disadvantage. To resolve these concerns, commenters called on the Commission to provide guidance on how
future practices relate to the “commonly accepted” category.
Similarly, one commenter suggested that
the practices identiﬁed in the preliminary staﬀ report should serve as illustrative guidelines rather than an
exhaustive and ﬁnal list.
Commenters also supported adding additional practices or clarifying that the “commonly accepted”
category includes certain practices. Some industry commenters suggested, for example, expanding the
concept of fraud prevention to include preventing security attacks, “phishing,”
and spamming or to
protect intellectual property.
Other recommendations included adding analytical data derived from
devices that are not tied to individuals, such as smart grid data used for energy conservation and geospatial
data used for mapping, surveying or providing emergency services.
With respect to online behavioral
advertising in particular, some trade associations recommended clarifying that the “commonly accepted”
category of practices includes the use of IP addresses and third-party cookie data when used for purposes
such as “frequency capping,” “attribution measurement,” and similar inventory or delivery measurements
and to prevent click fraud.
More generally, some commenters discussed the “repurposing” of existing consumer data to develop new
products or services. For example, one company supported expanding the “internal operations” category to
include the practice of product and service improvement.
One commenter recommended treating any
uses of data that consumers would “reasonably expect under the circumstances” as commonly accepted.
Another noted that, whether a new use of consumer data should be considered commonly accepted would
depend upon a variety of factors, including the extent to which the new use is consistent with previously
In contrast to the calls for expanding the “commonly accepted” practice categories to cover various
practices, a number of consumer and privacy organizations advocated for a more restrictive approach to
determining the practices that do not require consumer choice. Although agreeing that choice is not
necessary for product and service fulﬁllment, one commenter stated that most of the other practices
enumerated in the proposed framework – including internal operations, fraud prevention, and legal
compliance and public purpose – were vague and required additional description. The commenter called on
172 Comment of eBay, cmt. #00374, at 6-7; Comment of Phorm Inc., cmt. #00353, at 5.
173 See Comment of AT&T Inc., cmt. #00420, at 18.
174 Phishing uses deceptive spam that appears to be coming from legitimate, well-known sources to trick consumers into
divulging sensitive or personal information, such as credit card numbers, other ﬁnancial data, or passwords.
175 See Comment of Microsoft Corp., cmt. #00395, at 8 (security attacks, phishing schemes, and spamming); Comment of Business
Software Alliance, cmt. #00389, at 5-6 (security access controls and user and employee authentication, cybercrime and fraud
prevention and detection, protecting and enforcing intellectual property and trade secrets).
176 See Comment of IBM, cmt. #00433, at 5 (energy conservation); Comment of Management Ass’n for Private Programming
Surveyors, cmt. #00205, at 2-3 (mapping, surveying or providing emergency services).
177 See Comment of Online Publishers Ass’n, cmt. #00315, at 5 (frequency capping, click fraud); Comment of Interactive Advertising
Bureau, cmt. #00388, at 9 (attribution measurement).
178 See Comment of AT&T Inc., cmt. #00420, at 18-19.
179 See Comment of Microsoft Corp., cmt. #00395, at 8.
180 See Comment of Future of Privacy Forum, cmt. #00341, at 5.
the Commission to deﬁne these terms as narrowly as possible so that they would not become loopholes used
to undermine consumer privacy.
One privacy advocate expressed reservations about the breadth of the “internal operations” category of
practices – speciﬁcally, the extent to which it could include product improvement and website analytics.
This commenter stated that, if viewed broadly, product improvement could justify, for example, a mobile
mapping application collecting precise, daily geolocation data about its customers and then retaining the
data long after providing the service for which the data was necessary. Similarly, this commenter noted
that companies potentially could use analytics programs to create very detailed consumer proﬁles to which
many consumers might object, without oﬀering them any choice. This commenter recommended that the
Commission revise the proposed framework’s internal operations category to make it consistent with the
“operational purpose” language contained in H.R. 611 from the 112th Congress, which would include,
among other things, “basic business functions such as accounting, inventory and supply chain management,
quality assurance, and internal auditing.”
