German Data Protection Authorities Issue Resolution on Website Analysis Methods

In December 2009, the German data protection authorities (“DPAs”) for the private sector published a resolution on data protection compliance for website audience measurement (in German).  The resolution was adopted at the Düsseldorfer Kreis meeting on November 26-27, 2009.

Many website operators analyze users’ surfing behavior for advertising and market research purposes, or to adapt their websites to suit consumer preferences. To create user profiles, website operators often use software or other services that are offered by third party service providers (sometimes free of charge).

In the resolution, the DPAs specify that website operators must comply with the provisions of the German Telemedia Act (“TMG”) when creating user profiles.  According to the TMG, website operators are only allowed to create user profiles by using pseudonyms.  A user’s IP address, however, does not qualify as a pseudonym under the TMG. The resolution further states that the following TMG requirements must be met:

  • Website users must have the opportunity to object to the creation of their user profiles, and website operators must honor such objections effectively.
  • Pseudonymized user data may not be combined with data about the individual associated with the pseudonym. 
  • User data must be deleted (1) if storage is no longer necessary for usage analysis purposes, or (2) if the user requests the deletion.
  • Without the user’s consent, personal data may be collected and used only to the extent necessary to enable the use of telemedia services and for billing purposes. Any other use requires the consent of the user.
  • In their privacy policies, website operators must (1) provide clear disclosure regarding the creation of pseudonymized user profiles, and (2) inform users that they have the option to object to the creation of such profiles.
  • Because complete IP address data may be traced back to a user, analysis of surfing behavior using complete IP addresses (including a geo-localization) is only admissible pursuant to deliberate, explicit consent.  If the user has not given consent, the IP address must be truncated prior to analysis to eliminate the possibility of data being attributed to a specific user.
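A sketch of how an analytics pipeline could apply the objection, consent and truncation requirements in the list above before any usage analysis runs. This is an added example, not taken from the resolution or any vendor's product. The truncation widths (24 bits kept for IPv4, 48 for IPv6), the record fields and the pseudonym values are assumptions, since the resolution does not specify them.

```python
import ipaddress

# Assumed truncation widths; the resolution does not prescribe any.
V4_KEEP, V6_KEEP = 24, 48

def truncate_ip(raw: str) -> str:
    """Zero the host part of an address so it no longer points at one user."""
    ip = ipaddress.ip_address(raw.strip())
    # ::ffff:a.b.c.d is an IPv4 client seen through a dual-stack socket;
    # treat it as IPv4 so the last octet is really removed.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    keep = V4_KEEP if ip.version == 4 else V6_KEEP
    net = ipaddress.ip_network(f"{ip}/{keep}", strict=False)
    return str(net.network_address)

def prepare_for_analysis(hits, objected, consented):
    """Yield analysis-ready records from raw hits (dicts: pseudonym, ip, path).

    objected  -- pseudonyms whose owners objected to profile creation
    consented -- pseudonyms whose owners explicitly consented to full-IP analysis
    """
    for hit in hits:
        pid = hit["pseudonym"]
        if pid in objected:
            continue  # objection honored: nothing is added to a profile
        try:
            ip = hit["ip"] if pid in consented else truncate_ip(hit["ip"])
        except ValueError:
            ip = None  # unparseable address: fail closed, never pass it through
        yield {"pseudonym": pid, "ip": ip, "path": hit["path"]}

# Constructed sample hits (documentation address ranges, invented pseudonyms).
SAMPLE_HITS = [
    {"pseudonym": "p-01", "ip": "192.0.2.77", "path": "/"},
    {"pseudonym": "p-02", "ip": "2001:db8:12:3456:aaaa:bbbb:cccc:dddd", "path": "/shop"},
    {"pseudonym": "p-03", "ip": "198.51.100.9", "path": "/cart"},
    {"pseudonym": "p-04", "ip": "203.0.113.200", "path": "/"},
    {"pseudonym": "p-05", "ip": "::ffff:192.0.2.130", "path": "/news"},
    {"pseudonym": "p-06", "ip": "not-an-ip, 10.0.0.1", "path": "/"},
]

def demo():
    return list(prepare_for_analysis(SAMPLE_HITS, objected={"p-03"}, consented={"p-04"}))

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Truncation has to happen before the raw hit is written to any store the analysis can read; truncating only in the reporting layer leaves complete addresses in the underlying data.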

Marketing Industry Groups Propose Behavioral Advertising Guidelines

On July 2, 2009, five marketing industry associations jointly published a set of voluntary behavioral marketing guidelines entitled “Self-Regulatory Principles for Online Behavioral Advertising.” The American Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, the Interactive Advertising Bureau and the Better Business Bureau developed the standards, which correspond to the self-regulatory principles proposed by the Federal Trade Commission (“FTC”).

Behavioral advertising involves collecting and analyzing information about consumer online behavior for marketing-related purposes, such as serving targeted ads, or developing purchase propensity models. In the U.S., the practice has come under scrutiny by consumer groups, legislators and the FTC. The FTC published a second report on its own proposed self-regulatory principles on February 12, 2009.

The new self-regulatory guidelines are based on seven principles: Education, Transparency, Consumer Control, Data Security, Consent to Material Changes, Sensitive Data and Accountability. The principles call on participating organizations to (i) conduct outreach campaigns to educate consumers about behavioral advertising, (ii) provide clear disclosures about their online behavioral advertising practices (including notices at data collection points), (iii) allow consumers to choose whether their data is used for behavioral advertising, (iv) provide security for consumer information and limit its retention, (v) obtain consumer consent to material changes regarding the use of their information, and (vi) require parental consent for the use of information collected from children under the age of 13. The principles also call for establishing an accountability program for monitoring compliance with the guidelines and reporting non-compliance to appropriate government agencies. The Better Business Bureau and the Direct Marketing Association are currently working together to develop accountability mechanisms, which are intended to be in place by early 2010.

The publication detailing the Self-Regulatory Principles is available at www.iab.net/behavioral-advertisingprinciples.

Draft Bill to Require Disclosure of Online Behavioral Tracking

Behavioral targeting on the Internet has recently come under the scrutiny of lawmakers and privacy advocates. This increased interest has been triggered in part by Facebook’s and Google’s recent adoption of targeted advertising practices. In response to growing concerns over behavioral tracking, three U.S. congressmen are preparing a draft bill that would mandate the disclosure of monitoring practices for advertising purposes. The goal of the bill is to increase transparency and provide individuals with the opportunity to learn what information is being collected about them, by whom and how the information will be used. At present, there are suggested best practices set forth in the Federal Trade Commission’s (“FTC’s”) Staff Report on Self-Regulatory Principles for Online Behavioral Advertising. These Self-Regulatory Principles are designed to encourage industry self-regulation for the protection of consumer privacy in online advertising activities. The FTC is in the process of reviewing the privacy issues raised by online behavioral advertising over the course of the last decade. An FTC Town Hall meeting to address behavioral advertising practices was hosted in November 2007. In response to the comments received at the Town Hall meeting, the FTC issued Self-Regulatory Principles to promote industry self-regulation. If enacted, the proposed bill would frustrate industry’s nascent efforts to self-regulate in this area.

While there has been considerable discussion of online behavioral advertising, the placement of targeted ads on the Internet is not a new phenomenon. A number of well-known companies, including Yahoo! and Microsoft, have made use of the technology for years. Facebook has joined the bandwagon and notified advertisers that they could begin targeting ads to users based on language and location. A posting on Facebook’s company blog indicated that the location and language features represented a “huge upgrade for Facebook’s targeting.” The ability of advertisers to target specific users is significant given that Facebook recently announced that it expects to have 200 million users by the end of March 2009. Google also announced that it will begin interest-based advertising that provides users with ads based on the types of websites they visit. This service would supplement Google’s existing contextual advertising. As part of its approach to targeted ads, and perhaps to allay privacy concerns, Google will offer users an opt-out in the form of a downloadable browser-level plug-in that restricts the use of interest-based ads.

The FTC’s online behavioral advertising principles are available here.