Self-Regulatory Programs

The emergence of e-commerce in the late 20th century has allowed for the creation of a continually expanding online marketplace. However, the ease with which online companies can collect information from their customers has raised concerns about consumer privacy. The advantage of self-regulation as a means of addressing this issue is considered to be that it provides the necessary flexibility to address evolving online business models.

Online Behavioral Advertising (OBA) involves the tracking of consumers’ online activities in order to deliver personal advertising. This practice allows business to specifically target their advertisements towards individual customers. The data collected is generally not personal identity information, but data relating to their browsing history. The below principles have been drafted from a number of sources and are intended as a means of applying consumer-friendly standards to OBA.


The Federal Trade Commission (FTC) published their “Self-regulatory principles for online behavioral advertisements.” Their principles are:

i)                    Transparency and Consumer Control

Every website where data is collected should provide a clear, concise, consumer-friendly, and prominent statement that (i) data about consumers’ activities online is being collected for use in providing advertisements about products and services tailored to individual consumers’ interests, and (ii) consumers can choose whether or not to have their information collected for such purposes.

Furthermore, where the data collection occurs outside the traditional website context, the FTC recommends that companies “develop alternative measures of disclosure and consumer choices that meet the standards required.”

The Better Business Bureau (BBB) recommends that compliance with this principle will result in new links and disclosures on the web page or advertisement where online behavioral advertising occurs. It will offer consumers the ability to exercise choice regarding the collection and use of data for online behavioral advertising.

The BBB Transparency and Consumer Control Principles also have provision for Service Providers (ISPs). These provide that ISPs must provide additional notice regarding the online behavioral advertising that occurs by use of their services, obtain the consent of users before engaging in online behavioral advertising, and take steps to de-identify the data used for such purposes.

ii)                   Reasonable security, and limited data retention, for consumer data

Companies should provide reasonable data security measures so that behavioral data does not fall into the wrong hands, and should retain data only as long as necessary for legitimate business or law enforcement needs. The FTC states that “the protections should be based on the sensitivity of the data [and] the nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company.”

iii)                 Affirmative express consent for material changes to existing privacy promises

Before a company uses previously collected behavioral data in a manner that is materially different from promises made when the company collected the data, it should obtain affirmative express consent from the consumer.

The FTC states that this principle is limited to retroactive changes. Therefore it would not include prospective changes, such as where a company may change its privacy policy and then collect and use new data under the new policy.

iv)                 Affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising

Although the FTC did not provide any definition of ‘sensitive data’, they stated that the most prominent examples included financial data, data about children, health information, precise geographical location information, and Social Security numbers.

The BBB stated that the heightened protection for children’s data should be taken into consideration along with the protective measures contained in the Children’s Online Privacy Protection Act 1998.


Further to these principles, the BBB considered a number of further principles to be advantageous in promoting self-regulation.

v)                  Educate consumers and businesses about online behavioral advertising.

The National Telecommunications & Information Administration (NTIA) states that “public education is essential to assessing and shaping attitudes. When people can be presented with rationale for the collection of such data, and the safeguard provided, an appropriate balance between collection and privacy can be struck.”

vi)                  Entities involved in OBA advertising should be accountable and should implement policy programmed to further adhere to these principles.

The BBB calls for programs to have mechanisms by which they can police entities engaged in online behavioral advertising and help bring these entities into compliance. Programs will also publicly report instances of uncorrected violations.


The above principles are the most widely accepted relating to self-regulation. At the outset, it was stated that self-regulation provided businesses with the flexibility to apply regulations. However, it is debatable whether privacy self-regulation is ever likely to fully succeed in its goals. Without legislation or regulation to make companies accountable, how can customers be assured that their data is secure? At present, the FTC has no effective means of statutory regulations due to limits on its authority. However, the sheer size of the internet makes it unlikely that sufficiently secure regulations can ever be fully applied and advances in technology could mean that regulations would become obsolete almost as soon as they are published.


This article takes a look at common principles that relate to self-regulation. The article explores how self-regulation offers the advantage of providing the necessary flexibility to address evolving online business models. The article also briefly explores the FTC’s “Self-regulatory principles for online behavioral advertisements.”

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/United States (CIPP/US) exam,  a privacy professional should be comfortable with topics related to this post, including:

  • Self-regulatory programs and trust marks (I.A.d.vii.)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>