The Commission believes that for some practices, the beneﬁts of providing choice are reduced –
either because consent can be inferred or because public policy makes choice unnecessary. However, the
Commission also appreciates the concerns that the preliminary staﬀ report’s deﬁnition of “commonly
accepted practices” may have been both under-inclusive and over-inclusive. To the extent the proposed
framework was interpreted to establish an inﬂexible list of speciﬁc practices, it risked undermining
companies’ incentives to innovate and develop new products and services to consumers, including innovative
methods for reducing data collection while providing valued services. On the other hand, companies could
read the deﬁnition so broadly that virtually any practice could be considered “commonly accepted.”
The standard should be suﬃciently ﬂexible to allow for innovation and new business models but
also should cabin the types of practices that do not require consumer choice. To strike that balance, the
Commission reﬁnes the standard to focus on the context of the interaction between a business and the
consumer. This new “context of the interaction” standard is similar to the concept suggested by some
commenters that the need for choice should depend on reasonable consumer expectations, but is
intended to provide businesses with more concrete guidance. Rather than relying solely upon the inherently
subjective test of consumer expectations, the revised standard focuses on more objective factors related to the
consumer’s relationship with a business. Speciﬁcally, whether a practice requires choice turns on the extent
181 See Comment of Consumer Federation of America, cmt. #00358, at 6.
182 See Comment of Center for Democracy & Technology, cmt. #00469, at 8-9 (citing BEST PRACTICES Act, H.R. 611, 112th
Congress § 2(5)(iii) (2011)).
183 See Comment of Microsoft Corp., cmt. #00395, at 8; Comment of National Cable & Telecommunications Ass’n, cmt. #00432, at
23-26; Comment of Pharmaceutical Research & Manufacturers of America, cmt. #00477, at 13.
to which the practice is consistent with the context of the transaction or the consumer’s existing relationship
with the business, or is required or speciﬁcally authorized by law.
The purchase of an automobile from a dealership illustrates how this standard could apply. In
connection with the sale of the car, the dealership collects personal information about the consumer and his
purchase. Three months later, the dealership uses the consumer’s address to send him a coupon for a free
oil change. Similarly, two years after the purchase, the dealership might send the consumer notice of an
upcoming sale on the type of tires that came with the car or information about the new models of the car.
In this transaction the data collection and subsequent use is consistent with the context of the transaction
and the consumer’s relationship with the car dealership. Conversely, if the dealership sells the consumer’s
personal information to a third-party data broker that appends it to other data in a consumer proﬁle to
sell to marketers, the practice would not be consistent with the car purchase transaction or the consumer’s
relationship with the dealership.
Although the Commission has revised the standard for evaluating when choice is necessary, it continues
to believe that the practices highlighted in the preliminary staﬀ report – fulﬁlment, fraud prevention,
internal operations, legal compliance and public purpose, and most ﬁrst-party marketing
illustrative guidance regarding the types of practices that would meet the revised standard and thus
would not typically require consumer choice. Further, drawing upon the recommendations of several
commenters, the Commission agrees that the fraud prevention category would generally cover practices
designed to prevent security attacks or phishing; internal operations would encompass frequency capping
and similar advertising inventory metrics; and legal compliance and public purpose would cover intellectual
property protection or using location data for emergency services.
It should be noted, however, that
even within these categories there may be practices that are inconsistent with the context of the interaction
standard and thus warrant consumer choice. For instance, there may be contexts in which the “repurposing”
of data to improve existing products or services would exceed the internal operations concept. Thus, where
a product improvement involves additional sharing of consumer data with third parties, it would no longer
be an “internal operation” consistent with the context of the consumer’s interaction with a company. On the
184 As noted above, focusing on the context of the interaction is consistent with the Respect for Context principle in the
Consumer Privacy Bill of Rights proposed by the White House. See White House, Consumer Data Privacy in a Networked
World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy, App. A. (Feb. 2012),
available at http://www.whitehouse.gov/sites/default/ﬁles/privacy-ﬁnal.pdf. The Respect for Context principle requires
companies to limit their use of consumer data to purposes that are consistent with the company’s relationship with the
consumer and with the context in which the consumer disclosed the data, unless the company is legally required to do
otherwise. If a company will use data for other purposes it must provide a choice at a prominent point, outside of the privacy
