ABA Health eSource
June 2009 Volume 5 Number 10

Handle With Care: Implications of Recent FTC Activity to Online Marketing
of Health-Related Products and Services

By Mark Paulding, Hogan & Hartson, Attorney, Washington, D.C.

For more than a decade advertisers have been drawn to the Internet by, among other things, the wealth of behavioral information that can be gleaned from Internet users. Access to this information is made possible by the use of technologies, such as cookies and web beacons, by advertising networks to track the movements of an Internet user across multiple websites over extended periods of time. The data collected can be used to populate profiles of consumer behavior, interests, and demographics. 1 These profiles, in turn, are used to target marketing messages to consumers. This practice, sometimes referred to as online behavioral advertising, has become a source of increasing concern among consumer advocates and lawmakers.

A significant issue for advocates and lawmakers is that the tracking process is largely invisible to the average Internet user, raising concerns that consumers are disclosing personal information in a manner to which they might object if given clear notice. Historically, website privacy policies have been used to disclose how information about visitors is collected and used, but there is a growing belief that such policies are too long and legalistic and, as a result, do not provide adequate notice to consumers. In response to these and other concerns, self-regulatory organizations, such as the Network Advertising Initiative (“NAI”), have developed standards for online advertising. 2

The Federal Trade Commission (“FTC”), which has been monitoring behavioral advertising since the late 1990s, initially endorsed the concept of industry self-regulation, but the goodwill of the agency on this issue has eroded over time. Recently, the FTC published a report (“the Staff Report”) containing Self Regulatory Principles for Online Behavioral Advertising (“the FTC Principles”). 3 While the FTC Principles are not the result of a formal rulemaking, they do provide a clear indication of the FTC’s views and possible enforcement agenda in the future. In a concurring statement, Commissioner (now Chairman) Jon Leibowitz stated that this “could be the last clear chance to show that self-regulation can – and will – effectively protect consumers’ privacy.” 4 In a notable warning, Chairman Leibowitz signaled that the failure of self-regulation “will certainly invite legislation by Congress and a more regulatory approach by our Commission.” 5

Perhaps the most notable development within the Staff Report is that the FTC has moved away from drawing a clear distinction between the collection and use of personally identifiable information (“PII”) 6 and anonymous behavioral data. The FTC Principles apply to any behavioral data collected for advertising purposes, whether it contains PII or not. The Staff Report notes that the distinction between PII and non-PII is less meaningful in the context of online behavioral advertising and that both PII and non-PII present privacy concerns. 7 As a result, the FTC Principles call for a number of practices previously reserved for PII.

While the FTC Principles have significant implications for all online behavioral advertising, 8 they may pose particular challenges for health-related advertising. The FTC Principles call for affirmative express consumer consent for the collection of sensitive information for behavioral advertising. While sensitive information is undefined, the Staff Report indicates that health information, such as medications and diseases, is included. 9

Many advertisers and advertising network operators criticized the sensitive information provision on the grounds that sensitive information is already subject to regulation. For example, health information that can be connected to an individual may be governed by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Nonetheless, the Staff Report concluded that “existing statutory regimes do not address most types of online behavioral advertising.” 10 Although the Staff Report does not elaborate on the basis for this conclusion, one explanation could be the fact that HIPAA is restricted to “covered entities,” which include health plans, health care clearinghouses, and certain health care providers, and certain business associates. 11 Many companies involved in the advertising of health products and services may not be HIPAA covered entities or business associates. For example, medical device manufacturers may use or wish to use online behavioral data to target advertisements for their products. Furthermore, the data commonly collected for online behavioral advertising may not be subject to HIPAA because it does not rise to the level of individually identifiable health information. The Staff Report is clear that the FTC Principles apply to behavioral information that does not identify an individual.

The Staff Report encourages industry, consumer advocates, and other stakeholders to develop more specific standards defining the scope of sensitive information, including determining if there are any types of sensitive information that should never be used in online behavioral advertising. The recently released 2008 NAI Principles include “[p]recise information about past, present, or potential future health or medical conditions or treatments, including genetic, genomic, and family medical history” within the definition of sensitive consumer information and require affirmative consent for its use in online behavioral advertising. 12 While the Staff Report discusses the 2008 NAI Principles, praising and criticizing them in roughly equal part, this particular provision was not addressed. Moreover, the 2008 NAI Principles are only directly applicable to NAI members. Whether other entities, particularly advertisers and website publishers, adopt similar standards is yet to be determined. Health care organizations active in Internet advertising should ensure that they are participating in the dialogue in order to protect their interests.

In practice, the FTC Principles call for websites where health-related online behavioral advertising data is collected to adopt mechanisms to acquire affirmative consumer consent. For example, a website may present an interstitial screen that concisely discloses the collection of health information for advertising purposes and requests the user’s consent before allowing access to any webpage where behavioral data is collected. Cookies may be used to memorialize the user’s choice, but if the cookie is deleted for any reason the website would likely be expected to acquire affirmative express consent again. Affected website publishers should also ensure that the consent mechanism is not circumvented by common browser features such as pop-up blockers. Affirmative consent mechanisms for more complex relationships (e.g., websites that contain embedded content from multiple publishers) and platforms with more limited functionality (e.g., mobile devices) present complications that are not addressed in the Staff Report or FTC Principles.

