v. Adzilla (N.D. Cal., No. 3:09-c-00879) in February 2009.

In the first case, NebuAd and six other ISPs were accused of violating the Electronic Communications Privacy Act, the California Computer Crime Law, the California Invasion of Privacy Act, and the Computer Fraud and Abuse Act, by using deep packet inspection technology. Specifically, the NebuAd complaint alleged that customers were unaware their online activity was being monitored for marketing purposes; that either no notice or consent was provided; that any notice that may have been attempted was insufficient or misleading; and that their technology intentionally sought to negate customers’ efforts to remove tracking cookies. For their part, the defendants vigorously deny having violated customers’ privacy rights, noting that they did not collect personally identifiable information, and that the data collected was anonymized to protect the identities of customers.

Since its filing in November 2008, all of the defendants in the NebuAd case have moved to dismiss the action on various grounds, including lack of personal jurisdiction and failure to state a claim. Just a few days ago (Oct. 6, 2009), the court granted the motions in respect of five of the defendants, to dismiss for lack of personal jurisdictions, citing the fact that the ISPs that were not based in California did not provide a sufficient and constitutionally reasonable basis for a California court to assert jurisdiction. However, the ruling leaves NebuAd as the last defendant standing in the action. But wait. There’s more. In May 2009, NebuAd liquidated its assets and went out of business. In fact, on the day the court dismissed the action against the other five defendants, the court also granted NebuAd’s counsel’s motion to withdraw from the case. That said, the court refused the additional request to stay the proceedings against NebuAd until new counsel could be retained. Stay tuned . . . we’ll track this for you!

Now in the second case, Adzilla (whose website is currently “under construction”) and three other defendants were parties to a joint venture that created a technology called the “ZILLAcaster.” According to the press release of Adzilla partner NetLogix, “[t]he ZILLAcaster technology resides within the service provider's network, the closest point to the subscriber, and utilizes network data in combination with contextual and behavioral targeting to make decisions regarding the delivery of the most relevant ad content for network users. Content can be delivered down to individuals without the use of any desktop, software, or adware.” The plaintiffs claim that this ZILLAcaster oversees, inspects, copies, transmits and actually permits the alteration of the user’s Internet communications – all without any notice to the user. Although there is no allegation that any actual ads were served to Simon (the plaintiff) as a result of this ZILLAcaster, the plaintiffs argue that simply tracking them in this manner violates the Electronic Communications Privacy Act, the California Computer Crime Law, the California Invasion of Privacy Act, and the Computer Fraud and Abuse Act through the use of deep packet inspection. Adzilla has denied plaintiffs’ allegations and asserted numerous defenses. 

Less than two months ago (Aug. 18, 2009), Continental Broadband was dismissed from the action, and on Oct. 2, 2009, a filing in the case seeks to voluntarily dismiss Core Communications d/b/a CoreTel as a defendant in the lawsuit. If the filing is granted, only Adzilla and its parent company, Conducive Corporation, will remain as defendants.

So why should you care? Because given the settlement of Facebook’s class action lawsuit over its Beacon technology, these two lawsuits are the only major ones we are aware of that are pending, that concern online behavioral advertising AND that could potentially yield decisions and opinions. Given Congress’ and the FTC’s interest in consumer privacy in general, and online behavioral advertising in particular, a decision in either of these two cases could set the stage for government regulation and policy – confirming with or reactive to these decisions – and may well set precedent for future online behavioral advertising cases in the months and years ahead. While it’s too soon to tell, we will keep you posted as they unfold. As always, you can contact the authors, Stacy Marcus and Joe Rosenbaum, or any Reed Smith attorney with whom you regularly work, for more information or assistance.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Late last week, Rep. Rick Boucher (D-Va.), who chairs the Subcommittee on Communications, Technology and the Internet, released a statement indicating that despite industry collaboration and efforts at self-regulation, his belief is that government regulation remains necessary. Rep. Boucher intends to introduce legislation, regulating online behavioral advertising. His statement notes that the intention would be “to assure Internet users a high degree of privacy protection, including transparency about the collection, use and sharing of information about them and to give them control over that collection, use and sharing,” and that the advertising industry’s self-regulatory principles, “while proactive . . . . do not go far enough.”

In deference to the industry, however, Rep. Boucher’s statement also acknowledges that “online advertising supports much of the commercial content, applications and services that are available to Internet users today without charge,” and mentions that the intention of any legislation is not to disrupt well-established business models. The announcement asserts the legislation will have bipartisan support, and although it notes that actual draft legislation is not yet ready for prime time, it will be targeted primarily at privacy concerns, seeking to establish baseline standards relating to the disclosure, collection and use of consumer information, and safe harbors for advertisers that adhere to certain online practices in connection with these issues. In addition, the Federal Trade Commission will be given the authority to enforce the principles in the legislation and define the specific policies and practices that would allow advertisers to take advantage of the proposed safe harbor protections.

