Welcome to “A Moment of Privacy,” a newsletter brought to you by the Privacy and Data Security Practice Group at Proskauer Rose LLP.
“A Moment of Privacy” addresses one legal development each month in the area of privacy and data security law. We answer the questions our clients are asking, in a way that we hope gives practical information to our readers. If you send us your question, you may find your answer in an upcoming newsletter.
And now for this month’s question:
Q: I understand that the Network Advertising Initiative issued a new Self-Regulatory Code of Conduct covering online behavioral advertising in December 2008. What do I need to know about the revised Code?
A: Prompted by renewed FTC and Congressional interest in online behavioral advertising over the last year, the Network Advertising Initiative issued a revised Self-Regulatory Code of Conduct in December 2008. The Code is binding on NAI members that participate in the “advertising network business model,” that is, the display of banner advertisements to Web surfers based upon data collected across multiple Web sites via the use of cookies, Web beacons and similar technologies. Even if a company is not itself an NAI member, the Code is important because NAI members are obliged to impose its core principles on the customers to whom they provide advertising services.
Perhaps most significantly, the NAI agreed that the basic principles in the Code should apply to other forms of online advertising conducted by its members and their customers. Although the Code provisions as revised still refer explicitly only to the advertising network business model, certain principles are identified as subjects for forthcoming "implementation guidelines" that will assist in the application of those principles to other ad-serving models. The implementation guidelines will be binding upon NAI members, and secondarily on their advertising customers, who participate in those ad-serving models.
In brief, the revised Code reiterates principles from the original Code issued in 2000 that apply to advertising conducted via the advertising network business model by NAI members and their advertising customers. These include, among other things, the requirements that notice of data collection be provided on Web sites and that users opt in to the collection and use of certain kinds of data for advertising purposes.
In the area of data retention, the revised Code adds a limitation on the retention of data collected on Web sites for advertising purposes to a period “only as long as necessary to fulfill a legitimate business need, or as required by law.” This limitation applies whether the data is collected for “ad delivery and reporting purposes” on a single Web site, or whether it is collected for cross-domain advertising. The limitation also applies equally to "personally identifiable information" (PII) and non-PII.
Another significant change is a revised definition of PII, which provides that PII “includes name, address, telephone number, email address, financial account number, government-issued identifier, and any other data used or intended to be used to identify, contact or precisely locate a person.” First, the specific references to “financial account number” and “government-issued identifier” are new. Second, the additional reference to “data … intended to be used” for specified purposes is also new. The language is intended to reflect the fact that data that is not by itself PII should be regarded as PII when collected with those purposes in mind. Conversely, the language is intended to convey that the collection of data that might otherwise be classified as PII is not considered PII for purposes of the revised Code if it is not “intended to be used” for advertising purposes. According to the commentary released by the NAI along with the revised Code, this qualification to the definition of PII is intended to recognize that some of the NAI members take steps, i.e., anonymizing data, to prevent data that they collect for advertising purposes from becoming identifiable. In addition, the phrase “used to … locate a person” is modified by the word “precisely” to differentiate general locational information such as an IP address from more precise locational information that may be generated from GPS-enabled devices. The NAI acknowledged that this definition of PII is unique, but asserted that it is intended to be flexible and pertinent to the online advertising context to which it applies.
Finally, the definition of “sensitive consumer information” is revised to include expressly the more precise type of locational information excluded from the definition of PII, as well as to define more flexibly those categories of health-related information that should be regarded as sensitive. In contrast to the 2000 Code that prohibited any use of sensitive information for advertising purposes, however, the revised Code permits the use of such information for online behavioral advertising purposes where the consumer opts in.
Have a question? E-mail Kristen J. Mathews at kmathews@proskauer.com.