Behavioral Ad Guidelines: Compliance May Be Challenging

As you likely know, the FTC released its staff report, “Self-Regulatory Principles for Online Behavioral Advertising” this month, and the industry has been buzzing about it. As head of an agency with a substantial stake in behavioral targeting, I’m interested in the report, but it also has broader implications that all marketers need to take into account.

On a call conducted early last week with industry association Network Advertising Initiative (NAI), I realized NAI governing principles are well aligned with the FTC’s. But there are still open questions on both sides, and the biggest takeaway is that more work needs to be done by the two groups, especially when it comes to innovation from the online advertising industry.

Yet behavioral targeting isn’t the only discipline to make use of consumer data; contextual marketing and other display disciplines leverage aggregate demographic, geographic, and purchase data to target their audiences in much the same way behavioral marketers do. As such, all marketers should pay close attention to ensure they’re falling in line with best practices set out by the NAI, the Interactive Advertising Bureau, and other industry organizations who are responsible for spearheading industry self-regulation.

But how? This is a pretty dynamic industry. By the time this debate of self-regulation versus federal regulation comes to any sort of solution, some new technology is sure to emerge to completely change the game again. All we can do as an industry is use our best judgment, conduct regular risk assessment, and stay up to date on best practices and principles coming from both within the industry and from federal agencies. As in all things, it helps to have guiding principles that make the consumer interest the top priority; all the agencies have done a good job of that thus far.

Here are some high-level guidelines to follow if you’re not sure where you fall on the FTC’s spectrum, especially if you engage in behavioral targeting in any way. It’s good practice to check your practices against these new guidelines for compliance. Keep in mind the added benefit of having happy customers and a clean, healthy business model.

Disclaimer: I’m not a lawyer or federal authority. This is not an exhaustive set of recommendations. These are simply high-level recommendations for best practices — plus common sense. Please consult your attorney for authoritative guidance on your approach to privacy and data management.

  • Make sure your privacy policy is clearly visible on your site. There is lingering debate about whether privacy policies are effective and what exactly the FTC means by “prominent” notice to consumers about privacy. Again, this is mostly about common sense. Many people still look for privacy policies. Make sure yours is easily found, updated, concise, clear, and written in layman’s language. If you can open up your home page and find the link to your privacy policy without a magnifying glass or a “Where’s Waldo” champion, you should be fine.
  • Retain data only as long as necessary to fulfill a legitimate business need or as required by law. Both the NAI and FTC policies make this requirement clear, and, once again, data retention is a matter of common sense. Retaining outdated data is wasteful because it can create additional security and privacy burdens, plus it’s no longer useful for marketing. We typically find it useful to ask how a particular data set can be used to optimize programs, make the customer experience better, or make messaging more relevant. If you can’t answer any of those definitively, you don’t need the data. If you don’t need the data, don’t keep it.
  • Provide your customers with the option to opt out and opt in. This requirement can be trickier, because there are several factors that must be considered. Providing the mechanism for opt-out and opt-in is fairly straightforward, and the NAI can assist in defining that. When you make changes to your privacy policy, proactive or retroactive, you’re supposed to provide an opt-in again. Then the issues of personally identifiable information (PII) and sensitive information come into play. The FTC report defines PII as data that “reasonably could be associated with a particular consumer or with a particular computer or device,” but that’s still awfully subjective. Better to be safe than sorry. And if your target audience includes minors, your requirements are significantly changed. Remember, the place to gather and use PII is after you’ve established a relationship with the consumer and received her permission.

Many open questions remain for the industry and the federal government. In the end, much of the guidelines involve common sense and business sense. You can protect your customers’ privacy while maintaining your e-marketing strategy to leverage data. Simply but rigorously ensure that security measures are implemented appropriately and be as transparent with your practices as possible. This will reinforce for your customers that you’re making their privacy a priority and will ensure that you are complying with legislation. Maintaining that standard of business practice helps us maintain the viability of industry self-regulation and safeguards the public trust.

Meet Robin at Search Engine Strategies New York March 23-27 at the Hilton New York. The only major search marketing conference and expo on the East Coast, SES New York will be packed with more than 70 sessions, including a ClickZ track, plus networking events, parties, training days, and more than 150 exhibitors.

Related reading

Overhead view of a row of four business people interviewing a young male applicant.