You can read all of Rep. Boucher’s statement right here. Fittingly, there is still time to register for tomorrow’s teleseminar “Are You Behaving Badly”, sponsored by the Advertising Technology & Media law practice at Reed Smith.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In a speech in November 1942, Sir Winston Churchill remarked, “Now this is not the end. It is not even the beginning of the end. But it is, perhaps, the end of the beginning.”

So, if you have been following along with the original announcement and each of the following “principle summaries” posted on Legal Bytes:

• Education
• Transparency
• Consumer Control
• Data Security
• Material Changes
• Sensitive Data
• Accountability

. . . and, if you have read the actual report, then you will appreciate that “Self-Regulatory Principles for Online Behavioral Advertising”, consistent with the Federal Trade Commission’s support of industry self-regulation, are patterned after the highly successful record of the Council of Better Business Bureaus in regulating the traditional advertising industry for more than 30 years. A record that includes industry collaboration, self-regulatory principles and monitoring, and close collaboration with the Federal Trade Commission over the years, as the industry and advertising models evolved.

While one is always careful to ensure that at some point governmental intervention may be necessary to protect consumers from those who abuse the system or violate the law, the question to ask is whether and to what extent new or different regulation is required. That is certainly a question being asked (and being answered) by a coalition of 10 consumer advocacy and privacy groups in its recently released report, “Online Behavioral Tracking and Targeting Concerns and Solutions”, in response to the industry principles. More importantly, one may ask whether a concretized and codified piece of legislation is likely to remain relevant or even defensible in the face of innovation and technology that could not have been predicted five years ago and, I believe, will remain relatively unpredictable in the future.

That said, some aspects of advertising are predictable. Development, display and distribution mechanism will evolve dynamically as technology and innovation continue. Notions of consumer privacy and data protection will continue to evolve and be difficult to harmonize across nations, across cultural and local boundaries, and—because privacy is and has always been context specific—in time and space. What might have been considered private in 16th century France is very different from the concept of privacy that permeates the hearts and minds of citizens of Japan or Brazil today. Indeed, even the role of government in protecting one’s right to privacy and the use of information about oneself, is an ever-changing one. Advertising models and economics will continue to change, with metrics and quantification methodologies being sparred and argued over, recognizing that even the roles of advertisers, agencies, media buyers, and broadcast and publishing networks, as well as ISPs, search engine, browser and web hosting companies—the technology players—are and will continue to change. Wireless and mobile devices will continue to expand the domain of advertising and challenge our ability to capture consumers’ interest on tiny mobile screens, while the opposite is taking place in our living rooms—with the separation of desktop or laptop computing and home television and entertainment centers being increasingly irrelevant (and screens becoming larger). Oh, and did we forget to mention how online gaming and the interplay between gaming console, entertainment and product placement, virtual worlds and display advertising, are all blurring (pardon the pun) right before our eyes?

So if you have ever attempted to change a tire on a moving automobile, you have a vision of what the “industry” is and will look like in the future. Under these circumstances, traditional regulation as we knew it, may not make sense. What might make sense is a more dynamic system of regulation. One that is more flexible, more adaptable and more capable of interacting and reacting to changing circumstances, mechanisms, technology and the environment. Perhaps allowing the industry and the Federal Trade Commission, in conjunction with other agencies already tasked with the mission of protecting consumers within their particular areas of authority (e.g., FDA, FCC, FAA, and the list goes on) to develop self-regulatory enforcement mechanisms, referral mechanisms, and a track record, may be the best way to determine what, where and when regulation may be needed.

In the meantime, you may want to ask yourself if you are misbehaving as an advertiser or marketing professional, and register and listen in to our “Are You Behaving Badly” Teleseminar Sept. 30, which will tackle current issues in global regulation of behavioral advertising.

As always, I and my colleagues in the Advertising Technology & Media law practice at Reed Smith are ready to assist in guiding, advising and providing legal support where and when you need it. We’ve been changing tires for more than a century!

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Reed Smith will host the next brown bag lunch meeting of the Federal Communications Bar Association’s joint Privacy/Data Security and Legislative Committees. The meeting will be held on October 13, 2009 between 12:00 noon – 2:00 p.m. at Reed Smith’s Washington, D.C. offices (1301 K Street, NW, Suite 1100 East Tower). The Committees will discuss the legislative priorities for the 111th Congress with special emphasis on behavioral marketing and data security legislation. The following speakers are confirmed to-date: Amy Levine, Legislative Counsel to Congressman Rich Boucher; and Paul Cancienne, Legislative Aide to Congresswoman Mary Bono Mack. We also have invited staff from the U.S. Senate. Please RSVP to Desiree Logan at dlogan@reedsmith.com to attend.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

This post was written by Adam Snukal and Joseph Rosenbaum.

