Too Much Room for Interpretation in the FTC’s Privacy Guidelines
As most of you undoubtedly know, the FTC recently issued a report that finalizes its 2007 draft of Self-Regulatory Principles for Online Behavioral Advertising. The document provides privacy and security guidelines for advertising that targets individual consumers based on their searches, Web site visits, page views or other Internet activity.
The document has generated a lot of controversy as advertisers, agencies, media pundits and marketing consultants analyze it from every conceivable angle. In many cases, the controversy seems more spectator sport than hard analysis based on fact; but there are some areas of the new report that should give online advertisers pause -- even those that are not technically using personally identifiable information (PII) to target their ads.
Among a number of concerns with the new guidelines, two in particular rise to the top in prominence. The first major concern is the broadening of the scope of the guidelines. Traditionally, the FTC saw its mandate with respect to consumer privacy as providing guidelines for the safe and secure use of PII online. PII was defined as a user’s name and address, social security number, or other data that could easily and directly identify a unique individual.
The new guidelines have dramatically broadened the scope of that mandate by stating that the traditional distinction between PII and non-PII should no longer determine whether or not the privacy guidelines apply. The FTC cites the increased use of static IP addresses as an example of non-PII data that could compromise privacy. The FTC notes that the widespread use of static IP addresses (as a result of the transition to Internet Protocol v6) will make it possible to identify individual users from non-PII data. As a result, the report maintains that *any data* (PII or non-PII) that is collected for behavioral advertising and could be associated with a specific user or with a specific computer or IP address is covered by the report’s guidelines.
Broadening the scope of the guidelines to include what was traditionally considered non-PII has the potential to make a whole new class of advertisers subject to the guidelines. In fact, this could one day include advertisers who are not personalizing or targeting their ads, requiring them to adhere to these guidelines unnecessarily.
The second major concern regarding the new guidelines centers on the implementation requirements surrounding ‘notice’ and ‘choice’. While the report pays great attention to the need for clear notice and choice, it fails to offer specific information to help advertisers figure out how to achieve them. For example, the report explicitly declines to take a stand on whether choice should be opt-in or opt-out. Instead, it offers the dismayingly unhelpful guideline that it should be “clear, easy to use, and accessible to consumers.” This abstract advice is open to broad interpretation, which may result in widely varying policies from one advertiser to the next and leave those advertisers open to the possibility of inadvertent violations of the FTC Act.
In addition, the FTC encourages advertisers to experiment with alternative methods of providing notice and choice in an effort to further best practices. Unfortunately, and fatally, there is no safe harbor for such experimentation and therefore no real benefit, only increased risk, to being on the cutting edge and experimenting with novel methods of providing notice and choice.
The guidelines outlined in the FTC report are incremental steps toward furthering self-regulation, but to be truly useful--and widely adopted--I believe that they need to be more specific. The Internet, by its nature, is fundamentally self-regulating. Those companies that succeed in providing a transparent exchange of value will prosper and establish best practices and model self-regulatory guidelines; those that are not transparent or do not provide value will fail. More detailed guidelines will set the boundaries within which those market forces can efficiently and effectively play out.