185 See supra at Section IV.C.1.
186 See supra note 175.
187 With respect to use of geolocation data for mapping, surveying or similar purposes, if the data cannot reasonably be linked
to a speciﬁc consumer, computer, or device, a company collecting or using the data would not need to provide a consumer
choice mechanism. Similarly, if a company takes reasonable measures to de-identify smart grid data and takes the other steps
outlined above, the company would not be obligated to obtain consent before collecting or using the data. See supra Section
other hand, product improvements such as a website redesign or a safety improvement would be the type of
“internal operation” that is generally consistent with the context of the interaction.
b First-Party Marketing Generally Does Not Require Choice, But Certain Practices Raise
The preliminary staﬀ report’s questions regarding ﬁrst-party marketing generated a large number of
comments. As discussed, the Commission has revised the standard for determining whether a practice
requires consumer choice but believes that most ﬁrst-party marketing practices are consistent with the
consumer’s relationship with the business and thus do not necessitate consumer choice. Nevertheless, as a
number of the commenters discussed, there are certain practices that raise special concerns and therefore
merit additional analysis and clariﬁcation.
(i) Companies Must Provide Consumers With A Choice Whether To Be Tracked Across Other
Commenters raised questions about companies and other services that have ﬁrst-party relationships with
consumers, but may have access to behavioral activity data that extends beyond the context of that ﬁrst-party
relationship. For example, in response to the question in the preliminary staﬀ report regarding the use of
deep packet inspection (“DPI”),
a number of commenters cited the ability of ISPs to use DPI to monitor
and track consumers’ movements across the Internet and use the data for marketing.
There appeared to
be general consensus among the commenters that, based on the potential scope of the tracking, an ISP’s use
of DPI for marketing purposes is distinct from other forms of marketing practices by companies that have a
ﬁrst-party relationship with consumers, and thus at a minimum requires consumer choice.
Similarly, commenters cited the use of “social plugins” – such as the Facebook “Like” button – that allow
social media services to track consumers across every website that has installed the plugin.
stated that, as with DPI, consumers would not expect social media sites to track their visits to other websites
or that the proﬁles created from such tracking could be used for marketing.
188 Moreover, even if a given practice does not necessitate consumer choice, the framework’s other elements – e.g., data collection
limits and disposal requirements, increased transparency – would still apply, thereby preventing a company from exploiting
189 Deep packet inspection (“DPI”) refers to the ability of ISPs to analyze the information, comprised of data packets, that
traverses their networks when consumers use their services.
190 See Comment of AT&T Inc., cmt. #00420, at 21-22 & n.34; Comment of Berlin Commissioner for Data Protection & Freedom
of Information, cmt. #00484, at 2-3; Comment of Computer & Communications Industry Ass’n, cmt. #00434, at 15; Comment
of Phorm Inc., cmt. #00353, App. A at 3-4; Comment of U.S. Public Policy Council of the Ass’n for Computing Machinery, cmt.
#00431, at 6.
191 See Comment of Phorm Inc., cmt. #00353, App. A at 3-4; Comment of Center for Democracy & Technology, cmt. #00469, at 14-
15; Comment of AT&T Inc., cmt. #00420, at 21-22 & n.34.
192 See Comment of Consumer Federation of America, cmt. #00358, at 8 (citing Justin Brookman, Facebook Pressed to Tackle
Lingering Privacy Concerns, Center for Democracy & Technology (June 16, 2010), available at https://www.cdt.org/blogs/
justin-brookman/facebook-pressed-tackle-lingering-privacy-concerns); Comment of Berkeley Center for Law & Technology,
cmt. #00347, at 8; see also Arnold Roosendaal, Facebook Tracks and Traces Everyone: Like This!, (Nov. 30, 2010), available at
http://papers.ssrn.com/so13/papers.cfm?abstract_id=1717563 (detailing how Facebook tracks consumers through the Like
button, including non-Facebook members and members who have logged out of their Facebook accounts); Nik Cubrilovic,
Logging Out Of Facebook Is Not Enough, New Web Order (Sept. 25, 2011), http://nikcub.appspot.com/posts/logging-out-of-
The Commission agrees that where a company that has a ﬁrst-party relationship with a consumer for
delivery of a speciﬁc service but also tracks the consumer’s activities across other parties’ websites, such
tracking is unlikely to be consistent with the context of the consumer’s ﬁrst-party relationship with the
entity. Accordingly, under the ﬁnal framework, such entities should not be exempt from having to provide
consumers with choices. This is true whether the entity tracks consumers through the use of DPI, social
plug-ins, http cookies, web beacons, or some other type of technology.