Well, here it is. A summary of the last of the seven principles contained in the Self-Regulatory Online Behavioral Advertising Principles released by the Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau, in concert with the Council of Better Business Bureaus. The seven principles are:

• Education
• Transparency
• Consumer Control
• Data Security
• Material Changes
• Sensitive Data
• Accountability

The Accountability principle is the one concerned with the “effect,” rather than the “cause” and calls upon the industry to establish and implement programs to monitor its online behavioral advertising activities and take steps to ensure compliance with the principles within a self-regulatory framework. In the context of the self-regulatory principles, Accountability means – monitoring, transparency, reporting and compliance.

• Monitoring: Both random and systematic, depending on the circumstances;
• Transparency: Widely available, easy to use communication tools and channels so that the public, competitors and government agencies can file complaints when the Principles are violated;
• Reporting: Violators will be publicly reported, including the reason for a finding of violation, a description of the violation, and the actions taken in response to, and to correct, the non-compliance; and
• Compliance: The establishment of mechanisms and procedures to bring any publicly-reported entity into compliance with the principles, or, if necessary, to refer the violation to the appropriate government agency.  

The Accountability principle also notes the importance of coordination and consistency among programs to promote efficiencies in implementation, so as to avoid multiple enforcement actions against the same entity for the same violation. 

While the blueprint for the specifics surrounding the proposed monitoring, transparency, reporting and compliance initiatives under this principle are yet to be drawn, the Direct Marketing Association (“DMA”) and National Advertising Review Council of the Council of Better Business Bureaus (“CBBB”), have agreed to cooperate and collaborate, with the stated goal of having something in place by early 2010. Both the DMA and the CBBB were called upon to provide leadership in this area because of their widely respected existing self-regulatory accountability programs. The DMA also has agreed to integrate the principles into its longstanding DMA Self-Regulatory and Compliance Tools.

If you would like to read the entire “Self-Regulatory Principles for Online Behavioral Advertising” report now, in its entirety, just follow the link, but stay tuned for next week, when we will post a short consolidated summary of all seven principles and you can always read the entire “Self-Regulatory Principles for Online Behavioral Advertising” report here. So now, as always, if you have any questions or need help, please feel free to contact Adam Snukal or me, or any of the Reed Smith attorneys with whom you regularly work.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On Wednesday, September 30, 2009, from 12 noon – 1 p.m. (U.S. EDT), Reed Smith will be hosting a teleseminar as part of its “Doing Business Globally” series. Entitled Global Regulation of Behavioral Marketing, this seminar will be presented by Reed Smith partners Douglas J. Wood and Joseph I. Rosenbaum from New York, and Gregor Pryor from London. The seminar will explore the legal implications to advertisers, marketing professionals and brands associated with the labyrinth of global regulation increasingly applicable, or newly enacted, in connection with the targeting of consumers — on and off the web — through behavioral marketing.

Privacy and consumer groups object to such sophisticated techniques, fearful it further erodes what little privacy protection remains. Regulators are concerned such practices may violate privacy and data protection laws, or worse, are simply not covered by existing law and regulation. Marketers respond that such advances allow for a far more efficient, consumer-friendly marketplace, and that self-regulation has been a successful model in the advertising industry for more than 30 years. In this interconnected, networked age of social networking and global communication, understanding the implications and the legal and regulatory landscape is critical for every advertising professional and marketer, and the brands they represent. The camps remain far apart. Advertising industry associations call for self-regulation, recently releasing a report entitled Self-Regulatory Principles for Online Behavioral Advertising. Only about two months later, as previously reported in Legal Bytes, a coalition of 10 consumer advocacy and privacy groups released a fresh call for new regulation in a report referred to as a Legislative Primer, entitled Online Behavioral Tracking and Targeting Concerns and Solutions. The dividing lines remain drawn, tensions remain high, and the balance unclear – perhaps because the technology environment keeps rewriting the rules of engagement. Want to know more? Don’t miss this informative presentation.

Join us for this exciting and timely Reed Smith Teleseminar. You can view the Invitation to obtain more information, or go right to the Registration page. We look forward to your participation. 

• Email This
• Print
• Comments
• Trackbacks (1)
• Share Link

This post was written by Anthony S. Traymore and Joseph I. Rosenbaum.

