Note: The information contained in this document is for informational purposes only and should not be considered legal advice. This document may or may not reflect the most current legal developments and is not promised or guaranteed to be correct or complete. The purpose of this guide is to help digital advertisers and marketers become aware of the basic regulations that govern the industry. It is not intended to be comprehensive in its explanation of these requirements, but rather to exemplify some of their important aspects.
The most prominent requirement to be aware of as an advertiser or marketer is Section 5 of the FTC Act, which states “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” Advertisements or claims that misrepresent or omit information that would be material to consumers could be considered “deceptive.” Ads that cause economic injury could be considered “unfair.” Advertisers must be able to substantiate advertising claims, express and implied, with “competent and reliable” evidence, including scientific data in some circumstances. The FTC has issued guidance to help advertisers comply with the Section 5 requirements. Additionally, the FTC recently updated its Dot Com Disclosures. These were first released in 2000 to provide guidance on how FTC statutes, rules, and guides apply to online advertising and sales. In 2013 the guidance was updated to account for technological changes from the preceding 13 years and to further establish the FTC’s criteria for evaluating online advertising and sales.
Publishers and app developers should be aware that claims made on a website or app also are subject to FTC enforcement authority. The FTC has applied its “unfair and deceptive” standards to disclosures and omissions in website and app privacy policies. To comply with FTC law, commercial websites and apps must not misrepresent, omit, or mislead consumers through their privacy policies. The FTC provides case highlights from previous consumer privacy consent orders to help companies better understand acceptable online practices.
With regard to mobile app policy, the FTC has published a guide to help mobile app developers adhere to basic privacy principles. Outlined in the guide are basic principles that should be considered when developing an app. They include, but are not limited to, the following: tell the truth about what the app can do, disclose key information clearly and conspicuously, build privacy considerations into the app from the start, offer choices that are easy to find and easy to use, honor your privacy promises, protect kids’ privacy, collect sensitive information only with consent, and keep user data secure. For a comprehensive list of these guidelines and a detailed explanation of each, please refer to the FTC’s guide “Marketing Your Mobile App: Get It Right from the Start”.
Forty-six states have laws on breach notification (as of July 1, 2013, all but Alabama, Kentucky, New Mexico, and South Dakota). Sixteen states have laws addressing spyware. Over 15 states have sectoral laws addressing the processing of financial, health, and insurance information. The following list highlights several prominent state laws that include requirements beyond breach notification. This list is not comprehensive.
- Requires any person who collects Social Security numbers in the course of business to adopt a privacy protection policy. The policy must be posted on a web page and must be designed to protect the confidentiality of Social Security numbers, prohibit unlawful disclosure of Social Security numbers, and limit access to Social Security numbers.
- Requires every person who owns or licenses personal information about a resident of Massachusetts to “develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards…”
- Requires data collectors that accept payment cards and are doing business in Nevada to comply with the Payment Card Industry Data Security Standard. The law also prohibits businesses from electronically transmitting a customer’s personal information “outside of the secure system of the business,” or moving any data storage device containing a customer’s personal information “beyond the logical or physical controls” of the business unless the transmission or data storage device is encrypted.
- Requires businesses to notify consumers when they intend to sell nonpublic personal information to a third party.
The Digital Advertising Alliance (DAA) Self-Regulatory Program is designed to help protect consumers’ ability to exercise notice and choice in ad-supported online media (i.e., the right to be notified of data collection and the choice of whether or not to consent to the collection). The DAA consists of the American Advertising Federation (AAF), American Association of Advertising Agencies (4A’s), the Association of National Advertisers (ANA), the Direct Marketing Association (DMA), the Network Advertising Initiative (NAI) and the Interactive Advertising Bureau (IAB) in conjunction with the Council of Better Business Bureaus (CBBB).
Currently, the DAA Self-Regulatory Program has issued Principles covering three areas: online behavioral advertising, the collection and use of multi-site data, and the collection and use of data in the mobile environment.
To find out how to participate in this program, visit the DAA’s website.
There are other self-regulatory programs and standards that exist to improve notice and choice for consumers. The IAB also provides a number of best practice standards to which all of its members can adhere. For example, the IAB Native Advertising Playbook sets industry disclosure principles around native advertising. The Network Advertising Initiative (NAI) Code of Conduct requires members to provide notice and choice to consumers, and limits the types of data members can use for advertising purposes.
The FTC investigates companies in violation of federal privacy statutes and FTC regulations, requiring respondents to come into compliance and to enter into long-term consent decrees. If a respondent fails to comply, the FTC may sue and seek civil penalties. An overview of the FTC’s investigative and law enforcement authority is available on the FTC’s website.