As an example of how this standard can apply, consider a company with multiple lines of business,
including a search engine and an ad network. A consumer has a “ﬁrst-party relationship” with the company
when using the search engine. While it may be consistent with this ﬁrst-party relationship for the company
to oﬀer contextual ads on the search engine site, it would be inconsistent with the ﬁrst-party search engine
relationship for the company to use its third-party ad network to invisibly track the consumer across the
To use another example, many online retailers engage in the practice of “retargeting,” in which the
retailer delivers an ad to a consumer on a separate website based on the consumer’s previous activity on the
Because the ad is tailored to the consumer’s activity on the retailer’s website, it could be
argued that “retargeting” is a ﬁrst-party marketing practice that does not merit consumer choice. However,
because it involves tracking the consumer from the retailer’s website to a separate site on which the retailer is
a third party and communicating with the consumer in this new context, the Commission believes that the
practice of retargeting is inconsistent with the context of consumer’s ﬁrst-party interaction with the retailer.
Thus, where an entity has a ﬁrst-party relationship with a consumer on its own website, and it engages in
third-party tracking of the consumer across other websites the entity should provide meaningful choice to
(ii) Aﬃliates Are Third Parties Unless The Aﬃliate Relationship Is Clear to Consumers.
Several trade organizations stated that ﬁrst-party marketing should include the practice of data sharing
among all of a particular entity’s corporate aﬃliates and subsidiaries.
In contrast, a number of commenters
– including individual companies and consumer advocates – took a more limited approach that would treat
aﬃliate sharing as a ﬁrst-party practice only if the aﬃliated companies share a trademark, are commonly-
branded, or the aﬃliated relationship is otherwise reasonably clear to consumers.
One consumer advocate
also suggested restricting data sharing to commonly-branded aﬃliates in the same line of business so that the
data would be used in a manner that is consistent with the purpose for which the ﬁrst party collected it.
193 See infra at Section IV.C.2.d. (discussing special concerns that arise by comprehensive tracking by large platform providers).
194 For example, a consumer visits an online sporting goods retailer, looks at but does not purchase running shoes, and then visits
a diﬀerent website to read about the local weather forecast. A ﬁrst party engages in retargeting if it delivers an ad for running
shoes to the consumer on the third-party weather site.
195 See Comment of Direct Marketing Ass’n, Inc., cmt. #00449, at 16; Comment of Interactive Advertising Bureau, cmt. #00388, at
8; Comment of National Cable & Telecommunications Ass’n, cmt. #00432, at 24.
196 See Comment of Yahoo! Inc., cmt. #00444, at 11; Comment of IBM, cmt. #00433, at 6; Comment of AT&T Inc., cmt. #00420,
at 20; Comment of Catalog Choice, cmt. #00473, at 10; Comment of Consumers Union, cmt. #00362, at 10-11.
197 See Comment of Consumers Union, cmt. #00362, at 10-11.
The Commission maintains the view that aﬃliates are third parties, and a consumer choice mechanism
is necessary unless the aﬃliate relationship is clear to consumers. Common branding is one way of making
the aﬃliate relationship clear to consumers. By contrast, where an aﬃliate relationship is hidden – such as
between an online publisher that provides content to consumers through its website and an ad network that
invisibly tracks consumers’ activities on the site – marketing from the aﬃliate would not be consistent with a
transaction on, or the consumer’s relationship with, that website. In this scenario consumers should receive a
choice about whether to allow the ad network to collect data about their activities on the publisher’s site.