Almost down to the wire, here is the next installment summarizing the sixth of the seven principles contained in the Self-Regulatory Online Behavioral Advertising Principles released by the Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau, in concert with the Council of Better Business Bureaus. For reference, the seven enumerated principles are:

• Education
• Transparency
• Consumer Control
• Data Security
• Material Changes
• Sensitive Data
• Accountability

The Sensitive Data principle segments sensitive data into two basic categories - personal information of children under the age of 13, and financial and health-related information, regardless of the age of the individual.

The Sensitive Data principle segments sensitive data into two basic categories - personal information of children under the age of 13, and financial and health-related information, regardless of the age of the individual.

With respect to the collection and use of data for online behavioral marketing purposes, if you have actual knowledge that any of the information being collected is from individuals under the age of 13, or if your website is targeted at children under the age of 13, the Sensitive Data principle states you should not be collecting any personal information from or be engaged in any online behavioral advertising with regard to that individual, unless you comply with the Children's Online Privacy Protection Act (COPPA), and then, only to the extent specifically allowed by COPPA.

In case you’ve forgotten, COPPA requires you to have "verifiable parental consent" prior to collecting any personal data from children under the age of 13. The Federal Trade Commission routinely enforces COPPA, and violations may carry fines in excess of $1 million, in addition to the damage to goodwill and public image that can result. Compliance with the provisions of COPPA is tricky. While this post will not belabor the ambiguities that have already been reported about what constitutes "verifiable parental consent", suffice it to say that when dealing with children under the age of 13, it is best to exercise considerable caution in connection with online marketing efforts – behavioral or otherwise – and to always consult an attorney well-versed in guiding you through the compliance maze.

With respect to personal information related to an individual’s financial or health status, age is not relevant to this sixth principle. What is relevant is the requirement that you obtain the consent of the individual if you are collecting the information online and you intend to use it. Prudent practice would indicate you should affirmatively obtain the individual’s consent in advance – whether during the process of registration, through formal acceptance of terms of use that clearly solicit consent, or through any other means. Clearly, if you plan to share this information with third parties in connection with online behavioral marketing efforts, you should indicate that to the individual. In all cases, the principle notes that you should always provide the individual with the right and an option, at any time, to opt-out of the use of his or her information for such purposes.

As mentioned, this is the sixth of the seven principles being highlighted, but if you would like to read the entire “Self-Regulatory Principles for Online Behavioral Advertising” report now, in its entirety, just follow the link. Legal Bytes will be bringing you a summary of the remaining principle next week. And now, as always, if you have any questions or need help, please feel free to contact Anthony S. Traymore or me, or any of the Reed Smith attorneys with whom you regularly work.

• Email This
• Print
• Comments
• Trackbacks (2)
• Share Link

This post was written by Adam Snukal and Joseph Rosenbaum.

As previously reported in Legal Bytes, it seems that not everyone is satisfied with the Self-Regulatory Principles for Online Behavioral Advertising recently promulgated by several leading advertising associations. A group of 10 consumer and privacy advocacy organizations (i.e., Center for Digital Democracy, Consumer Federation of America, Consumers Union, Consumer Watchdog, Electronic Frontier Foundation, Privacy Lives, Privacy Rights Clearinghouse, Privacy Times, U.S. Public Interest Research Group and The World Privacy Forum called on Congress earlier this week to enact legislation in response to what they feel are genuine threats to privacy arising from online behavioral tracking and targeting.

The guiding principles the coalition wants Congress to follow in its enactment of privacy legislation are substantively contained in the following Fair Information Practices (“FIP”), which the coalition claims has been the foundation of U.S. privacy policies for decades: collection limitations, data quality, purpose specification/communication, use limitation, security safeguards, appropriate openness, individual participation and knowledge rights, accountability, and redress. FIP was coined by a U.S. government advisory committee in 1973 in response to the use of automated data systems that contained information about individuals. The U.S. Privacy Act of 1974 established a code of fair information practices, and the FTC refers to these practices in a report entitled, Privacy Online: Fair Information Practices in the Electronic Marketplace (May 2000).

A sample of the principles contained in the coalition’s Legislative Primer, entitled Online Behavioral Tracking and Targeting Concerns and Solutions, includes:

• A definition of “sensitive information,” along with guidelines as to the kinds of data that should not be collected or used for behavioral tracking/targeting
• A prohibition on the collection or use of data from anyone under the age of 18
• The right of an individual to obtain access to his/her personal or behavioral data
• Personal and behavioral data collected must be relevant for the purposes for which they are to be used
• A private right of action given to each individual whose data is collected and tracked, along with liquidated damages and appropriate federal/state regulation and oversight

Given the July release of self-regulatory principles, crafted and widely embraced by the advertising industry, with explicit support for self-regulation from the FTC itself, and three decades of successful self-regulation in the advertising industry (guided by the Council of Better Business Bureaus), it is not clear why a spokesperson for the Privacy Rights Clearinghouse would take the position that “The record is clear: self-regulation doesn’t work. It is time for Congress to step in and codify the principles into law.” Or why a spokesperson for Consumer Watchdog commented: “We’ve seen in industry after industry what happens when the fox is left to guard the chicken coop – consumers lose.”

