|E-Commerce :: Behavioral Advertising|
- Legal to Link? |
- DNS & Trademark
- Online Profiling
- Targeted Advertising
- - Behavioral
- Alcohol & Tobacco
- E Signatures
- Intellectual Property
- Online Investing
- Ecommerce Reference
Derived From: Kathleen Anne Ruane, Privacy Law and Online Advertising: Legal Analysis of Data Gathering by Online Advertisers Such as Double Click and NebuAd, CRS Jan. 16, 2009
Introduction and Technical Background
Many website operators produce income by selling advertising space on their sites. Advertisers will pay a premium for ads that are more likely to reach their target demographic. In other media, such as broadcasting, advertisers engage in targeting by purchasing advertising time during programs that those who buy their products are most likely to watch. The Internet presented new challenges and opportunities for advertisers to reach their target audiences. Technology has been developed that allows advertisers to target advertising to individual web users. This is seen as an advantage for advertisers, because, rather than aiming their ads at groups of people who visit a particular site, their ads are aimed at the individual user. This maximizes the odds that the user who sees the ad will be interested in the product or service it touts. Targeting advertising to individuals involves gathering information about that individual's web surfing habits. The collection of this information has raised concerns among some over the privacy of web activity, particularly if the data collected are personally identifiable. Some have alleged that online advertisers are violating privacy laws by collecting these data.
In online advertising's simplest form, a commercial website rents out "space" on its site to another website which places a hot link banner advertisement in that space.1 The banner ad, when clicked, sends the user directly to the advertiser's website. In this scenario, no matter who visits a particular website, that user will see the same advertisement, regardless of whether he/she may be interested in that product or service. However, many advertisers will pay a premium for the increased likelihood that users viewing their advertisement would be interested in the product or service offered. As a result, technology has developed to more accurately target online ads to the desired audience.
Online advertising providers, such as DoubleClick and NebuAd, have developed the ability to target ads to individual Internet users who would be most interested in seeing those ads. These techniques are known generally as "behaviorally targeted advertising." Behaviorally targeted advertising delivers ads that are geared toward specific Internet users by tracking certain, though not necessarily all, web activity of each user and inferring each user's interests based on that activity. Most online advertising providers monitor individual Internet users by placing a "persistent cookie" on that user's computer. "cookies" are small text files that can store information. "Persistent cookies" reside on a hard drive indefinitely, unlike most "cookies" which expire when a browser window is closed. Generally, online advertisers give the "cookies" they place on user computers a unique alphanumeric code that identifies that user to the advertising company purportedly without revealing any personally identifiable information. "cookies" may be placed on an individual's computer when an individual visits a website affiliated with the online advertisement supplier; however, the exact moment of "cookie" placement may be different when the relevant advertising partnership is between a user's Internet Service Provider (ISP) and an online advertising provider.
Once the cookie is in place, it gathers certain information related to that user's online activity on a continuous basis and relays that information to the online advertising provider. The advertising provider assembles that data into an individual profile that is then used to target advertising to that user's interests. This process is ongoing, but, in general, the user may opt out of continued monitoring at any point, assuming they are aware that it is occurring. In most types of behaviorally targeted advertising technology, the advertising firm gathers information about user activities on websites that are affiliated with the advertising firm. The behavioral advertiser DoubleClick, for instance, operates on this model. Information on individual users is transmitted to DoubleClick by DoubleClick's clients. In a newly emerging behavioral advertising model, the advertising provider is attempting to partner with the users' ISP. This partnership will presumably grant the advertising provider access to all web activity in which an ISP's subscribers engage. Both of these types of potential partnerships raise a number of questions regarding potential violations of existing privacy protections in federal law.
Electronic Communications Privacy Act
Concerns have been raised that online advertising providers, websites, and ISPs that agree to collect certain data generated by Internet traffic to behaviorally target advertising may be violating the Electronic Communications Privacy Act (ECPA)100 Stat. 1848, 18 U.S.C. 2510- 2521.2 ECPA is an amendment to Title III of the Omnibus Crime Control and Safe Streets Act of 1968, 87 Stat. 197, 18 U.S.C. 2510-2520 (1970 ed.), which prohibits the interception of electronic communications unless an exception to the general prohibition applies.3 This section will discuss the potential application of ECPA to online advertising providers and the potential application of ECPA to ISPs.