(iii) Cross-Channel Marketing Is Generally Consistent with the Context of a Consumer’s
Interaction with a Company.
A variety of commenters also discussed the issue of whether the framework should require choice for
cross-channel marketing, e.g., where a consumer makes an in-store purchase and receives a coupon – not at
the register, but in the mail or through a text message. These commenters stated that the framework should
not require choice when a ﬁrst party markets to consumers through diﬀerent channels, such as the Internet,
email, mobile apps, texts, or in the oﬄine context.
In support of this conclusion, one commenter stated
that restricting communications from a ﬁrst party to the initial means of contact would impose costs on
business without any consumer beneﬁts.
The Commission agrees that the ﬁrst-party marketing concept should include the practice of contacting
consumers across diﬀerent channels. Regardless of the particular means of contact, receipt of a message
from a company with which a consumer has interacted directly is likely to be consistent with the consumer’s
relationship with that company.
At the same time, as noted above, if an oﬄine or online retailer tracks a
customer’s activities on a third-party website, this is unlikely to be consistent with the customer’s relationship
with the retailer; thus, choice should be required.
(iv) Companies Should Implement Measures to Improve The Transparency of Data
A large number of commenters discussed whether the practice of data enhancement, by which a
company appends data obtained from third-party sources to information it collects directly from consumers,
should require choice. Some of these commenters speciﬁcally objected to allowing companies to enhance
data without providing consumers choice about the practice.
For example, one academic organization characterized data enhancement without consumer choice
as “trick[ing]” consumers into participating in their own proﬁling for the beneﬁt of companies.
198 See Comment of Yahoo! Inc., cmt. #00444, at 10; Comment of IBM, cmt. #00433, at 6; Comment of AT&T Inc., cmt. #00420,
at 20; Comment of Catalog Choice, cmt. #00473, at 9-10; Comment of Direct Marketing Ass’n, Inc., cmt. #00449, at 16;
Comment of Interactive Advertising Bureau, cmt. #00388, at 8.
199 See Comment of American Catalog Mailers Ass’n, cmt. #00424, at 7.
200 Such marketing communications would, of course, still be subject to any existing restrictions, including the CAN-SPAM Act,
15 U.S.C. §§ 7701-7713 (2010).
201 See Comment of Consumer Federation of America, cmt. #00358, at 10; Comment of Consumers Union, cmt. #00362, at 11.
202 Comment of Berkeley Center for Law & Technology, cmt. #00347, at 9-10.
companies develop new means for collecting data about individuals, this commenter stated, consumers
should have more tools to control data collection, not fewer.
Similarly, a consumer organization explained that consumers may not anticipate that the companies
with which they have a relationship can obtain additional data about them from other sources, such as social
networking sites, and use the data for marketing.
This commenter concluded that requiring companies
to provide choice will necessitate better explanations of the practice, which will lead to improved consumer
Other stakeholders also raised concerns about data enhancement absent consumer choice. One
company focused on the practice of enhancing online cookie data or IP addresses with oﬄine identity data
and stated that such enhancement should be subject to consumer choice.
In addition, a data protection
authority stated that consumers are likely to expect choice where the outcome of data enhancement could
negatively aﬀect the consumer or where the sources of data used for enhancement would be unexpected to
Alternatively, a number of industry commenters opposed requiring consumer choice for data
enhancement in connection with ﬁrst-party marketing. These commenters described data enhancement as
a routine and longstanding practice that allows businesses to better understand and serve their consumers.
Commenters enumerated a variety of beneﬁts from the availability and use of third-party data, including:
development of new or more relevant products and services; ensuring the accuracy of databases; reducing
barriers to small ﬁrms seeking to enter markets; helping marketers identify the best places to locate retail
stores; and reducing irrelevant marketing communications.
One commenter noted that requiring content publishers such as newspapers to oﬀer consumer choice
before buying information from non-consumer-facing data brokers would impose logistical and ﬁnancial
challenges that would interfere with publishers’ ability to provide relevant content or sell the advertising to
Other commenters claimed that, where the data used for enhancement comes from third-party
sources, it was likely subject to choice at the point of collection from the consumer and therefore providing
additional choice is unnecessary.