With Congressman Boucher (D-Va.), Chairman of the Subcommittee on Communications, Technology and the Internet, indicating that his Subcommittee intends to visit this issue in the fall, it is not clear whether Congress will allow the industry and the FTC an opportunity to give self-regulation time to work, or if a perceived need to “do something” and change the status quo remains. One thing has not changed: the positions of the industry and consumer and privacy advocacy groups.

Legal Bytes will keep you posted on developments in this area as they evolve, but if you need help or want further information, feel free to contact Adam Snukal, me, or any of the Reed Smith attorneys with whom you regularly work.

• Email This
• Print
• Comments
• Trackbacks (3)
• Share Link

Here is the fifth in our installments of summarizing the seven principles contained in the Self-Regulatory Online Behavioral Advertising Principles released by the Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau, in concert with the Council of Better Business Bureaus, For reference, the seven enumerated principles are:

• Education
• Transparency
• Consumer Control
• Data Security
• Material Changes
• Sensitive Data
• Accountability

The Material Changes principle requires an organization engaged in behavioral advertising to obtain consent before applying any material changes to its existing online behavioral advertising policies and practices – specifically, to the data collection-and-use policies and practices that apply to data collected prior to the effective date of any material change to these policies and practices.

This principle also makes it clear that a change in policy or practice that would result in less data collection or more restrictive use of the data (i.e., less or more restrictive use of the data than existing usage) is NOT a material change that would require prior consent. This makes sense considering that the purpose of the principle, when coupled with Transparency and Consumer Control, is not to merely give consumers an absolute right to consent or to reject any and all changes, but only those that would broaden, deepen or alter in an expansive or materially different manner, the existing collection-and-use practices of the organization. If a change would result in less data being collected or more constrained use of the data being collected, a consumer would likely be notified of the change, but consent would not be required.

Legal Bytes will be bringing you a summary of the remaining two principles in the next week. And now, as always, if you have any questions or need help, please feel free to contact me or any of the Reed Smith attorneys with whom you regularly work.

• Email This
• Print
• Comments
• Trackbacks (3)
• Share Link

The Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau, in concert with the Council of Better Business Bureaus, recently released its Self-Regulatory Online Behavioral Advertising Principles. When we announced these principles, we also promised to provide you with a bit more detail regarding each of these principles, which are listed below; so here is a brief summary of the fourth – Data Security. For reference, the seven enumerated principles are:

• Education
• Transparency
• Consumer Control
• Data Security
• Material Changes
• Sensitive Data
• Accountability

The Data Security principle requires entities to provide reasonable security for, and limited retention of, data collected and used for online behavioral advertising purposes. Consistent with the FTC standard, entities must maintain appropriate physical, electronic and administrative safeguards based upon the sensitivity of the data. Further, data collected and used may not be retained any longer than necessary to fulfill a legitimate business need (e.g., testing and auditing) or as required by law. In addition, the principle sets forth the steps that service providers (e.g., entities that provide Internet service, toolbars, web browsers or comparable desktop applications) must take in connection with data collection and use, including alteration, anonymization or randomization (e.g., hashing) of personally identifiable information; enhanced notice and disclosure at the time the data is collected; and the protection of the non-identifiable nature of data shared with non-affiliates. Under the Data Security principle, service providers will be held accountable for compliance with these principles in connection with their collection and use of data for online behavioral advertising purposes. Thanks to Stacy Marcus for her analysis.

We can now also report to you that yesterday a coalition of 10 consumer and privacy advocacy groups (i.e., Center for Digital Democracy, Consumer Federation of America, Consumers Union, Consumer Watchdog, Electronic Frontier Foundation, Privacy Lives, Privacy Rights Clearinghouse, Privacy Times, U.S. Public Interest Research Group, and The World Privacy Forum, has released a draft of their own principles, in the form of a Legislative Primer, entitled Online Behavioral Tracking and Targeting Concerns and Solutions. Legal Bytes will have a more detailed report for you on this new development in the next day or two, and in the meantime – or any time – feel free to contact me, Stacy Marcus, or any of the Reed Smith attorneys with whom you regularly work.  