The Online Advertising Provider
The first question that must be addressed is whether ECPA applies to the activities of online advertising providers. Online advertising providers are acquiring information such as the fact that a user clicked on a particular link (an action which is the equivalent of asking the site providing the link to send the user information), and they are acquiring that information while the communication is in transit.4 Furthermore, these advertisers may acquire information, such as words entered into a search engine or answers to online forms, while it is in transit.5 Under ECPA, it is illegal, with certain enumerated exceptions, for any person to "intentionally intercept, endeavor to intercept, or procure any other person to intercept or endeavor to intercept, any wire, oral or electronic communication."6 It is important to lay out the statutory definitions of each of the key terms in order to assess whether the ECPA prohibition and/or any of its exceptions applies to activities conducted by online behavioral advertisers.
- "Intercept" means the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.
- "Contents" when used with respect to any wire, oral, or electronic communication includes any information concerning the substance, purport, or meaning of that communication.
- "Electronic Communication" means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic, or photo optical system that affects interstate or foreign commerce.
Because the advertisers record that a particular user requested information from a website by clicking on a particular link or sent information to a website via a search entry or other method, the advertisers appear to be "intercepting" the "contents" of those "electronic communications." Therefore, the interceptions are likely covered by ECPA.
Merely determining that this type of data acquisition by online advertisers is an interception for the purposes of ECPA does not end the analysis. ECPA excepts certain communication interceptions from its prohibition. The exception to ECPA that would most likely apply to these types of interceptions is the exception that allows for interception of communications with the consent of one of the parties.11 The question of when and how consent to the interception may be given is addressed below.
The Internet Service Provider
The second question to be addressed is whether ECPA applies to ISP providers that would allow online advertising providers to gather data from traffic over the ISP's network. ECPA prohibits any person or entity providing an electronic communications service from intentionally divulging the "contents of any communications ... while in transmission on that service to any person or entity other than an addressee or intended recipient of such communications or an agent of such addressee or intended recipient."12 The same definitions outlined in the previous section apply here. This section seems to apply to ISPs that would agree to allow online advertising providers to acquire portions of the web traffic of ISP customers, because the ISP would be allowing the advertising providers to acquire the contents of communications while they are in transmission and neither the advertising provider nor the ISP would, in most cases, be the addressee or intended recipient of the communications.
Again, determining that the data collection is likely an interception for the purposes of ECPA does not end the analysis. An ECPA exception may apply. ISPs are allowed to intercept communications while in transit if such interception is part of "any activity which is a necessary incident to the rendition of [that service] or to the protection of the rights or property of the provider of that service."13 It does not seem likely that this exception applies to ISPs when contracting with online advertising providers. Though the service for which they contract may help keep the websites of the advertising provider's clients free to the public by producing advertising revenue, the interception is not necessary to maintain an ISP's proper function or solvency and, therefore, likely is not necessary to the rendition of Internet access service.14 ISPs also are allowed to divulge the contents of a communication in transit "with the lawful consent of the originator or any addressee or intended recipient of such communication."15 If the ISPs obtain the consent of their customers to intercept some of their online activities, this exception to ECPA would seem to apply. Again, the questions of how and when consent may be obtained and what constitutes "lawful consent" arise and are addressed in the following section.
The Consent Exception of ECPA
As noted above, interception of electronic communications is not prohibited by ECPA if one of the parties to the communications has consented to the interception. Consent is not defined by ECPA; nor do precise instructions of how and when consent may be obtained under ECPA appear in regulation. Therefore, it has been left largely to the courts to determine when consent to intercept a communication otherwise covered by ECPA's prohibitions has been granted.16 There have been few cases dealing with ECPA's application to online advertising providers and none examining ECPA's application to agreements between ISP providers and online advertising providers. As a result, many open-ended questions exist regarding how to obtain adequate consent. This section first will examine whether the consent exception to ECPA applies to data collection agreements between online advertising providers and website operators. It will then examine whether and how the consent exception applies to data collection agreements between ISPs and online advertising providers.
