Volume 19 Issue 3 (Fall 2015)
By Richard B. Caplan
In 1984, Rockwell released his first and ultimately biggest hit: “Somebody’s Watching Me.” It begins: “I’m just an average man, with an average life / I work from nine to five; hey hell, I pay the price / All I want is to be left alone in my average home.” He later asks: “Can the people on TV see me / Or am I just paranoid?” One can only imagine how Rockwell would have felt if the Internet had been in full swing when he sang about his fears.
Our behavior on the Internet is of great interest to many different people, including advertisers. They want to know what sites we visit, in part to provide us with targeted ads; this type of advertising is referred to as online behavioral advertising (“OBA”). Laws regulating what types of data about online behavior may be collected, shared, and otherwise used, and how, differ greatly from country to country. One simple but major issue on which jurisdictions differ is the mechanism of “notice and consent,” that is, providing consumers with notice regarding the collection and use of data about them and obtaining consumer consent to do so.
The two primary issues regarding consumer notice and consent are (1) whether the consumer must grant affirmative consent or whether consent can be implied from certain consumer actions and (2) whether affirmative consent must be obtained via opt-in methods rather than opt-out. (Opt-in methodologies require the consumer to take specific action to consent, such as checking a box to agree to have their online behavior tracked; whereas with an opt-out methodology, consent is the default, and the consumer must take action to choose to withdraw or refuse consent.) Laws regarding consumer notice and consent vary both between jurisdictions and within the same jurisdiction (for example, law regulating OBA may have different requirements than law in the same country regulating online health data). While many countries either require by law or strongly encourage the opt-in approach, such as Canada and the European Union, for most purposes, the United States allows the opt-out approach.
In the United States, many businesses and associations hope to avoid passage of legal requirements by self-regulating their activities in an attempt to show that such legal restrictions are not necessary. Among them are the American Association of Advertising Agencies, Association of National Advertisers, Direct Marketing Association, and the Interactive Advertising Bureau, supported in their efforts by the Council of Better Business Bureaus.
As part of that effort, in July 2009, these players issued a document titled Self-Regulatory Principles for Online Behavioral Advertising (commonly referred to as “the Principles”). The Principles are indebted to and inspired by recommendations made earlier in 2009 by Federal Trade Commission staff and track the FTC recommendations nearly identically. Online behavioral advertising is defined in the document to include the practice of collecting “data from a particular computer or device regarding web viewing behaviors over time and across non-Affiliate websites for the purpose of using such data to predict user preferences or interests to deliver advertising to that computer or device based on the preferences or interests inferred from such web viewing behaviors.” The document also clarifies what OBA does not include: the collection of viewing behavior solely for a website’s own use, contextual advertising, Ad Reporting (defined as “the logging of page views on a web site(s) or the collection or use of other information about a browser, operating system, domain name, date and time of the viewing”), and Ad Delivery (defined as “the delivery of online advertisements or advertising-related services using Ad Reporting data”).
Seven principles outlined in the document commit to doing each of the following with respect to OBA: (1) educating the public; (2) being transparent; (3) offering consumers notice and choice; (4) providing data security; (5) obtaining consumer consent before any material change to a company’s policy; (6) managing sensitive data; and (7) being accountable. The accountability principle “calls for programs to have mechanisms by which they can police entities engaged in online behavioral advertising and help bring these entities into compliance. Programs will also publicly report instances of uncorrected violations to the appropriate government agencies.”
The Principles apply to three major types of entities: First Parties, such as website publishers/operators; Third Parties, such as advertising networks and data companies; and Service Providers, such as any Internet access provider or other service that enables the provider to have access to all or substantially all URLs accessed by its users.
Enhanced Consumer Notice and Consent
Under the Principles, Third Parties should give notice on their own websites that describes their OBA data collection and use practices, as well as provide notice elsewhere, such as in or around an advertisement on the web page where the data is being collected. Third Parties are required to give website users the ability to choose whether data is collected and used.
Service Providers should also provide notice about OBA occurring as a result of their services and should not collect and use data for OBA without first informing the user and receiving consent; consent is defined as “an individual’s action in response to a clear, meaningful and prominent notice.”
Furthermore, website publishers should provide visitors with notice when Third Parties collecting information fail to provide notice.
Enforcement of the Principles
Several years after publication of the Principles, the Online Interest-Based Advertising Accountability Program (“OIBAAP”), which helps enforce the Principles, realized that the responsibility for providing enhanced notice was misunderstood by a significant minority of otherwise compliant websites and issued a Compliance Warning in 2013. OIBAAP was concerned that if enhanced notice was not provided, consumers, like Rockwell, would have a “creepy feeling” that they were “silently being followed around the Internet.” The warning put website owners on notice that more vigorous enforcement of the enhanced notice provisions would begin on January 1, 2014.
Following up on the warning, earlier this year, OIBAAP conducted a formal review of and issued decisions regarding four popular websites: Etsy, Imgur, TWiT, and 247 Sports. All four had similarly failed to include the required enhanced notice on all pages where data collection was taking place. Their notice practices differed as well. For example, Etsy did include a disclosure of third-party data collection for Internet-based advertising, while TWiT did not. All four companies changed their practices in response to the OIBAAP review, and all four decisions conclude by noting, “practices voluntarily corrected.” Including these four, the OIBAAP has now issued forty-six accountability program decisions.
Principles for the Mobile Environment
Meanwhile, the mobile advertising industry is booming, with 65% growth in 2014 to become a $31.9 billion industry. While the Principles do apply to apps, because apps are not browser-based, it may not be possible to actually comply with the Principles on the mobile web in the same way as on a desktop computer. Therefore, a different opt-out mechanism needs to be in place. To address this, enforcement of OIBAAP’s Application of Self-Regulatory Principles to the Mobile Environment (commonly referred to simply as the “Mobile Guidance”), released in July 2013, began on September 1, 2015. Eventually, the guidance for OBA and mobile behavioral advertising will be unified into a uniform set of principles. But until then, anyone involved in advertising in the mobile space should be familiar with the Mobile Guidance.
The principles of the Mobile Guidance apply to precise location data, cross-app data, and personal directory data. If an entity collects any data of these types, it should provide the consumer with notice before any collection takes place. This can be done before download of the app takes place, on installation, or when first opening the app. The consumer should be prompted to affirmatively signal consent (opt in) and should also be informed as to how to withdraw consent.
Whether in the traditional online environment or in the developing mobile app environment, publishers need to be aware of more than just their specific responsibilities. They also need to consider issues such as the larger framework governing the collection of consumer data and the responsibilities of others. For all these reasons and more, notices to website visitors and app users, as well as privacy policies, need to be carefully drafted to provide clear and accurate information.
 See, e.g., Nicole Ozer, Putting Online Privacy Above the Fold: Building a Social Movement and Creating Social Change, 36 N.Y.U. Rev. L. & Soc. Change 215 (2012).
 American Association of Advertising Agencies et al., Self-Regulatory Principles for Online Behavioral Advertising (July 2009).
 Federal Trade Commission, Self-Regulatory Principles for Online Behavioral Advertising: Tracking, Targeting, and Technology (Feb. 2009).
 American Association of Advertising Agencies et al. 2009, 10-11.
 Id. at 11.
 Id. at 4.
 Id. at 10.
 Advertising Self-Regulatory Council, Compliance Warning: Responsibilities of First Parties for Notice of Third-Party Data Collection for Online Behavioral Advertising on Their Websites (2013).
 Id. at 1.
 American Association of Advertising Agencies et al., Application of Self-Regulatory Principles to the Mobile Environment (July 2013).