• Email This
• Print
• Comments
• Trackbacks (3)
• Share Link

Last month we promised to provide you with a bit more detail regarding each of the self-regulatory principles that form the basis of the Self-Regulatory Online Behavioral Advertising Principles, announced by the Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau, in concert with the Council of Better Business Bureaus. The principles are intended to provide a framework for industry participants to adopt, implement and adhere to standards of conduct applicable to their online behavioral advertising practices. Seven basic principles are contained in the report, and Legal Bytes is briefly summarizing each one, although we urge you to read the full report. 

We previously reported on the Education and Transparency principles; those links in the outline below will take you to the summaries, or you can read the overview posted when we reported on the initial release of the Self-Regulatory Online Behavioral Advertising Principles.

For reference, here are the seven enumerated principles:

• Education
• Transparency
• Consumer Control
• Data Security
• Material Changes
• Sensitive Data
• Accountability

Today, Keri S. Bruce highlights the Consumer Control principle that relates to the practice recommended by the report of providing consumers with additional control over whether data is collected about them and whether it is shared with others. The principle applies to third parties that collect or use behavioral advertising data and the websites from which the data is collected. The principle also applies to “service providers” (i.e., parties that provide Internet access services, toolbars, Internet browsers or comparable services, and who are engaged in online behavioral advertising). Through notices that are described under the Transparency principle, with respect to third parties and websites, consumers should be able to control the use and collection of their personally identifiable information by opting-out of having data collected or shared with non-affiliate websites. With respect to service providers, because they potentially can, by the nature of the services they provide, gain access to all or substantially all online behavioral data of a particular user when that user is online with or through the service provider, the Consumer Control principle requires industry participants to follow practices that require consumers to opt-in to data collection for online behavioral advertising purposes by the service provider. Further, even after consent is given, service providers must provide a means for the consumer to withdraw her or his consent. 

Thanks to Keri S. Bruce for her analysis. For further information, you can also call me or the Reed Smith attorney you regularly work with. Stay tuned for summaries of the remaining principles.

• Email This
• Print
• Comments
• Trackbacks (4)
• Share Link

Last month, Legal Bytes reported to you that the Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau, in concert with the Council of Better Business Bureaus, released its Self-Regulatory Online Behavioral Advertising Principles. As reported, the major participants in the online advertising industry have proposed to apply these principles to their practices related to online behavioral advertising: “the collection of data from a particular computer or device regarding Web viewing behaviors over time and across non-Affiliate Web sites for the purpose of using such data to predict user preferences or interests to deliver advertising to that computer or device based on the preferences or interests inferred from such Web viewing behaviors.” 

We promised to provide you with a bit more detail regarding each of these principles. We previously reported on Education, and today we summarize Transparency. As we go through each one, we’ll use the outline below to enable you to link to all the prior principles covered in Legal Bytes, while highlighting the one covered today. The seven enumerated principles are:

• Education
• Transparency
• Consumer Control
• Data Security
• Material Changes
• Sensitive Data
• Accountability

The Transparency principle seeks clear and accessible consumer disclosures regarding the type of data collected and how the data will be used to conduct behavioral advertising. Because behavioral advertising is often conducted by third-party advertising networks that lease space on a website, the principle applies to both third-party entities collecting and/or using the data, and the websites from which such data is being collected. Under this principle, these parties would provide “enhanced notice” on the page where data is collected through links embedded in or around advertisements, or on the web page itself. Customers will have the ability to read these notices and use the information to enable themselves to take control over the use of their personal information, choosing whether they would like to permit their information to be used for online behavioral advertising purposes.

Thanks to Amy S. Mushahwar for her analysis. Stay tuned for summaries of each of the remaining principles.

• Email This
• Print
• Comments
• Trackbacks (4)
• Share Link

Last month, Legal Bytes reported to you that the Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau, in concert with the Council of Better Business Bureaus, released its Self-Regulatory Online Behavioral Advertising Principles. As reported, the major participants in the online advertising industry have proposed to apply these principles to their practices related to online behavioral advertising: “the collection of data from a particular computer or device regarding Web viewing behaviors over time and across non-Affiliate Web sites for the purpose of using such data to predict user preferences or interests to deliver advertising to that computer or device based on the preferences or interests inferred from such Web viewing behaviors.” 