Data Collection Agreements Between Websites Operators and Online Advertising Providers
Agreements for online advertising providers to monitor certain web traffic may be between the online advertising provider and the website operators seeking to have ads placed on their sites. The advertising providers receive information about user activity on participating websites and aggregate that data to better target ads. In litigation against the online advertising provider DoubleClick for violations of ECPA, the court examined whether websites were "users" of electronic communications services under ECPA.17 ECPA defines a "user" as "any person or entity who (A) uses an electronic communication service; and (B) is duly authorized by the provider of such service to engage in such use."18 The court reasoned that websites are "users" (and, therefore, "parties to the communications" at issue) because they actively respond to requests they receive over electronic communications services by deciding whether to send the requested document, breaking the document down into TCP/IP protocol, and sending the packets over the Internet.19 Because websites are "users" of electronic communications, the court found that websites are also "parties to the communications" in dispute; therefore, website owners have the ability to consent to a communication's interception.
The court also held that the website operators had consented, by virtue of their contract with DoubleClick, to allow the company to intercept certain traffic on their websites in order to target advertising to website visitors.21 Consent for private interceptions of electronic communications cannot be granted if the purpose of the interception is the commission of criminal or tortious conduct.22 The court noted that the focus of the determination of criminal or tortious purpose under ECPA is "not upon whether the interception itself violated another law; it is upon whether the purpose for the interception-its intended use-was criminal or tortious."23 Applying that standard, the court found that the plaintiffs had not alleged that DoubleClick's primary motivation for intercepting communications was to injure plaintiffs tortiously. In the court's view, even if DoubleClick's actions ultimately proved tortious or criminal, there was no evidence that DoubleClick was motivated by tortious intent. As a result, the court found that the consent exception to ECPA was satisfied.
In a similar suit against online advertising provider Pharmatrak, the court outlined limitations to the consent exception regarding these types of agreements. In that case, Pharmatrak had contracted with certain drug companies to provide advertising on their websites. Included in the agreement was permission for the advertising provider to record certain web traffic that did not include personally identifiable information.25 Perhaps inadvertently, the online advertising provider did collect a small amount of personally identifiable information though it had pledged not to do so. The advertiser argued that consent had been granted for such interception. The court disagreed. According to the court, it is for the party granting consent to define its scope, and the parties in this case had not consented to the collection of personally identifiable information.26 In collecting personally identifiable information by intercepting data without the consent of one of the parties, the online advertiser potentially had violated ECPA, but may have lacked the requisite intent to be found liable under the statute.27 The appeals court directed the trial court to conduct further investigation into the matter.
Given the conclusions in the above cases, it appears that online advertising providers, like DoubleClick, that partner to collect data from individual websites generally are not violating ECPA, because the websites are "parties to the communication" with the ability to consent to interception. Based on these cases, the advertising providers will not be seen as running afoul of ECPA so long as the data the advertising providers collect do not fall outside the scope of the data the advertising providers' clients have agreed to disclose.
Data Collection Agreements Between ISPs and Online Advertising Providers
On the other hand, when the partnership is between the ISP and the online advertising provider, neither of the parties to the agreement to intercept web traffic is a party to the communications that are being intercepted. Therefore, it would appear that consent for the interceptions must be obtained from individual customers of the ISPs. The questions, in these circumstances, are whether consent must be "affirmative," or if it can be "implied," and if consent must be "affirmative" what process must be used to obtain such consent from individual users.
Affirmative or Implied Consent
Consent to interceptions has been implied by the surrounding circumstances of communications. While consent may be implied, it may not be "casually inferred."28 It seems unlikely, as a result, that merely by using an ISP's service, a customer of that service has implied her consent to the interception of her electronic communications by online advertising providers. If consent likely may not be implied simply from use of an ISP's service, then a form of affirmative consent from the ISP's customer would be necessary.
Opt in v Opt Out Consent
In other statutes requiring consent for certain types of disclosure, regulatory regimes have developed to define when and how affirmative consent should be obtained.29 A similar debate is occurring now involving how ISPs should obtain consent from their customers to share data about their online activities with online advertising providers. The debate centers around whether ISPs and advertisers must obtain "opt-in" consent or if they may continue to obtain "opt-out" consent for these interceptions.
