Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Consumer Privacy

FTC: Opt-Out Should Mean Opt-Out

The Federal Trade Commission (FTC) yesterday announced a settlement with Chitika, Inc. over its failure to honor consumers’ choice in contravention of representations made in its online privacy policy. The announcement is notable in that it comes in the wake of the FTC’s December 2010 Preliminary Staff Report and is the FTC’s first consent settlement relating to privacy with an online advertising network. As disclosed in its website privacy policy, Chitika offered consumers the choice of opting-out of its online network advertising. However, Chitika did not disclose to consumers that the opt-out cookie would expire and disappear from their browsers only 10 days after being set. The FTC therefore believes Chitika’s actions were false and misleading, constituting deceptive trade practices in violation of Section 5 of the FTC Act.     

As an online advertising network, Chitika matches advertising space on websites that participate in its network (publishers) to advertisers that seek to target online advertisements to consumers more likely to respond to them. As alleged in the FTC’s complaint, Chitika is able to facilitate targeted online advertising through the use of a tracking cookie that it places on the web browsers of consumers when they visit a participating network publisher’s website (or where a cookie has previously been set on a consumer’s browser, Chitika retrieves the cookie upon a user’s return to a participating publisher’s website). Chitika adds a consumer’s web browsing activities and sometimes search terms to the cookies. Chitika is then able to sell advertising space on the publisher websites to advertisers seeking to target consumers whose browsing activities identify a desired target audience.

Chickita’s alleged deceptive practices arise from its website privacy policy disclosures. Although Chickita’s activities were not visible to an average consumer visiting its network publisher websites, the company maintains a privacy policy on its own website.  That policy explained its use of cookies and offered consumers the choice to opt-out of Chitika cookies through a button labeled “Opt-Out.” Upon clicking that button, Chitika set an “opt-out cookie.” While in effect, the opt-out cookie prevented Chitika from setting new tracking cookies, did not allow new information to be added to previously set cookies, and did not allow existing tracking cookie data to be used for ad targeting. However, from at least May 2008 through February 2010, the opt-out cookie expired after 10 days. The FTC alleged that the privacy policy as well as a statement on the Chitika website stating “You are currently opted out” after a consumer clicked the “Opt-out” button were false and misleading. 

 

After being contacted by the FTC, Chitika changed the expiration date on its cookies from 10 days to 10 years prospectively, effective March 1, 2010. This change had no affect on cookies set before that date. Regarding specific measures under the settlement terms and proposed order, the order lasts for twenty years and Chitika:  

 

o        will not misrepresent the extent of its data collection and consumers’ ability to control that collection and subsequent use or sharing of data;

o        must place a “clear and prominent notice with a hyperlink on the homepage of its website that states: ‘We collect information about your activities on certain websites to send you targeted advertisements. To opt out of Chitika’s targeted ads, click here’”; 

o        shall, for a one year period include an additional disclosure on its homepage near the disclosure above stating “[i]f you opted out of our targeted ads before March 1, 2010, the opt-out has expired and you must opt out again to avoid targeted ads.”

o        must ensure that the mechanism to prevent further targeted ads remains in place for five years from the opt-out;

o        will disclose near the opt-out mechanism “(1) that Chitika collects information about consumers’ activities on certain websites to deliver targeted ads; (2) that by opting out, Chitika will not collect this information to deliver such ads; (3) consumers’ current choice status (i.e., whether opted in or opted out of tracking); and (4) that consumers’ choice is specific to the browser they are using”;

o        must ensure that within any behaviorally targeted ad there is a link titled “Opt out?”, when consumers place their cursor over the link it clearly and visibly states “Opt-out of Chitika’s targeted ads,” and when clicked, the link takes consumers to the opt-out mechanism;

o        is prohibited from “using, selling, or transferring ‘any information that can be associated with a Chitika user or a Chitika user’s computer or device’ that the Company obtained prior to March 1, 2010, Chitika must delete such information from its cookies, and Chitika must delete any other information in its files that could be used with such information to associate “a particular consumer or that consumer’s computer or device.”

 

This settlement is particularly noteworthy in that businesses have been looking for signals as to how network advertisers can convey clear and concise choice to consumers consistent with FTC expectations. While the settlement terms addressing consumer disclosures are clearly remedial actions for Chitika, they provide some guidance outside of the frameworks established by self-regulatory programs, such as the Advertising Option Icon established by the Digital Advertising Alliance. Also, while the FTC’s Complaint notes that Chitika’s cookies include unique identification numbers for tracking, there were no allegations that personally identifiable information was involved and the FTC did not identify as deceptive any privacy policy statements referring to tracking being anonymous. Although this settlement involves a straightforward deceptive practices action, this further highlights the FTC’s view that the distinction between personally identifiable information and non-personally identifiable information is diminishing.