Rapidly changing and complex technology, the rise of “Big Data” and an increasing focus on digital advertising has made advertising legal compliance an increasingly complex area for companies. In-house attorneys and their outside counsel must wrestle with understanding the legal implications of new digital marketing and advertising technologies. The increasing use of newer technologies in this space requires that a company manage the privacy implications as well as the cybersecurity implications that come along with them.

Companies have participated in behavioral advertising for years by collecting data about consumers and targeting ads to these consumers based on data analysis about an individual’s preferences. However, the technology behind behavioral advertising has evolved, and companies have now started to use the data collected to build very detailed profiles about individuals, to track individuals across devices and to combine these detailed profiles about individuals with data obtained from other sources. Some of these new “hot” behavioral advertising technologies include programmatic advertising and data onboarding. Programmatic advertising is the serving of hyper-targeted ads on a real-time basis that draw on vast amounts of data such as cookies and other tracking technologies to create consumer profiles and serve more targeted ads to consumers. Data onboarding, on the other hand, involves companies providing a third-party “onboarding” provider with de-identified data originally derived from a consumer’s personally identifiable information (PII). The onboarding vendor then hashes the information and the hashed values are used to link to other data (provided by third parties and other offline data) to send a consumer much more targeted advertising than conventional behavioral targeting. Companies have also started to combine these technologies with cross-device tracking, which is where data collected about an individual is used to track that person across different devices. New technologies mean that it is necessary for companies to re-examine their privacy practices.

Although complying with self-regulatory guidelines like the Networking Advertising Initiative (NAI) Code of Conduct, the Digital Advertising Alliance’s (DAA) Self-Regulatory Principles for Online Behavioral Advertising and the FTC’s 2009 Staff Report “Self-Regulatory Principles for Online Behavioral Advertising” may provide a starting point for compliance, these guidelines may still not go far enough to avoid legal trouble when utilizing some of these newer advertising technologies. A company should delve deeper into understanding its own use of marketing and advertising technologies and the technologies of its third party vendors to avoid lawsuits, bad press, and catching the FTC’s attention. The FTC has set its sights on behavioral advertising and cross-device tracking in the last few years so it is increasingly likely that these issues will continue to be on the FTC’s radar.

The legal concerns with these newer advertising technologies center around the fact that a company can collect single points of data legally but can run into additional privacy concerns once that data is combined with other pieces of data. Recent tech innovations have made it so that wide categories of data – beyond traditional PII – have the potential to identify an individual making the distinction between non-PII and PII almost obsolete. Jessica Rich, Former Director of the FTC’s Bureau of Consumer Protection, stated in a blog post on the FTC’s website that the FTC regards “data as ‘personally identifiable,’ and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test.” An expanding definition of PII by the FTC coupled with new technologies that enable more categories of data to be potentially individually identifiable demonstrate why it is critical to assess a company’s current marketing and advertising practices to understand what privacy protections and disclosures to consumers are warranted.

Companies should:

  1. Periodically review their website privacy policies and ensure their actual data collection and sharing practices are aligned with their policies and accurately described-in letter and in spirit;
  2. Implement corresponding controls limiting the collection, use, and sharing of data and work with other internal stakeholders to enforce these controls (These policies should have an eye toward all consumer information, not just conventional PII. This could include policies requiring that targeting be done on an anonymized basis with no re-identification.);
  3. Explore offering opt-in consent to customers;
  4. Track legal and press reports related to behavioral/targeted advertising and other data privacy issues;
  5. Negotiate third-party vendor agreements with advertising and marketing providers to ensure that data security and privacy concerns are addressed contractually and in accordance with a company’s internal policies;
  6. Adopt a “Privacy by Design” approach where privacy and security protections are built in at the very beginning of implementation of a new service or product and legal is included from the inception; and
  7. Avoid any targeted advertising involving the use of “sensitive information”, such as children’s information, financial and health information, Social Security numbers, precise geolocation data and information related to medical conditions. Additionally, companies should be particularly cautious when collecting and using sensitive information to consider regulations set in place to prevent discrimination against consumers such as the Fair Credit Reporting Act, Equal Opportunity Credit Act and the Genetic Information Nondiscrimination act, The use of big data to drive advertising programs could inadvertently lead to the exclusion of certain consumers. A good resource for companies trying to identify best practices for data use and sharing is the CFPB Non-Binding Principles for Consumer-Authorized Financial Sharing and Aggregation.

Although the technologies and the privacy concerns around behavioral advertising are complicated, the one thing that remains clear is that deep and careful consideration of these issues is needed to lead to a deeper understanding of a company’s legal obligations when using big data along with increasingly complex marketing and advertising technologies.