2013 ANA Advertising Law & Public Policy Conference

The exciting potential of R(eal) T(ime) M(arketing) and other new tools that use computer algorithms: just don't forget about some legal implications.

By Keri S. Brucei and Felix Hoferii

Recently we found ourselves debating the explosive attention marketers and related businesses have dedicated, over the past 12 months, to new techniques to target more efficiently their existing or prospective customers. Every day, numerous articles discuss the rapid expansion of the use of Real Time Bidding (RTB), Real Time Marketing (RTM) or some other programmatic buying system. New magazines are even specifically dedicated to the topic. Increasingly, similar words are coined at impressive speed, according to the perspective chosen for approaching the topic.

In the end, however, all these terms and acronyms simply stand for the concept of "delivering the right commercial communication, to the right person, at the right moment (or place) through the right device." Nothing exactly revolutionary or new, as many advertisers have been using advertising that employs online behavioral advertising (OBA) for some time.

The key to RTB is its algorithms. These algorithms, like those that are used in financial high-frequency trading, are subsets of computer programs that make calculations and process and analyze data in real time. In the context of RTB, these algorithms enable marketers to buy media automatically in real time, aggregate the results of a buy, and build on those results over time to identify connections, gain knowledge and optimize marketing plans. It is becoming a game changer for marketers. The technical progress in using very large, diverse data (often referred to as "Big Data") to deliver commercial communication provides not just advantages, but also challenges for advertisers and media and advertising agencies, as well as search engines and Big Data companies.

On one hand, traditional media, such as radio, television, press, outdoor, and sponsored links, face tough competition from new devices (and their applications) such as smart phones and tablets, and new media platforms, such as social media. It has been reported that RTB will grow at a rate of 53 percent per year in the United States between 2011 and 2016i, and that in 2012 RTB accounted for nearly 13 percent of all U.S. display advertising spending.ii According to recent studies, at the end of 2013, mobile search clicks are likely to attract approximately 20 percent 25 percent of the total amount of search clicks. Not such an impressive number by itself, but up by a double-digit number compared with the past year (and deemed to increase at similar speed in near future), which is very impressive.

On the other hand, new technology always goes hand-in-hand with an increased level of sophistication and a need for refined strategies: "predicting" search terms or content will soon be increasingly more important for efficient marketing in an on-line environment. Exciting times are definitely ahead for the advertising industry. But, not all that shines is necessarily made of gold.

The legal implications raised by these more advanced technologies are continuing to get lots of attention from regulators and law makers around the world. Advertisers, agencies, exchanges, publishers, search engines and the like that are taking advantage of RTB should understand the current legal landscape and should properly minimize risk before diving in.

1. The United States approach

   While myriad legal issues can arise when using RTB, regulators, consumers groups and class action lawyers in the United States continue to be highly focused on privacy and data protection in online and mobile environments. The focus on this area is driven by many factors, including the general anxiety consumers have about being "tracked" and wanting to ensure their personally identifiable information (PII) and personal and private data is kept safe. and that it is not shared or used in ways that were not intended or disclosed. While anonymization and aggregation of data has provided some comfort in the past to data sharing, it's not perfect. There are real-life examples of where anonymization of data has failed, thereby allowing such information to be re-identified.iii Further, with the rapid advancement of technology, there is the possibility that re-identifying data may become easier.

   While privacy and the protection of PII is already subject to a variety of U.S. laws and regulations, such as the Graham-Leach-Bliley Act (governs personal information collected by financial institutions), the Health Insurance Portability and Accountability Act (which regulates medical and health information), and numerous state laws, such as the California Online Privacy Protection Act, the online and mobile industries continue to be targeted for new legislation and regulations. In February 2013, U.S. Senator Jay Rockefeller introduced a law coined the "Do-Not-Track Online Act of 2013," which would require all web browsers, online companies, and app makers to give users a choice of opting out of being tracked online.iv In addition to laws and regulations directly relating to data protection in certain industries, other federal laws come into play and have been the basis of litigation and regulatory investigations, including:

   Electronic Communications Privacy Act (ECPA), which prevents tracking and access to user behavior without consentv Federal Wiretap Actvi, part of the ECPA that provides for statutory damages if the contents of electronic communications are intentionally intercepted using a device Stored Electronic Communications Actvii, which provides penalties for anyone who "intentionally accesses without authorization a facility through which an electronic communication service is provided or ... intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system" Computer Fraud and Abuse Actviii, which is an anti-computer hacking law that prevents tracking of user behavior if it causes economic damage of $5,000 or more Section 5 of the FTC Actix, which prohibits deceptive acts and practices Children's Online Privacy Protection Actx, which was updated in December 2012 to expand privacy protections for children In addition to data and privacy issues, anti-competition concerns can come into play. We've already seen one major investigation by the FTC into whether a search engine's search algorithms and restrictions on use of certain data by advertisers across competitive platforms resulted in anticompetitive practices.xi While anti-competitive practices in the area of RTB may not necessarily pose direct liability for advertisers and agencies, the practices can nevertheless cause harm (and frustration) to advertisers and agencies.

   So, what should advertisers and agencies do to manage risk as they delve into RTB?

   Disclose and Abide By Privacy Policies

   Companies should ensure that they are disclosing their privacy practices and abide by them. Seems simple, but many companies haven't reviewed or updated their privacy policies since they first launched their websites years ago. It's highly likely that the technology used to collect data and their data-sharing practices have evolved since that time. The Federal Trade Commission (FTC) views a company's website terms of use and privacy policy as an express representation to consumers as to how their information and data will be collected, stored and (if applicable) shared. Failure to disclose and abide by a privacy policy can expose a company to an action for unfair and deceptive acts or practices under Section 5 of the FTC Act and similar state laws, and breach of contract claims. For example, in December 2012, the FTC entered into a consent order against a large advertising network that used "history sniffing" technology to track data, including sensitive financial and medical information, about consumers on websites outside of the website's own network. This practice was deceptive because the ad network's privacy policy disclosed only that it would collect information about consumers' visits to websites in its own network.xii Under the terms of the settlement, the ad network must cease "history sniffing" practices and delete and destroy all data collected using it. Also in December 2012, the California attorney general sued an airline for violating the California Online Privacy Protection Act (OPPA) and the state's Unfair Competition Law by failing to conspicuously post a privacy policy on its app, and failing to comply with its own website privacy policy.xiii These are just two of many cases where a company's failure to abide by the terms of its privacy policy had legal implications.

   Privacy policies should be robust and cover all potential data uses and transfers now and in the future so as to reduce the need to revise the policy. Policies should have an effective date or "last revised" date, so that users can identify if and when the policy was changed. Before implementing a revision to a privacy policy, special attention should be paid to whether the change is material and whether it will have an effect on previously collected data. If, for instance, the change will increase the ways in which PII previously collected from users will be used, then express consent to the new change will likely be required before historical data can be used in the new ways. Companies should carefully consider the most effective manner of disclosing a change. For instance, the need for express consent may alter how a change is communicated to users, such as via email, on the website, during check out, etc. Perhaps more importantly, before implementing a change, companies should consider the potential consumer reactions to the change. It's not uncommon for companies to receive backlash from consumers to proposed privacy policy...