Behavioral Advertising Targeted By Congress, European Union
The latest example of the reduced, if not lacking, confidence in U.S. regulators in these times is the apparent Congressional intent to legislate restrictions on advertising that is targeted at Internet users using information gleaned from analysis of their usage. Last week the House Subcommittee on Communications, Technology and the Internet held another round of hearings on the subject. This is an area in which the Federal Trade Commission (FTC) has been active for some time, adopting final Principles in February 2009 for use by the industry in self-regulation.
The four Principles governing behavioral advertising, discussed in detail in the FTC's Report, require (i) notice of data gathering and consumer ability to opt out, (ii) reasonable security protections for collected data and limited term retention, (iii) express consent to a change to the use and protection of data already gathered, and (iv) express consent to the use of sensitive personal data.
The FTC has been monitoring behavioral advertising for the last decade and the Principles are the culmination of efforts that included Town Hall Meetings and a round of comments before finalizing the Principles. Although compliance with the Principles is voluntary, the FTC indicated that in the coming year it would investigate and monitor self-regulatory programs of industry participants and bring enforcement actions under Section 5 of the FTC Act for unfair and deceptive practices where appropriate.
The industry has embraced self-regulation, but apparently neither the House nor the Senate has. There will be more hearings and possibly a bill or two later this summer.
The United States has always been a laggard in personal privacy regulation compared to certain other regions, in particular the European Union. Behavioral advertising in the UK has also been in the news, with the European Commission threatening to sue the UK government if it does not modify its data protection laws to address new technologies such as behavioral advertising. BT (formerly British Telecom) conducted tests in 2008 of its "Phorm" covert behavioral advertising technology without notifying consumers or obtaining their consent, which is a violation of the EU Data Protection Directive. The EU Telecommunications Commissioner also separately expressed concern about the use of RFID technology to monitor consumer behavior without consumers' consent.
European privacy legislation is likely to continue to be more stringent than anything adopted in the U.S., since the U.S. model generally favors "opt out" protection, which is much less onerous than European "opt-in" requirements. For many years European data protection laws have imposed restrictions on the cross-border transfer of personal information to a jurisdiction without legal protections equivalent to the "home country" protection. Since personal data originating in the EU has been transported across borders for processing for years, often to the U.S., there has long been the question whether European law was being complied with, along with questions of extra-territorial jurisdiction. These questions are simply amplified with the Internet, although probably with no change in the general ignorance of the potential issues. As a practical matter, though, this will continue to be an area where the law is aspirational, but not enforceable.
