Privacy & Security Matters Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

The Clock is Ticking for Implementation of “Enhanced Notice”: The 6 Questions Online Service Providers Should be Asking about Online Behavioral Advertising Following Increased Enforcement Warning

Posted in Privacy Regulation

Written by Jake Romero

Walking around a department store isn’t the only time you’re being tracked while you shop.  If you’ve ever visited a web page and seen an advertisement for the exact same pair of shoes you were looking at on a different web page the day before, then you know that something similar is happening while you surf the web.  Online Behavioral Advertising (“OBA”) looks at a user’s internet browsing behavior across websites and over a period of time and uses that information to try to tailor advertising toward things that user would be responsive to.  In practice, that means that if you’re me, and you spent the afternoon looking online for a Lego figurine that looks like Ron Burgundy from the movie Anchorman, then you can expect that over the next few days, a sizable portion of the ads you see will be Lego and/or Ron Burgundy related.  The use of OBA is subject to industry-based regulatory principles that, among other things, require companies that collect OBA data and website operators that allow third parties to collect OBA data on their site to provide “enhanced notice” to consumers.  According to a recently released Compliance Warning, we can expect to see increased enforcement of these principles, and in particular the enhanced notice requirement, starting January 1, 2014.  With that in mind, here’s what you need to know:

1.      What is Online Behavioral Advertising?

OBA is officially defined as “the collection of data from a particular computer or device regarding Web viewing behaviors over time and across non-Affiliate web sites for the purpose of using such data to predict user preferences or interests to deliver advertising to that computer or device based on the preferences or interests inferred from such Web viewing behaviors.”  OBA does not include “contextual advertising,” which is the practice of delivering advertisements based on a website’s content or the user’s contemporaneous behavior on that site.

2.      How is OBA Regulated?

The above-quoted definition of OBA is from the Self-Regulatory Principles for Online Behavioral Advertising, a set of industry principles promulgated by the Digital Advertising Alliance in 2009.  The Digital Advertising Alliance has tasked two divisions with enforcing the Principles, one of which is the Online Interest-Based Advertising Accountability Program (the “Accountability Program”), the group responsible for issuing the Compliance Warning.  The Accountability Program investigates instances of alleged non-compliance and, in certain cases, will refer the OBA company or website operator to the Federal Trade Commission, which could result in FTC-imposed fines or other regulatory action.  Although the Principles are not the same as a statute or government regulation, the FTC views non-compliance with generally-accepted industry standards as an unfair practice because consumers have a reasonable expectation that companies within that industry are following those guidelines.

3.      Who is Required to Comply?

The Principles apply to the owners or controllers of consumer-facing websites that either collect, or allow a third party to collect, behavioral use data for OBA purposes, as well as the third parties that collect behavioral use data to deliver advertising on a site.  A common misconception is that providing enhanced notice is the responsibility of the entity collecting the OBA data, and not the responsibility of the site operator.  The Compliance Warning makes clear that enhanced notice is the joint responsibility shared by both parties.

4.      What Kind of “Enhanced Notice” is Required?

Companies collecting OBA data and website operators who allow third parties to collect OBA data are required to provide a “clear, meaningful, and prominent link” on each page where an advertisement that has been delivered through OBA or OBA data is collected.  Most often we see these links as small icons inside of OBA-delivered advertisements.  When a user clicks on this “enhanced notice link,” they should be directed to a disclosure that includes a statement that the entity adheres to the Principles, as well as a description of (i) the types of data collected online (including any personally identifiable information) for OBA purposes, (ii) the use of such data and whether it will be transferred to any third party non-affiliated company and (iii) the mechanism for exercising choice with regard to the collection and use of OBA data.  Generally this notice is provided either by linking to a central page developed by the industry (for example, the DAA Consumer Choice Page) or providing a list within the site of all third parties engaging in OBA data collection on that site, with a link to opt-out and choice mechanisms for each third party.  A few words of caution:

  • The link to disclose third parties engaged in OBA data collection is not the same as the link to the Site’s privacy policy.  The Accountability Program has specifically stated that this disclosure should be separate and apart from the privacy policy so that the consumer is not required to look through the privacy policy to find it.
  • If you choose to disclose OBA data collection by listing all third parties collecting data on the site, it is important to keep in mind that this list must always be complete and accurate at any given time.  Procedures should be in place to update this notice each time a third party vendor changes, and third party vendors should be required to notify you if they change the manner in which consumers can opt-out of having OBA data collected.
  • Website operators should be cautious about relying on in-advertisement notifications provided by the third party OBA data collector to satisfy the enhanced notice requirements.  The enhanced notice link is required on each page of the site on which data is being collected, and generally OBA data is collected all across the site.  If a site operator relying on the links and notifications in advertisements has a page on the site where information is collected but no advertisements appear, then that site operator is not in compliance.

5.      If the Principles Have Been Around Since 2009, Why is This an Issue Now?

According to the Compliance Warning, a “significant minority” of website operators are not currently in compliance with the “enhanced notice” requirements.  In the interest of protecting consumers and preventing the need for outside regulation, the Digital Advertising Alliance intends to increase enforcement of the enhanced notice requirement, which it regards as “one of the most important improvements for consumes created by the OBA Principles”.  The Compliance Warning puts website operators and third-party OBA firms on notice that such increased enforcement efforts will begin on January 1, 2014.

6.      What Are the Next Steps?

If your company operates a web site with advertisements or collects data for purposes of generating advertisements, the first step will be to conduct a thorough review of practices to determine whether the Principles apply to you.  If you determine that your company or your website engages in online behavioral advertising, then your practices should be carefully reviewed against the requirements set forth in the Principles.  It is important to keep in mind that while enhanced notice is the Accountability Program’s current focus, there are a number of other requirements under the Principles with which you may need to comply.  If you determine that your company is not in compliance, and it seems unlikely that you can bring your service into compliance using commercially reasonable efforts before January 1, 2014, you should contact the Accountability Program in advance of the deadline to discuss a reasonable alternative compliance deadline.

As always, you should also feel free to contact your Mintz Levin privacy & security team so that we can help you through the process.