Targeted online advertising has been the focus of much discussion since the release of the FTC’s “Do Not Track” proposals late last year. User tracking for advertising purposes is also the focus of the FTC’s latest privacy enforcement action, which has resulted in a consent agreement with an online advertising company, Massachusetts-based Chitika, Inc., which creates ads for such major publishers as the Hearst Corporation and Salary.com.
Chitika uses cookies to track Internet users, so as to display behavioral advertising to them. Chitika allowed users to opt-out of receiving these cookies, but what Chitika didn’t disclose was that the opt-out only lasted for 10 days. The FTC alleged that such a short opt-out period was deceptive and a violation of the FTC Act. The FTC has reached a settlement with Chitika in which Chitika has agreed to honor any user opt-out of tracking for at least 5 years. Chitika has also agreed to display more prominent opt-out mechanisms. The consent agreement prohibits Chikita from misrepresenting the extent of its data collection about consumers or the extent to which consumers can control the collection, use or sharing of their data.
Chitika’s former behavior is a gift to those seeking stricter regulation of online advertising, as it perpetuates the notion that online advertisers are watching you, Big Brother-style. It also supports the arguments that the FTC has made that many privacy policies are not sufficiently clear in their disclosures about user tracking. Even Chitika’s revised privacy policy raises questions for this writer, as it states that Chitika does not collect any “personally identifying user-level information”. However, almost all online operators can and do collect an IP address of the relevant computer, and surely the IP address of any computer that is used by only one person is ultimately “personally identifying” information? This points to the difficulties that many online operators face when they prepare privacy policies. The definition of “personal information” is not always clear, and even the statutes that regulate privacy in the U.S. have inconsistent definitions for this term. Add to that the uncertainty as to exactly how much disclosure is required in a privacy policy, and it is easy to see how companies can get into trouble, even if their errors are not as obvious as Chitika’s.