David Bender on Privacy Issues Attendant to Behavioral Advertising

David Bender on Privacy Issues Attendant to Behavioral Advertising


What happens to data generated by Internet surfing and by queries to search engines offered by Google, Ask.com, and Yahoo!? Much of this data is kept and then used to advertise in a more precise manner, a practice generally known as behavioral advertising. Is this lawful? If so, should it be? David Bender, a sole practitioner and the author of Computer Law (LexisNexis Matthew Bender), discusses this important and emerging issue. He writes:
 
     In the United States, there are no laws, state or federal, directed expressly to this practice. However, the privacy aspects of behavioral advertising are receiving an increased amount of attention as of late. In particular, in December 2007 the staff of the Federal Trade Commission released for comment a set of proposed principles for guidance in the development of self-regulation with regard to behavioral advertising. In April 2008 the EU’s Article 29 Working Party issued a working paper on the topic. And in May 2008 a bill directed generally to curbing or regulating this practice was introduced in the New York State legislature.
 
     The FTC proposed principles are summarized as follows.
 
• The FTC staff believes that privacy issues in behavioral advertising should be both more transparent, and more under the control of consumers:
 
o “Every Web site where data is collected for behavioral advertising should provide a clear, consumer-friendly, and prominent statement that data is being collected to provide ads targeted to the consumer and give consumers the ability to choose whether or not to have their information collected for such purpose.”
 
• To mitigate concerns that this data may find its way to malefactors, and also concerns about unnecessarily lengthy retention periods, the FTC staff proposes:
 
o “Any company that collects or stores consumer data for behavioral advertising should provide reasonable security for that data and should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.”
 
     . . . .
 
     The [New York] bill would create, in the NY General Business Law, a new section entitled “The Third Party Internet Advertising Consumers’ Bill of Rights Act of 2008.” The impetus for the bill apparently comes from the April 2007 announcement that Google, a leading provider of search capability and targeted advertising, would acquire DoubleClick, a leader in digital marketing technology and services, including ad management. Google characterized the combination as offering “superior tools for targeting, serving and analyzing online ads of all types, significantly benefiting customers and consumers.”
 
     . . . .
 
     Given that some of the most popular search engines are owned and operated by companies headquartered outside the EEA, an issue of particular importance is whether the EU Data Protection Directive and the member state laws implementing it apply to the processing of personal data by those owner/operators. . . . The starting point is Art. 4 of the Directive, as amplified by WP56. Article 4 provides that national law applies where (a) processing is carried out “in the context of activities of an establishment of the controller on the territory of the member state,” (b) the controller is not established in a member state, but national law applies by virtue of international law, or (c) the controller is not established in a member state, and processes data by means of equipment, automated or otherwise, situated in a member state (unless used only for transit through that member state).
 
(footnotes omitted)
 
Subscribers to www.Lexis.com may purchase this entire expert commentary here.