The independent agency that enforces the principles that govern online behavioral advertising issued a strong warning to Website operators: Adopt the self-regulatory standards or face the risk of an enforcement action.

At the start of next year, Website operators that fail to adequately notify consumers that they are tracking their online browsing activities, or allowing third parties to track them for the purposes of interest-based advertising, could potentially face an enforcement action by the Federal Trade Commission.

The Better Business Bureau issued the compliance warning as part of its ongoing effort to step up enforcement against Website operators that fail to fully comply with the Self-Regulatory Principles for Online Behavioral Advertising (OBA Principles), which govern the collection of consumer information for online advertising. Administered by the BBB, the Online Interest-Based Advertising Accountability Program is the independent enforcement agency charged with enforcing the principles.

The Digital Advertising Alliance, a self-regulatory body, developed the industry standards for online behavioral advertising in 2010, after the FTC threatened increased regulation if the industry didn't increase efforts to police itself. It put the BBB in charge of enforcing compliance with the standards. “The FTC became increasingly concerned that there was not sufficient transparency surrounding interest-based advertising,” explains Barton. As a result, industry associations responded to the FTC's recommendations accordingly, she says.

The OBA Principles consist of seven standards governing the collection of consumer information, including how to educate consumers about online behavioral advertising; how to properly disclose data collection and use practices to consumers; and how to give users the ability to opt out.

If the self-regulatory program does not work, the FTC will be forced to enact regulations that are far more aggressive, “and something marketers would rather not have,” says Douglas Wood, a partner with law firm Reed Smith, and co-chair of the firm's advertising, technology, and media group. “So the DAA has some serious teeth to it.”

Traditionally, when a Website operator was not in compliance with any of the requirements of the OBA Principles, the Accountability Program would work with the Website operator to resolve any issues of non-compliance. After Jan. 1, however, the BBB will not be so lenient with non-compliant companies.

“We want industry to work with us,” says Genie Barton, director of the BBB's online behavioral advertising program. “We are here to help companies be compliant.”

If a company chooses, however, not to implement the Accountability Program's recommendations on a finding of non-compliance, Barton adds, the BBB will not hesitate to refer that company to the FTC. “We will not view sympathetically companies that take no action to come into compliance,” she says.

“Nobody wants to be on the radar of the FTC,” says Wood. Even if a company agrees to improve its marketing practices, it will still have to deal with a negative press release. “The best outcome you can get in an enforcement proceeding is to cooperate and get a negative press release,” he says. “That's a win, and that's not a very nice win.”

According to the compliance warning, companies that cannot meet this deadline, “despite making all commercially reasonable efforts to do so,” may avoid a potential enforcement action by contacting the Accountability Program prior to Jan. 1, explaining the issue, and providing a reasonable date as to when it can come into compliance.

Enforcement Risk

Even though the Accountability Program has given Website operators fair warning, “I think you're going to find a number of companies that are still asleep at the wheel,” says Wood.

In particular, many Website operators are having a difficult time meeting the “enhanced notice” provision of the OBA Principles, explains Barton. Under the enhanced notice provision, Website operators must provide consumers with a “clear, meaningful, and prominent link” on every Web page where they allow third parties to collect online browsing activity for purposes of behavioral advertising.

This link should be separate from the privacy policy and at least as prominent, and it should appear as a recognizable icon, such as the Digital Advertising Alliance's Advertising Option Icon (AdChoices Icon), or as a legend that says “AdChoices.”

When consumers click on the link, they should be directed either to an industry-developed Web page, such as the DAA's Consumer Choice Page, where they can choose whether to participate in behavioral advertising, or to a list of all the third parties engaged in data collection on the operator's Website, with links to each of their respective opt-out mechanisms.

The trouble is that many Website operators mistakenly believe that their enhanced notice obligations are automatically satisfied by the advertisements provided by third parties on their Websites. In most instances, this assumption is true, says Jerry Cerasale, senior vice president of government affairs for the Direct Marketing Association, but in some cases it is not.

On virtually every Website with advertisements on it, Cerasale explains, most tracking of online browsing activities is done by way of advertisements that are issued through Network Advertising Bureaus, most of which are part of the Digital Advertising Alliance and, thus, require the enhanced notice icon (AdChoices icon) on their ads.

THE PRINCIPLES

Below are the official self-regulatory principles for online behavioral advertising:

The Education Principle calls for entities to participate in efforts to educate consumers and businesses about online behavioral advertising. It is expected that there will exist a robust industry-developed Web site(s) that provide consumers with educational material about online behavioral advertising. Additionally, it will result in numerous online impressions educating the public about how online behavioral advertising works and the choices that are available to consumers.

The Transparency Principle requires the deployment of multiple mechanisms for clearly disclosing and informing consumers about data collection and use practices associated with online behavioral advertising. This Principle applies to entities collecting and using data for online behavioral advertising and to the Web sites from which such data is being collected and used by third parties. Compliance with this Principle will result in new links and disclosures on the Web page or advertisement where online behavioral advertising occurs.