Since we promised to provide you with a bit more detail regarding each of these principles, which are listed below, here is our first installment in fulfilling that commitment. The seven enumerated principles are:

• Education
• Transparency
• Consumer Control
• Data Security
• Material Changes
• Sensitive Data
• Accountability

The Education principle requires everyone in the online behavioral environment to participate in meaningful efforts to educate consumers and businesses about behavioral advertising, the purpose of the Self-Regulatory Online Behavioral Advertising Principles, and the potential benefits and consumer choices that are available when these principles are followed, and to explain to consumers the means and implications of exercising their rights and the choices they may have. While the specifics of all of the proposed educational outreach are yet to be established within the framework of the industry groups that have formulated these principles, the one thing that was agreed on as a tangible, quantitative objective is that through industry-developed website(s) and a major online education campaign, the initial educational outreach would be developed to achieve at least 500,000,000 (yes, that’s five hundred million) impressions over the next 18 months. Thanks to Keri Bruce for her input. Stay tuned for highlights of the six other principles.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

A group of the nation's largest media and marketing trade associations today released self-regulatory principles to protect consumer privacy in ad-supported interactive media that will require advertisers and websites to clearly inform consumers about data collection practices, and enable them to exercise control over that information.

In an extraordinary show of industry cooperation and collaboration, the American Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau last week released a series of self-regulatory principles, intended to be implemented by 2010 and designed to protect consumer privacy in advertising-supported interactive media. As part of the announcement, the Council of Better Business Bureaus along with the DMA, has agreed to implement accountability programs relative to these principles.

These self-regulatory guidelines come on the heels of a recently released study commissioned by the IAB entitled “Economic Value of the Advertising-Supported Internet Ecosystem,” which reported that the advertising-supported Internet represents 2.1 percent of the total U.S. gross domestic product (GDP), contributing $300 billion to the economy, and has created 3.1 million U.S. jobs.

“Guided by the seven Principles we have announced today, the advertising community is developing one of the most comprehensive self-regulatory programs ever undertaken by the business community. The fast-changing online marketing environment is best addressed by a self-regulatory framework that is transparent, flexible and accountable to consumers' needs and concerns. On behalf of our 360 members, who collectively invest more than $200 billion annually in marketing communications, we look forward to jointly developing a comprehensive business system that respects and honors these Principles,” said Bob Liodice, President and CEO, (ANA).

“This historic collaboration represents businesses and trade associations working together to advance the public interest,” said Randall Rothenberg, President and CEO, IAB. “Although consumers have registered few if any complaints about Internet privacy, surveys show they are concerned about their privacy. We are acting early and aggressively on their concerns, to reinforce their trust in this vital medium that contributes so significantly to the U.S. economy.”

The seven Principles designed to address consumer concerns about use of personal information without wreaking havoc to advertising that subsidizes and supports the vast array of free online content relate to:

• Education
• Transparency
• Consumer Control
• Data Security
• Material Changes
• Sensitive Data
• Accountability

We will be highlighting each of these principles separately in Legal Bytes over the weeks ahead, but if you would like to read the “Self-Regulatory Principles for Online Behavioral Advertising” report now, in its entirety, just follow the link.

• Email This
• Print
• Comments
• Trackbacks (9)
• Share Link

In a report entitled “Targeted Online Advertising” (La Publicité Ciblée en Ligne), presented in February and recently released publicly, the French data protection regulatory authority (CNIL) has expressed concern that targeted online advertising could be a conduit for the merchandising of personally identifiable information about online users. 

The CNIL has been examining context-sensitive, behavioral marketing and targeted advertising mechanisms online, and is concerned about privacy implications. The report notes that analyzing online user data for the purpose of serving more relevant advertising involves the collection of Internet protocol addresses, what websites a user arrived from or subsequently visited, and even key words entered by the user. In case you haven’t thought about it, definitions are hardly uniform in laws and regulations around the world, i.e., an IP address is considered personal data in the EU, but is not personally identifiable information in the United States. 

The report raises an alarm over what could be a means of “systematic profiling” and examines what it believes are growing risks to privacy in this context. In France, and many jurisdictions, targeted advertising must comply with the same data protection rules that apply to the use of personal data online. The French authorities have consistently maintained that users should be specifically informed about how their data will be used, and should be given the opportunity to opt out of these uses—even if it means they can no longer use the services available on the site.

The report also specifically notes that many free services on the Internet are actually subsidized by advertising. While “free” is an accurate financial description in a literal sense, consumers often don’t appreciate they are actually paying a “price”—the value of personal information provided in exchange for “free” services they receive online. 

While the report does not attempt to cover mobile or wireless advertising broadly, it does note that adding information about a user’s location through GPS and other technology, adds tracking capability that the CNIL fears will allow for even greater intrusion and profiling of individual behavior. You can read the entire CNIL report in French on their website at “La publicité ciblée en ligne” (Targeted Online Advertising).

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Reed Smith acts as counsel to many of the advertising industry’s leading trade and membership associations – The Association of National Advertisers, The Word of Mouth Marketing Association, the Interactive Advertising Bureau, to name only a few. As you may have notices, a recent Legal Bytes blog post noted that just last month the FTC supplemented its December 2007 “Self-Regulatory Principles for Online Behavioral Advertising” report. 