State laws are enforced by the respective state’s Attorney General, and penalties vary by state. State Attorneys General often have concurrent enforcement authority with the FTC to enforce certain federal statutes.
Some laws provide for a private right of action, which means that individual consumers have the right to sue a company for violations. When these rights exist, a violation risks class action litigation, where a lawsuit is brought on behalf of all consumers allegedly affected.
The industry self-regulatory rules are administered and enforced by the Digital Advertising Alliance (DAA). The Council of Better Business Bureaus (CBBB) and The Direct Marketing Association (DMA) work cooperatively to ensure accountability and enforcement of the DAA Self-Regulatory Program Principles. When there is a possible violation by a member company that has announced its adherence to the Principles, companies will work with the DAA to come into compliance with the self-regulatory Principles. If a company fails to cooperate, it faces possible suspension or expulsion from membership. If you would like to learn more about Program enforcement, or to report a complaint, see the enforcement section of the DAA’s website.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to healthcare providers, insurers, and third-party business associates who handle and process health and medical information. Some of the provisions of the HIPAA Privacy Rule are listed below:
- Providing a detailed privacy notice at the date of first service delivery
- Obtaining authorizations for use and disclosure for certain purposes outside the scope of treatment, payment, and operations
- Making reasonable efforts to limit the use and disclosure of private health information to the minimum necessary to accomplish the entity’s intended purpose
- Allowing individuals to access and copy their own private health information
- Creating administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of private health information.
In addition to the HIPAA Privacy Rule, the HIPAA Security Rule establishes minimum security standards for covered entities that handle electronic private health information. These standards are enumerated below:
- Ensure the confidentiality, integrity, and availability of all electronic private health information the covered entity creates, receives, maintains, or transmits
- Protect against any reasonably foreseen threats or hazards to the security or integrity of the electronic private health information
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule
- Ensure the entity’s workforce complies with the Security Rule.
When creating a reasonable level of security (as stated in the Security Rule), it is imperative that the covered entity accounts for the following factors:
- The size, complexity, and capabilities of the covered entity
- The covered entity’s technical infrastructure, hardware, and software security capabilities
- The cost of security measures
- The probability and criticality of potential risks to electronic protected health information.
The Children’s Online Privacy Protection Act of 1998 (COPPA) regulates the online collection and use of children’s personal information by commercial website operators. This applies both to the operators of commercial websites and online services directed to children under the age of 13 (including mobile application developers) and the general-audience websites and online services that have actual knowledge they are collecting personal information from children under the age of 13. The FTC considers many aspects of a website or app to determine whether it is directed to children and must comply with COPPA regulations, including the following factors: the subject matter; visual or audio content; the age of models on the site or app; language; whether advertising on the website or app is directed to children; information regarding the age of the actual or intended audience; and whether a site or app uses animated characters or other child-oriented features.
If an online service (website or app) is directed to children (as defined under COPPA), it is required to do the following, among other things:
- Post a clear and prominent link to a privacy notice on the homepage of the website and link to the privacy notice on every page where personal information is collected from children under 13. For apps, link to a privacy notice that is clearly and conspicuously available within the app and where the app is downloaded or purchased. COPPA requires specific disclosures in these privacy notices.
- Notify parents of the site or app’s information collection practices
- Obtain verifiable parental consent prior to collecting children’s “personal information” as defined by the FTC’s COPPA regulations.
- Allow parents to choose whether their children’s personal information will be disclosed to third parties
- Provide parents access to and the opportunity to delete their children’s personal information, and opt out of future collection or use of the information
- Refrain from conditioning a child’s participation in a game, contest, or other activity on the child’s disclosing more personal information than is reasonably necessary to participate in the activity
- Maintain the confidentiality, security, and integrity of personal information collected from the children.
In addition to COPPA, certain states have adopted additional laws regarding children’s privacy. Most notably, California’s “Eraser Button” law (SB 568) further restricts the types of content that can be advertised to minors (persons under the age of 18) residing in California, and requires that they be able to remove content they posted on the website. This law goes into effect on January 1st, 2015.
To encourage self-regulation of COPPA rules, the FTC created a “safe harbor” provision allowing industry groups to create self-regulatory guidelines for participating companies. The FTC has approved five safe harbor programs that implement COPPA protections, beginning with the Children’s Advertising Review Unit (CARU) of the Better Business Bureau. The approved self-regulatory safe harbor programs are listed here.
There are several pieces of legislation that focus on the privacy of financial information:
- The Fair Credit Reporting Act (FCRA) regulates the consumer reporting industry and establishes privacy rights in consumer reports. This covers any agency that evaluates a consumer based on creditworthiness, reputation, and character to determine eligibility for credit, insurance, employment, or other purposes outlined in the statute.