The Consumer Control Principle provides for mechanisms that will enable users of Web sites at which data is collected for online behavioral advertising purposes the ability to choose whether data is collected and used or transferred to a non-affiliate for such purposes. The choice will be provided by the third party entities collecting and using data for online behavioral advertising and the mechanism will be found either at their own Web sites or at industry-developed Web sites. The new links and disclosures on the Web pages or advertisements will direct consumers to these mechanisms.

The Transparency and Consumer Control Principles have separate provisions for “service providers” engaged in online behavioral advertising. Under these Principles, service providers must provide additional notice regarding the online behavioral advertising that occurs by use of their services, obtain the consent of users before engaging in online behavioral advertising, and take steps to de-identify the data used for such purposes. Internet access service providers and providers of desktop applications software such as Web browser “tool bars” are examples of service providers under these Principles.

The Data Security Principle requires entities to provide reasonable security for, and limited retention of, data collected and used for online behavioral advertising purposes.

The Material Changes Principle directs entities to obtain consent before applying any change to their online behavioral advertising data collection and use policy that is less restrictive to data collected prior to such material change.

The Sensitive Data Principle recognizes that certain data collected and used for online behavioral advertising purposes merits different treatment. The Principles apply heightened protection for children's data by applying the protective measures set forth in the Children's Online Privacy Protection Act. Similarly, this Principle requires consent for the collection of financial account numbers, Social Security numbers, pharmaceutical prescriptions, or medical records about a specific individual for online behavioral advertising purposes.

The Accountability Principle calls upon entities representing the wide range of actors in the online behavioral advertising ecosystem to develop and implement policies and programs to further adherence to these Principles. It is intended that these programs will help ensure that all entities engaged in online behavioral advertising bring their activities into compliance with these Principles. The Direct Marketing Association, which has more than 3,500 members, has indicated that it will integrate the Principles into its long-standing effective self-regulatory program. The Council of Better Business Bureaus, with a long history of successful accountability programs, has indicated that it is developing a new program around these Principles. The Accountability Principle calls for programs to have mechanisms by which they can police entities engaged in online behavioral advertising and help bring these entities into compliance. Programs will also publicly report instances of uncorrected violations to the appropriate government agencies.

Sources: American Association of Advertising Agencies; Association of National Advertisers; Council of Better Business Bureaus; Direct Marketing Association; Interactive Advertising Bureau.

“As long as a Website publisher is dealing with a network advertiser that's a member of the DAA then you don't have any worries,” says Cerasale. “You as a Web page operator are in compliance with the DAA principles.”

Where issues of non-compliance arise for Website operators, Cerasale says, is when third parties are collecting data for purposes of behavioral advertising where no ad is present bearing the AdChoices Icon. “My advice to Website operators is to make sure in your contracts with third parties that you require them to follow the DAA principles,” he says.

Formal Inquiries

To date, the Accountability Program has concluded 33 formal inquiries of companies found to be non-compliant under OBA Principles.

Last month, for example, the Accountability Program concluded two separate inquiries into the third-party data collection practices of online investing firm Scottrade, and automobile maker BMW of North America. In each case, the Accountability Program found that neither company included any sort of notice alerting consumers to third-party data collection practices occurring on their Websites.

In response to the formal inquiry, BMW took steps to come into compliance with the Accountability Program's recommendations by first adding a “cookies and tracking” section to its privacy policy, including a description of the third-party data collection practices on its Website and links to the DAA Consumer Choice opt-out page. It also updated this new section to include a required statement of adherence to the OBA Principles.

Scottrade also amended its privacy policy by adding language alerting consumers to the possibility that third-party data collection may be occurring on its Website for use in behavioral advertising and provided a link to the DAA Consumer Choice Page. It also added enhanced notice using the DAA-approved phrase “Interest Based Ads” to the footer of every page of its Website, where data collection for behavioral advertising occurs.

The compliance warning effectively serves as a reminder to companies to gain a better understanding of all the third parties that advertise on their Websites. “That is not as simple as it may sound,” says Barton.

One proactive measure, advises Barton, is to conduct an audit of all the third parties that collect data on your Website. “Different departments in a large company may at some point have had a reason to allow a third party to set cookies, and maybe that's no longer necessary, but it hasn't been cleaned up,” she says. “An audit of a Website is a way to check on that.”

It is not difficult to fact-check which third parties are advertising on your Website, Barton adds. The challenge sometimes is that the ad-serving chain can be so complex in a large company that it can become unclear who is taking responsibility for what, but that's no excuse for non-compliance, she says.

How effective Website operators are at regulating themselves “in many ways speaks to the credibility of the whole program,” says Wood. “It has to work efficiently. Otherwise, the federal government may step in and mandate far more aggressive regulations.”