Anita Ramasastry

FTC and Industry Agree: Consumers Need Clear Notice When Web Use Is Tracked

By ANITA RAMASASTRY


Teusday, July 30, 2009

Many Internet retailers track our online movements as a means of customizing their marketing efforts and figuring out what types of products and services we want to view and purchase. Consumers may be unaware, however, that their online moves are being watched or "tracked" by the companies with which they deal online.

For many consumers, tracking is a positive thing – for it causes consumers to receive advertising and recommendations for products and services that they desire. If a golfing fan visits lots of golf sites, for example, he might find himself receiving targeted advertisements on the Web that focus on golf. A travel buff might see pop-up advertisements for cruises or vacations.

Such targeted advertising, which is generated after merchants track a consumer's online patterns, is referred to as "online behavioral advertising." But some consumers may not want their information collected – or may be wary of merchants' collecting some of their more sensitive data, such as data relating to health or medical issues, for example.

At present, both the government and industry are trying to figure out if there should be any limits – imposed either by government regulation, or through industry self-regulation – on when and how companies may track customer activity and use the data collected for so-called behavioral advertising. In June, Congress held hearings on this topic, and the FTC has previously published a report on the topic (which I described in a prior column).

Moreover, the FTC has begun to set some limits through its enforcement actions. In a recent move, it commenced an enforcement action against – and then reached a settlement with – Sears Holdings Management Corporation (Sears), which is owned by Sears, Roebuck and Company and Kmart Management Corporation. The FTC alleged that that Sears HMC had engaged in a deceptive trade practice by failing to disclose adequately the scope of consumers' personal information that it had collected via a downloadable software application.

In this column, I will discuss the FTC settlement with Sears, as well as a recent report issued by industry groups that also addresses the issue of online tracking of consumer Internet activity. Both the FTC and industry agree that clear notice is an important part of informed consumer choice. While many issues remain unresolved, this is an important first principle that needs to be more broadly and consistently applied.

The FTC's Complaint Against Sears: The Allegations

Online tracking of customer activity is legal, and so is online behavioral advertising. The FTC was concerned, however, that Sears had not fully divulged to consumers what types of information it was gathering after it asked some of its customers to download software that tracked their Internet activities.

According to the FTC's complaint, Sears invited consumers visiting the sears.com and kmart.com Websites to join "My SHC Community." Sears solicited these consumers to "participate in exciting, engaging, and on-going interactions – always on your terms and always by your choice," and paid them $10 for becoming members. As part of joining the SHC Community, Sears asked consumers to download "research" software that it said would confidentially track their "online browsing." It did not specify, however, whether Sears would monitor their browsing outside of its own websites.

According to the FTC's complaint, Sears did not disclose the extent of the tracking it actually performed – which included tracking visits to third-party websites, outside of the Sears universe of companies. Moreover, the FTC alleged that the software also monitored consumers' online secure sessions – including sessions on third-party websites. Perhaps even more startlingly, the Sears software would also collect data transmitted by a consumer in those sessions, including the contents of their shopping carts, online bank statements, drug prescriptions, movie rentals and even library borrowing records.

Did Sears disclose the extent of its tracking anywhere? Any such disclosure could only be found in a lengthy end-user license agreement, available to consumers at the end of a multi-step registration process. Thus, the FTC complaint charged that Sears had failed to adequately disclose the scope of the tracking software's data collection, and that this omission constituted a deceptive practice in violation of the FTC Act.

The Terms of the FTC/Sears Settlement

Last month, Sears reached a settlement with the FTC. The proposed settlement calls for Sears to stop collecting data from the consumers who downloaded the software, and to destroy all data it had already collected. In addition, if Sears advertises or provides any tracking software in the future, it must clearly and prominently disclose the types of data the software will monitor or capture. This disclosure must be made prior to installation, and must be separate from any user license agreement. Sears must also disclose whether any of the data will be shared with or used by a third party.

The FTC order specifically notes that Sears must disclose the following information clearly and prominently, and prior to the display of, and on a separate screen from, any final end user license agreement, privacy policy, terms of use page, or similar document: "(1) all the types of data that the Tracking Application will monitor, record, or transmit, including but not limited to whether the data may include information from the consumer's interactions with a specific set of websites or from a broader range of Internet interaction, whether the data may include transactions or information exchanged between the consumer and third parties in secure sessions, interactions with shopping baskets, application forms, or online accounts, and whether the information may include personal financial or health information; (2) how the data may be used; and (3) whether the data may be used by a third party."

In addition, Sears has promised to "[o]btain express consent from the consumer to the download or installation of the Tracking Application and the collection of data by having the consumer indicate assent to those processes by clicking on a button or link that is not pre-selected as the default option and that is clearly labeled or otherwise clearly represented to convey that it will initiate those processes. . ."

Industry Tightens Its Own Standards for Online Behavioral Advertising

It appears that many industry groups agree with the general principles articulated and applied by the FTC in its settlement with Sears. As part of an effort to promote industry self- regulation, major trade groups in the advertising industry, including the Better Business Bureau, have announced stricter guidelines on how their members use and collect online data. The Self-Regulatory Principles for Online Behavioral Advertising are meant to mirror the FTC's recommendations for such principles that were issued in February 2009.

Principle II focuses on transparency. It states that "Third Parties and Service Providers should give clear, meaningful, and prominent notice on their own Websites that describes their Online Behavioral Advertising data collection and use practices. Such notice should include clear descriptions of the following:

(a) The types of data collected online, including any [personally identifiable information] for Online Behavioral Advertising purposes;

(b) The uses of such data, including whether the data will be transferred to a non-Affiliate for Online Behavioral Advertising purposes;

(c) An easy to use mechanism for exercising choice with respect to the collection and use of the data for Online Behavioral Advertising purposes or to the transfer of such data to a non-Affiliate for such purpose; and

(d) The fact that the entity adheres to these Principles."

These principles are meant to go into effect in 2010, and will involve more than 5,000 companies that belong to the sponsoring organizations, including industry giants such as Google, Microsoft, Yahoo, Disney and Verizon.

The report instructs members to provide notice, either in an ad or on a website (rather than hidden in the privacy policy), that behavioral information is being collected. It also suggests an enforcement process, so that competitors or consumers can bring complaints if a company violates the principles. "Programs will also, at a minimum, publicly report instances of noncompliance and refer entities that do not correct violations to the appropriate government agencies," the report says.

Open Issues Regarding Behavioral Advertising

While the issue of notice has received prominence in recent weeks, open issues regarding behavioral advertising still remain. In particular, consumer groups are advocating that consumers be able to access data that companies are storing about them.

The industry report does not address the issue of access. It does discuss the concept of "control" – but this relates to the idea of consumers having choices about whether to allow information to be collected, not their having ability to see their "file" once information has been collected. News reports indicate that some companies, including Google, plan to give consumers access to data, and it seems like that the access issue will continue to be an important one in this area.


Anita Ramasastry, a FindLaw columnist, is the D. Wayne and Anne Gittinger Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology. She has previously written on business law, cyberlaw, computer data security issues, and other legal issues for this site, which contains an archive of her columns.

FindLaw Career Center

    Select a Job Title


      Post a Job  |  View More Jobs

    View More