The obligations of the FTC Principles fall explicitly on website publishers. Thus, health informational websites, company billboard websites, and search engines are among the properties most directly affected. However, the FTC Principles do not restrict FTC authority to pursue enforcement actions under the deceptive and unfair trade practices provisions of the FTC Act. Therefore, advertising networks and advertisers could be the targets of enforcement actions for maintaining, selling, and/or purchasing access to behavioral profiles containing sensitive health information if it was not originally collected in a manner consistent with the FTC Principles. Pharmaceutical companies, medical device manufacturers, and health plans that may wish to use behavioral profiles to target advertising for their products and services should carefully examine their advertising practices to determine whether they can be operated in a manner consistent with the FTC Principles.

All the foregoing being stated, there are three important limitations to the FTC Principles. First, the FTC Principles apply only to data collected for the purposes of advertising. Other uses of behavioral information, from fraud prevention to website analytics, are exempt. 13

Second, first party advertising, where data is not shared with third parties, is not subject to the FTC Principles. A website publisher may track visitors on its website and target marketing messages to those users based on that activity. In addition, a website publisher may share behavioral data with a third party service provider to deliver advertising based on a visitor’s behavior on the website or for other legitimate non-advertising purposes. 14

The sharing of behavioral data between affiliated websites is permitted if the relationship between the websites is “sufficiently transparent and consistent with reasonable consumer expectations.” 15 As an example, the Staff Report states that it may be reasonable to expect that “Citibank and Citifinancial are closely linked entities, the link between affiliates Smith Barney and Citibank is likely to be much less obvious.” 16 This example indicates that the FTC Staff intends the exception to be narrow, posing challenges for many common Internet marketing practices. For example, pharmaceutical companies occasionally launch websites for specific branded products. In light of the example in the Staff Report, it may not be possible to apply the first party advertising exception to the sharing of behavioral data between such websites for advertising purposes. Unfortunately, the Staff Report provides little further insight on this issue other than to acknowledge that determining whether an affiliate relationship is sufficiently transparent and consistent with consumer expectations “will depend upon the particular circumstances.” 17

Third, the FTC Principles do not apply to contextual advertising, where an ad is based on a single website visit or search query. This exception is narrowly tailored so that “[w]here a practice involves the collection and retention of consumer data for future purposes beyond the immediate delivery of an ad or search result” the FTC Principles would apply. 18

In conclusion, health-related advertisers and website publishers should carefully examine their online advertising practices in order to determine whether they constitute online behavioral advertising and, if so, whether they are consistent with the FTC Principles. Based on this determination, steps should be taken to adjust practices to best protect company interests and support effective industry self-regulation. The FTC Principles are an indicator of the likely FTC enforcement agenda regarding online advertising and may presage future congressional legislation and/or formal rulemaking efforts.

1 The data typically collected in the process of online behavioral advertising includes (among other data elements) the identification code of a persistent cookie; referring URL; user’s IP address; computer operating system and browser; and keywords or codes within a webpage that classifies its content.

2 NAI is a self regulatory organization established by leading network advertisers and web analytics service providers to establish standards for the collection and use of online consumer data and provide a centralized opt-out procedure for member organizations.

3 See FTC Staff Report: Self Regulatory Principles for Online Behavioral Advertising (Feb. 2009), available at this link.
4 Concurring Statement of Commissioner Jon Leibowitz, FTC Staff Report: Self Regulatory Principles for Online Behavioral Advertising, available at this link (Feb. 2009).
5 Id.; see also Communications Networks and Consumer Privacy: Recent Developments: Hearing Before the Subcomm. on Commc’ns, Tech., and the Internet Hearing, 111th Cong. (2009) (statement of Congressman Rick Boucher) (announcing intention to develop legislation addressing online privacy protections), available at this link.
6 Traditionally, PII includes data elements such as: name, Social Security Number, mailing address, e-mail address, and/or telephone numbers.
7 See Staff Report at 21-22.
8 For example, the FTC Principles call for clear notice of information practices and explicitly suggest that website publishers use methods more direct and comprehensible than privacy policies. The FTC Principles also call for affirmative consent for any material retroactive change in information practices and limited retention of behavioral data. The FTC Principles also call for the provision of reasonable security for behavioral advertising data, which would include sensitive health data. While most companies that collect, use, and/or store behavioral advertising data should already have a comprehensive information security program in place, anonymous behavioral data may not be incorporated into such a program. Moreover, providing reasonable security could be a significant undertaking with regard to health-related data since security requirements are scalable depending upon the “sensitivity of the data, nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company.” Staff Report at 46-47.
9 See Staff Report at 44.
10 Id.
11 The HITECH Act, title XIII of the American Recovery and Reinvestment Act, extends certain elements of HIPAA directly to business associates.
12 See Network Advertising Initiative, 2008 NAI Principles: The Network Advertising Initiative’s Self-Regulatory Code of Conduct (Dec. 16, 2008), available at this link.
13 See Staff Report at 27.
14 See id. at 28, fn. 58.
15 Id. at 28-29, fn. 59.
16 Id.
17 Id.
18 See id. at 30.
