On April 14 2011 IAB Europe, a body representing the European digital industry, released a Europe-wide self-regulatory framework for online behavioural advertising (OBA). The framework includes best practices for enhancing transparency and greater user control over OBA within the European Economic Area.
The OBA framework is the result of a collaboration between IAB Europe and key European advertising associations, supported by the European Advertising Standards Alliance, a Brussels-based non-profit organisation that promotes ethical standards in commercial communications through self-regulation.
The framework has been signed by leaders in the online industry, including Google, Microsoft and Yahoo!; it creates obligations only for its signatories that self-certify their compliance with its principles.
The framework encourages signatories to apply consumer-friendly standards to OBA and to the collection of online data that facilitates the delivery of targeted advertising. It begins by clarifying that OBA involves the collection of online data in order to:
- facilitate the delivery of advertising based on the potential preferences or interests of web users; or
- advertise a product in which users have previously shown an interest – a technique known as ‘re-targeting’. Users who show an interest in a specific product or category of products on a particular website are presented with advertising for that product or category of products on other websites.[i]
OBA does not include:
- the activities of website operators that are limited to their own websites or websites controlled by them; or
- contextual advertising (eg, advertising based on the content of the website being visited, a consumer’s current visit to a website or a search query).
When a consumer visits a website, he or she is not necessarily aware that a third party (ie, an entity engaging in OBA on a website that it does not operate) may be delivering advertising and collecting web-viewing data from his or her computer. In order to inform consumers that such data collection may occur, the framework requires companies to give clear and comprehensible notice on their websites, describing their OBA data collection and use policies. Such notice should include:
- the company’s identity and contact details;
- the types of data being collected and used for the purpose of providing OBA, including an indication of whether such data qualifies as ‘personal data’ or ‘sensitive data’;
- the purposes for which OBA data is processed and the recipients or categories of recipient to whom data may be disclosed;
- an easy-to-use mechanism for exercising choice with regard to the transfer, collection and use of data for OBA purposes;
- the fact that the company adheres to the framework principles; and
- a link to a new pan-European website – http://www.youronlinechoices.eu/ – providing further information on OBA in an appropriate language, as well as a tool to manage data preferences, including turning off OBA – this is termed the OBA user choice site.
Once companies fully comply with their obligations, which they must do by June 30 2012, all OBA advertisements will display an icon. This interactive symbol, placed in or around an OBA advertisement, will signify to consumers that OBA is being used. When a consumer clicks on the icon, he or she will be directed to a company website with user-friendly information regarding the data collection and use practices associated with the advertisement. The website will also allow the user to turn off OBA advertisements, with a link to an easy-to-use consumer control tool on the user choice site. In addition, companies may use the icon to provide notice that data is collected for OBA purposes, if there is an arrangement with the website operator[ii] to that effect.
If a company uses technology for collecting uniform resource locators (URLs) on a computer or any other device with a view to using such data for OBA, it will need the consumer’s free and explicit consent.[iii] It will also need to provide a user-friendly mechanism for web users to withdraw consent for the collection and use of such data for OBA.
Thus, the framework gives users full transparency and control without limiting their online experience.
The framework also makes provision for:
- education for consumers and businesses about OBA in general and the framework in particular;
- appropriate security for data that is collected and used for OBA purposes, as well as a limited data retention principle – data may not be stored for longer than is necessary to meet a legitimate business need or to comply with data retention obligations under law;[iv]
- limits on targeted advertising for children – for the purpose of the framework, this applies to users aged 12 or under;
- limits on the collection and use of sensitive personal data for OBA[v]; and
- compliance and enforcement mechanisms to ensure the effectiveness of the framework. Companies that comply with the framework’s requirements will receive a periodically renewable business-to-business certification. This will signify to other businesses that the company is part of the self-regulation system and that it has passed its compliance checks. If a company fails to remedy a significant breach of its obligations within a limited time, the seal of approval may be withdrawn. Signatories must choose a compliance programme provider that can demonstrate expertise in online assessment or auditing. Compliance providers will be chosen by means of a competitive tender carried out by IAB Europe, which will be published in 2011. The compliance provider will then conduct an audit to confirm compliance with the obligations under the framework.
Companies have until June 30 2012 to comply and self-certify. Companies signing after January 1 2012 should comply and self-certify within six months of adopting the OBA framework. Signatories will review the framework at least every three years in response to the development of OBA and business practices.
It is worth noting that the framework expressly recognises that compliance with its principles does not guarantee compliance with any applicable law and is not a substitute for such compliance. In this regard, Italian data protection law under the Data Protection Code (Legislative Decree 196 of June 30 2003) seems more restrictive than the OBA framework.
The delivery of OBA and the collection of online viewing data from a consumer’s personal computer could be regarded as ‘profiling activities’ for the purposes of the code; such activities would therefore need to be notified to the Italian Data Protection Authority.[vi] Obtaining the consent of the user or consumer, which is required under the framework, would be insufficient to comply with the terms of the code. It will be interesting to hear the authority’s opinion on the framework and on the duties imposed on its signatories.
[i] The framework itself defines OBA as: “the collection of data from a particular computer or device regarding web viewing behaviours over time and across multiple web domains not under Common Control for the purpose of using such data to predict web user preferences or interests to deliver online advertising to that particular computer or device based on the preferences or interests inferred from such web viewing behaviours.”

[ii] According to the framework, “a website operator is the owner, controller or operator of the website with which the web user interacts”.

[iii] Principle II.

[iv] Principle III.

[v] Principle IV. ‘Sensitive data’ is defined as “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of data concerning health or sex life” (Section 8(1) of Directive 95/46/EC of the European Parliament and of the Council of October 24 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which uses for such data the expression of “special categories of data”).

[vi] Section 37(1) of the code states that “[a] data controller shall notify the processing of personal data that he/she intends to perform exclusively if said processing concerns… (d) data processed with the help of electronic means aimed at profiling the data subject and/or his/her personality, analysing consumption patterns and/or choices, or monitoring use of electronic communications services.”