The Federal Trade Commission’s recently finalized settlement with ScanScout is ostensibly about the company’s use of Flash cookies, the practice that led to the enforcement action. But as is often the case, the consent decree also sets out requirements that give every company, not just ScanScout, guidance on how the FTC thinks the opt-out process for behavioral targeting should work.
If your company tracks users across websites for marketing purposes, how does your notice-and-choice process stack up to the FTC’s Seven Opt-out Rules?
- You must provide a link to your opt-out from your homepage, worded like this: “We collect information about your activities on certain websites to send you targeted ads. To opt out of our targeted advertisements click here.” This link can lead to a page with more details, but the user must then be able to complete the process in no more than one additional click.
- Your opt-out must operate to prevent collection of any data “that can be associated with a particular user,” which would include cookies and IP addresses, except for expressly permitted purposes (see below). Note: the FTC is talking here about the collection of data, not just the targeting of ads.
- Your opt-out must contain specific points of disclosure:
  - You collect information about users’ activities across websites to target ads,
  - If the user opts out, you won’t collect this information for ad targeting purposes,
  - The user’s current status, read from their cookies (“opted out” or “not opted out”), and
  - The circumstances that can disable the opt-out (“e.g., use of a different browser, use of a different device, or deletion of cookies”).
- Your opt-out must prevent use of “previously collected data,” as to that user or device. This can be accomplished by replacing any unique cookie identifier with a generic, non-unique indicator (cookie text = “opt out”) or a new unique ID that cannot be matched with the ID in place before the opt-out.
- Your opt-out must prevent your processes from redirecting data to other parties. This means that if other companies piggyback on your tags, those piggyback calls must be turned off for opted-out users.
- For each individual opted-out user, you must limit how you use data that you continue to collect. The permitted uses are limited to:
  - Frequency capping (how many times the user has seen or responded to an ad),
  - Fraud prevention (not defined, but this could include means to spot fraudulent clicks),
  - Providing a service requested by the user (although it’s hard to think of an example), or
  - Verifying the user’s age (for age-restricted ads).
- You must limit the period of retention of any data about opted-out users to “no longer than reasonably necessary” for the permitted purpose (and no longer than 24 hours or the current browsing session, in the case of the user’s age). This may mean a different length of data retention depending on the permitted purpose (for example, frequency capping data couldn’t be retained longer than the life of the campaign).
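The cookie mechanics behind three of these rules (reading the current status from the cookie, replacing the unique ID with a generic “opt out” value so previously collected data cannot be joined to the device, and suppressing piggyback tags for opted-out users) fit in a few functions. The code below is an added example written for this page, not ScanScout’s code and not anything prescribed by the FTC order; the cookie name `uid`, the marker value `OPT_OUT`, the five-year marker lifetime and the partner pixel URL are all assumptions chosen for illustration. It also shows the caveat from the disclosure rule: a browser that has deleted the cookie is indistinguishable from a new browser, so the opt-out silently disappears and a fresh ID is issued.

```python
"""Illustrative opt-out cookie handling for a behavioral-advertising tag server.

Added example for this page; not ScanScout's code and not text from the FTC order.
Assumptions: the tracking cookie is named "uid", the generic opt-out marker is
"OPT_OUT", and the marker is kept for five years.
"""
import secrets
from http.cookies import SimpleCookie

ID_COOKIE = "uid"                        # assumed name of the tracking cookie
OPT_OUT_VALUE = "OPT_OUT"                # generic, non-unique value that replaces the ID
OPT_OUT_MAX_AGE = 5 * 365 * 24 * 3600    # assumption: keep the opt-out marker five years
ID_MAX_AGE = 365 * 24 * 3600             # assumption: tracking ID lives one year


def read_cookies(cookie_header):
    """Parse a raw Cookie request header into {name: value}; None/"" gives {}."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def opt_out_status(cookie_header):
    """Status string the opt-out page must display, read from the user's own cookies."""
    cookies = read_cookies(cookie_header)
    return "opted out" if cookies.get(ID_COOKIE) == OPT_OUT_VALUE else "not opted out"


def _set_cookie(value, max_age):
    """Build a Set-Cookie header value for the tracking cookie."""
    jar = SimpleCookie()
    jar[ID_COOKIE] = value
    jar[ID_COOKIE]["max-age"] = max_age
    jar[ID_COOKIE]["path"] = "/"
    jar[ID_COOKIE]["secure"] = True
    jar[ID_COOKIE]["httponly"] = True
    return jar[ID_COOKIE].OutputString()


def opt_out_set_cookie():
    """Set-Cookie that overwrites the unique ID with the generic marker.

    The old ID no longer exists in the browser, so data collected under it can no
    longer be matched to this device on later requests.
    """
    return _set_cookie(OPT_OUT_VALUE, OPT_OUT_MAX_AGE)


def handle_tag_request(cookie_header, piggyback_urls):
    """Decide what a tag (pixel) request may do for this browser.

    Returns a dict with: the status to report, whether user-associable data may be
    collected, which piggyback partner URLs may be fired, and the Set-Cookie to send.
    """
    cookies = read_cookies(cookie_header)
    current = cookies.get(ID_COOKIE)

    if current == OPT_OUT_VALUE:
        # Opted out: no collection, no piggyback redirects, and refresh the marker so
        # it does not expire before the tracking cookie would have.
        return {
            "status": "opted out",
            "collect": False,
            "piggyback": [],
            "set_cookie": opt_out_set_cookie(),
        }

    if current is None:
        # No cookie at all. A browser that deleted its cookies looks exactly like a
        # new browser, so a prior opt-out is lost here; this is the "deletion of
        # cookies" circumstance the notice must disclose.
        current = secrets.token_urlsafe(16)

    return {
        "status": "not opted out",
        "collect": True,
        "piggyback": list(piggyback_urls),
        "set_cookie": _set_cookie(current, ID_MAX_AGE),
    }


if __name__ == "__main__":
    # Constructed sample requests: an opted-out browser, a tracked browser, a cookieless one.
    partner = ["https://partner.example/pixel"]  # assumed piggyback partner URL
    for header in ("uid=OPT_OUT", "uid=abc123", ""):
        print(repr(header), "->", handle_tag_request(header, partner))
```

The partner list is passed in explicitly so the decision to suppress piggyback calls is made in one place; if the real tag server builds redirect chains elsewhere, that code must consult the same status check rather than re-reading the cookie on its own.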