Well the FTC has been busy in re-examining it’s policies regarding testimonials and endorsements in this digital age. As previously reported in Legal Bytes, the FTC indicated it was revising it’s Testimonial and Endorsement Guides (the first time since the 1980s). Well comments have now been submitted and we strongly recommend that anyone in the advertising and marketing business take a look at some of them. In fact, to help you, Legal Bytes has a couple you can look at right now – Comments for The Association of National Advertisers and Comments for The Word of Mouth Marketing Association – and when you finish reading them ask yourself:

• Now that public comments are in, what do we think will happen?
• What is in front of the FTC that might affect its decision making?
• How would self-regulation differ from the way the FTC has been operating?
• What does the new FTC Chairman think about self-regulation?
• Do we expect the new administration to shift direction? If so, which way?
• How is all this likely to affect advertising and marketing using product placements, branded entertainment, blogs, consumer generated content, buzz, viral and word of mouth marketing?

If you need to know, you need to contact John Feldman, Douglas Wood or Joseph Rosenbaum - or your favorite Reed Smith attorney - who will be more than happy to help you.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

FTC Releases Revised Ad Guidelines: Are New Marketing Practices in Your Wallet?

On February 12, 2009, the FTC supplemented its December 2007 “Self-Regulatory Principles for Online Behavioral Advertising” report, highlighting the FTC’s voluntary best practices for the behavioral advertising industry. While continuing to support self-regulation, that should not be taken as a vote of confidence for continuing the status quo. Change is in the air and you may well need to:

• develop more consumer education concerning behavioral advertising;
• develop internal privacy protections for anonymous data profiles;
• create opt-in notice mechanisms for collection of sensitive information; and
• create opt-in notice mechanisms for retroactive changes to privacy practices.

. . . and if you think your privacy policies are ok, as is, think again. The FTC has taken a broad brush to paint a picture of what it considers personally identifiable information (PII) and what ‘sharing’ of that information may require. Our experts Amy S. Mushahwar and John P. Feldman have written an alert that describes what you need to know in more detail. To read the full alert, with links to the FTC releases, click here.

• Email This
• Print
• Comments
• Trackbacks (1)
• Share Link

Last month, we brought you information about outsourcing—a topic making news daily. This month, we bring you smaller news with potentially bigger implications.

In the biblical prophecy of Isaiah, the wolf lives with the lamb, the leopard lies down with the kid and a little child shall lead them. You can draw your own conclusions as to who are lions, lambs and the little child, but a few days ago, the unthinkable occurred. Sun Microsystems and Microsoft reached peace by dropping most claims, cross-claims and the vitriolic debate raging since 1997 when Sun sued Microsoft alleging violations of its Java license terms. With a trail of litigation which includes U.S. and European antitrust regulators, the announcement is nothing short of astounding. Yes, it remains to be seen whether years of mistrust will dissipate and lead to true cooperation, but this is not simply a truce between two rivals. The Wall Street Journal quotes Tony Scott, Chief Technology Officer for General Motors, as saying “What we try to do is educate them on the real pain customers go through when you have multiple incompatible standards and technologies.” Instead of customers being forced to figure out (and pay for) solutions to interoperability and compatibility problems, vendors are now being pressured to do so. Is this the beginning of a trend? Too soon to tell, but this truce is a big deal—Mr. Scott represents a customer!

And now, number 2. Perhaps we have become less concerned about providing information to “friendly sites,” but Yahoo! has introduced a “paid inclusion” product which allows advertisers to guarantee their sites will show up in searches—although payments do not change the order in which results are displayed. Not to be outdone, Google’s new “G-mail” will have context-based advertising derived from—are you ready—a scan of key words in G-mail received by subscribers, which customizes advertising based on information in the e-mail. G-mail a friend about bowling and you may see a pop-up coupon for a local bowling alley. Marketing professionals and advertisers point to the fact that G-mail is an opt-in service and consumers have shown they are willing to give up privacy to obtain greater levels of convenience.

For the record, cookies were invented to allow you to have a shopping cart and accumulate items when going web shopping. Fast-forward past cookies to
spammers, phishing, pop-ups, invisible GIFs, web bugs, intelligent bots and spyware to this latest announcement. Google can now accumulate a detailed
dossier of individual consumer preferences and the contents of e-mails. No one is suggesting Google would abuse such information or that subscribing is not
truly voluntary, but not only do we know what you did last summer, soon we may also be able to tell you what you are planning next summer.

• Email This
• Print
• Comments
• Trackbacks
• Share Link