Taking a similar approach, one company noted that the third-party
source of the data should be responsible for complying with the framework when it shares data, and the
recipient should be responsible for any subsequent sharing of the enhanced data.
203 Id., at 8-10 (describing Williams-Sonoma’s collection of consumers’ zip codes in Pineda v. Williams-Sonoma Stores, Inc., 246
P.3d 612 (Cal. 2011)).
204 Comment of Consumer Federation of America, cmt. #00358, at 10.
205 See Comment of Phorm Inc., cmt. #00353, at 5.
206 See Comment of the Information Commissioner’s Oﬃce of the UK, cmt. #00249, at 3.
207 See Comment of Newspaper Ass’n of America, cmt. #00383, at 7-8; Comment of National Cable & Telecommunications Ass’n, cmt.
#00432, at 24-26; Comment of Experian, cmt. #00398, at 5-6; Comment of Magazine Publishers of America, cmt. #00332, at 4;
Consumer Data Industry Ass’n, cmt. #00363, at 2-3.
208 Comment of Experian, cmt. #00398, at 6; see Comment of Newspaper Ass’n of America, cmt. #00383, at 6-8.
209 Comment of Newspaper Ass’n of America, cmt. #00383, at 7-8.
210 Comment of Experian, cmt. #00398, at 9 (citing the Direct Marketing Association’s Guidelines for Ethical Business Practice);
Comment of Magazine Publishers of America, cmt. #00332, at 5-6.
211 Comment of Microsoft Corp., cmt. #00395, at 8.
The issue of whether a ﬁrst-party marketer should provide choice for data enhancement is particularly
challenging because the practice involves two separate and distinct types of consumer data collection.
One involves the consumer-to-business transfer of data – for instance, where an online retailer collects
information directly from the consumer by tracking the products the consumer purchased in the store or
looked at while visiting the retailer’s website. The other involves a business-to-business transfer of data –
such as where a retailer purchases consumer data from a non-consumer-facing data broker.
As to the ﬁrst type of data collection, for the reasons discussed above, if the ﬁrst party does not share
information with third parties or track consumers across third-party websites, the practice would be
consistent with the context of the consumer’s interaction with the company.
Therefore, the framework
would not call for a consumer choice mechanism. In contrast, because the second type of data collection
involves the transfer of data from one business to another and does not directly involve the consumer
(and therefore is typically unknown to the consumer), it is unlikely to be consistent with a transaction or
relationship between the consumer and the ﬁrst party. The Commission nevertheless recognizes that it
would be impractical to require the ﬁrst-party marketer to oﬀer a choice mechanism when it appends data
from third-party sources to the data it collects directly from its consumers. As discussed in the comments,
such a requirement would impose costs and logistical problems that could preclude the range of beneﬁts that
data enhancement facilitates.
Instead, full implementation of the framework’s other components should address the privacy concerns
that commenters raised about data enhancement. First, companies should incorporate privacy by design
concepts, including limiting the amount of data they collect from consumers and third parties alike to
accomplish a speciﬁc business purpose, reducing the amount of time they retain such data, and adopting
reasonable security measures. The framework also calls for consumer choice where a company shares with
a third party the data it collects from a consumer. Thus, consumers will have the ability to control the ﬂow
of their data to third parties who might sell the data to others for enhancement. In addition, companies
should improve the transparency of their practices by disclosing that they engage in data enhancement and
educating consumers about the practice, identifying the third-party sources of the data, and providing a
link or other contact information so the consumer can contact the third-party source directly. Finally, to
further protect consumer privacy, the Commission recommends that ﬁrst parties that obtain marketing data
for enhancement should take steps to encourage their third-party data broker sources to increase their own
transparency, including by participating in a centralized data broker website, discussed further below, where
consumers could learn more information about data brokers and exercise choices.
The ﬁrst parties may
also consider contractually requiring their data broker sources to take these steps.
212 See supra Section IV.C.1.b.(i).
213 The concept of such a website is discussed, infra, Section IV.D.2.a.