"Opt-in" consent is obtained when a party to the communication is notified that his or her ISP has agreed to allow an online advertiser to track that person's online activity in order to better target advertising to that person. The advertiser, however, may not begin to track that individual's web activity until the individual responds to the notification granting permission for such activity.30 If the individual never responds, interception can never begin. "Opt-out" consent, by contrast, is obtained when a party to the communication is notified that his or her ISP has agreed to allow an online advertiser to track that person's online activity and the advertising provider will begin such tracking unless the individual notifies the ISP or the advertiser that he or she does not grant permission for such activity.31 If the individual never responds, interception will begin. Currently, it appears that companies such as NebuAd are obtaining or planning to obtain "opt-out" consent for the information gathering they engage in with ISPs.32 The present question is whether "optout" consent is sufficient to satisfy the ECPA consent requirement. This question has yet to be addressed by a federal court or clarified by legislation or regulation. However, as discussed below, if Section 631 of the Communications Act applies to this type of data collection, "opt-in" consent may already be required for cable companies acting as ISPs (though this may not be required of telco companies such as Verizon or AT&T that operate as ISPs).
Section 631 of the Communications Act
It is also possible that privacy provisions of the Communications Act apply to agreements between cable operators acting as ISPs and online advertising providers.33 Section 631 of the Communications Act provides basic privacy protections for personally identifiable information gathered by cable operators.34 Specifically, cable operators must provide notice to subscribers, informing them of the types of personally identifiable information the cable operator collects, how it is disclosed, how long it is kept, etc.35 Cable operators are prohibited from collecting personally identifiable information over the cable system without a subscriber's prior written or electronic consent.36 Cable operators are also forbidden to disclose personally identifiable information without prior written or electronic consent of subscribers and must take action to prevent unauthorized access to personally identifiable information by anyone other than the subscriber or cable operator.37 NebuAd has argued that Section 631 does not apply to the activities of cable operators when cable operators are acting as cable modem service providers.38
Section 631 governs the protection of information about subscribers to "any cable service or other service" provided by a cable operator. "Other service" is defined as "any wire or radio communications service provided using any of the facilities of a cable operator that are used in the provision of cable service."39 In its order classifying cable modem services as "information services," the FCC stated the belief that "cable modem service would be included in the category of 'other service' for the purposes of section 631."40 Furthermore, in 1992, Congress added the term "other services" to Section 631 as part of the Cable Television and Consumer Protection and Competition Act.41 The House Conference Report on the law clarified that provisions redefining the term "other services" were included in order "to ensure that new communications services provided by cable operators are covered by the privacy protections" of Section 631.42
Section 631 is judicially enforced, however, and it is for the courts to interpret the scope of its application absent more specific guidance from Congress.43 It is unclear whether all of the provisions of Section 631 encompass Internet services. "Other services" have been interpreted by at least one district court to encompass Internet services.44 On the other hand, in 2006, the Sixth Circuit Court of Appeals found that the plain language of Section 631(b) precluded its application to broadband Internet service.45 Section 631(b) prohibits cable operators from using their cable systems to collect personally identifiable information without the consent of subscribers.46 The court based its decision that Internet services were not covered by this prohibition on its interpretation of the definition of "cable systems."47 The court found that the systems that deliver Internet services are not the systems that Section 631(b) addresses, and therefore, cable operators were not prohibited by Section 631(b) from collecting personally identifiable information over systems that delivered Internet access services. The Supreme Court has yet to rule on this issue.
Even if Section 631(b) does not prevent cable operators from collecting personally identifiable information over broadband Internet services, Section 631(c) may prohibit the disclosure of such information to third parties regardless of whether the information was collected over the cable system.48 Section 631(c) of the Communications Act states that "a cable operator shall not disclose personally identifiable information concerning any subscriber without the prior written or electronic consent of the subscriber concerned and shall take such actions as are necessary to prevent unauthorized access to such information by a person other than the subscriber or cable operator."49 If a cable operator, as an ISP, agrees to allow an online advertising provider to inspect traffic over its cable system and to acquire some of that information, it seems that the cable operator/ISP is disclosing information to the online advertising provider. Such disclosure would apparently be a violation of the Communications Act if (1) the information disclosed is personally identifiable information and (2) the cable operator/ISP is disclosing it without the prior written or electronic consent of the subscribers to whom the information pertains.
Whether online advertising providers are gathering personally identifiable information in order to provide their services is a matter of much debate. Section 631 does not define what personally identifiable information is; it defines what personally identifiable information is not. According to 631, Personally Identifiable Information (PII) does not include "any record of aggregate data which does not identify particular persons."50 Online advertising providers claim that they do not collect any personally identifiable information.51 Public interest groups and other commentators disagree, citing scenarios in which data which was not supposed to contain personally identifiable information was used to identify individuals.52 Because Section 631 is judicially enforced, it is likely that whether online advertisers are acquiring personally identifiable information as opposed to aggregate data that do not identify particular persons will be a determination made by a federal trial court. To date, there have been no cases addressing this question.
Assuming even that online advertising providers are gathering personally identifiable information, cable operators are allowed to disclose personally identifiable information as long as they obtain the prior written or electronic consent of the relevant subscribers, essentially an "optin" standard.53 In the event that online advertising companies are determined to be gathering personally identifiable information and that Section 631(c) applies to cable operators in their provision of cable modem services, cable operators would be required to obtain consent for such disclosure under an "opt-in" regime.
FTC Online Advertising Principles
The Federal Trade Commission (FTC) has held a number of hearings and town hall meetings to examine the privacy issues raised by online behavioral advertising.54 The FTC continues to advocate for industry self-regulation in this area, but has put forth a number of principles intended to provide guidance. Some of the proposed principles include acquiring affirmative express consent to use sensitive data for behavioral advertising, implementing reasonable security for data collected, and limiting the time such data is retained.55 The FTC has also suggested that every website where data are collected provide a "clear, concise, consumer-friendly, and prominent statement that (1) data about consumers' activities online is being collected at the site ... and (2) consumers can choose whether or not to have their information collected...."56
These principles were published on the FTC's website in December of 2007. The FTC also sought comments from the public on the principles. The comment period closed in April of 2008. The comments received were posted on the FTC's website in order to aid in the development of self-regulatory programs.57 The FTC noted that, though the agency believed self-regulation remained the best course of action, it did not foreclose the use of the FTC's enforcement or regulatory authority, including its authority to challenge unfair or deceptive trade practices.
Network Advertising Initiative Standards
The Network Advertising Initiative (NAI) is an industry group composed of online advertising providers that has developed voluntary privacy, notice, and consent standards that are considered to represent industry best practices for the protection of data gathered for the purposes of behavioral advertising.58 These standards do not have the force of law, but a number of online advertising providers have pledged to abide by them.
In December of 2008, the NAI released a new "Self-Regulatory Code of Conduct."59 Under these standards, members of the NAI must post clear and conspicuous notice on their websites describing their data collection, transfer, and use practices. The Code instructs NAI members to require the sites with which they contract for behavioral advertising to post conspicuous notice of, among other things, the types of data collected by the company and how that data is used or transferred to third parties. Members also must contractually require any third parties to whom they provide personally identifiable information to comply with the Self-Regulatory Code of Conduct.
The Self-Regulatory Code creates three tiers of information that may be collected for behavioral advertising: non-personally identifiable information (Non-PII),60 personally identifiable information (PII),61 and Sensitive Consumer Information.62 The code requires "opt-out" consent for the use of Non-PII. The prospective use of PII that is to be merged with Non-PII requires "opt-out" consent accompanied by a "robust notice"63 that occurs prior to data collecion. The use of PII that is to be merged with previously collected Non-PII requires "opt-in" consent. The use of Sensitive Consumer Information always requires "opt-in" consent. Members must provide reasonable security for the data that they collect, and they may only retain the data collected "as long as necessary to fulfill a legitimate business need, or as required by law." Behavioral advertising that targets children under the age of thirteen (regardless of the type of information) is prohibited.
- FTC to Host Town Hall to Examine Privacy Issues and Online Behavioral Advertising, FTC 8/8/2007
- FTC Staff Proposes Online Behavioral Advertising Privacy Principles,
- FTC, # 228; Project No. P859900: Online Behavioral Advertising: Moving the Discussion Forward to Possible Self-Regulatory Principles (2008)
- Online Behavioral Advertising, Moving the Discussion Forward to Possible Self-Regulatory Principles, released December 20, 2007
- Privacy Implications of Online Advertising: Hearing Before the S. Comm. On Commerce, Science, and Transportation, 110th Cong. (2008)
- Testimony of Mr. Robert R. Dykes, CEO of NebuAd Inc., .
- Testimony of Ms. Leslie Harris, CEO of the Center for Democracy and Technology,
- In re DoubleClick, Inc. Privacy Litigation, 154 F.Supp. 2d 497 (S.D.N.Y. 2001),
- In re Pharmatrak Privacy Litigation, 329 F.3d 9 (1st Cir. 2003)
- Network Advertising Initiative
- Paul Lansing and Mark Halter, Internet Advertising and Right to Privacy Issues, 80 U. Det. Mercy L. Rev. 181 (2003).