The Online Interest-Based Advertising Accountability Program (Accountability Program), which enforces the advertising industry’s self-regulatory system administered by the Council of Better Business Bureaus, has published the resolution of two formal inquiries into the privacy practices of The Hollywood Reporter (Hollywood) and Varick Media Management (Varick). According to the Accountability Program, both Hollywood and Varick violated the Digital Advertising Alliance’s (DAA) Self-Regulatory Principles (Principles) by failing to provide consumers with sufficient notice and choice relating to the collection of data for targeted advertising and the serving of interest-based ads (IBA) on their websites.

These enforcement actions reveal the following takeaways for companies, including advertisers and publishers, engaged in interest-based advertising.

Both First Parties and Third Parties Share Responsibility to Consumers

The Hollywood case involved a website publisher, Hollywood, and a company, Gravity, that displayed interest-based ads on Hollywood’s website allegedly failing to provide “enhanced notice” of the interest-based ads as required by the Principles. The Accountability Program took the position that even though Gravity was responsible for serving the interest-based ads, Hollywood shared responsibility and accountability for the failure to provide “enhanced notice.”

The takeaway is that both first parties (e.g., website operators) and third parties (e.g., ad networks) share the responsibility of complying with the Principles and will be held accountable when the Principles are not satisfied. Further, while ads typically include notice that will meet the publisher’s notice obligation, if an ad is noncompliant, the website will be noncompliant unless the website has its own About Ads link on the page with a deep link to the notice in the privacy policy. There is a need for this link where there are no interest-based ads on the page but the page is dropping tracking cookies, such as for retargeting solutions.

A Privacy Policy Alone Does Not Constitute “Enhanced Notice”

Hollywood’s website contained a privacy policy explaining the third-party interest-based ads on the website and including a link to the Network Advertising Initiative’s (NAI) consumer opt-out page, where consumers could opt out of interest-based ad activity by the companies listed there. But Hollywood’s website lacked any “enhanced notice” distinct from the privacy policy.

As the press release makes clear, the Principles require that all interest-based ads must alert consumers that the ad is based on their prior browsing and provide a link to a short explanation of interest-based ads and an opt-out. In addition, the Principles require that every web page where companies collect consumer data for interest-based ad purposes must place a link or icon next to the privacy policy link that directs consumers to a short explanation of interest-based ads and an opportunity to opt out. While the explanation and an opt-out can be in the privacy policy, the privacy policy itself does not constitute “enhanced notice.”

Broken or Missing Links Do Not Constitute “Enhanced Notice”

Varick encountered a different problem. Unlike Hollywood, Varick, both a website operator and an ad network, included an advertising option icon (AdChoices Icon) on each of its interest-based ads to alert consumers the ads were based on their prior browsing. However, Varick’s AdChoices Icons did not link to a short explanation of interest-based ads and an opt-out as required by the Principles. Further, Varick’s website did not include language adhering to the Principles or an opt-out from Varick’s collection practices.

In response to the Accountability Program’s recommendation, Varick redirected the links to its privacy policy, amended its privacy policy to include a statement of adherence to the Principles and an explanation of how to opt out of Varick’s interest-based ad practices, and ensured TRUSTe’s opt-out mechanism included the ability to opt out of Varick’s interest-based ads, among other things. The Varick case demonstrates that companies should regularly review the links within their “enhanced notice” to ensure the links function properly.

Native Advertising Also Requires Notice and Choice

The Varick case is also unique in that it involved a company engaging in native advertising. Because native advertising is based on a consumer’s interests, the Accountability Program takes the position that companies engaged in native advertising must provide “enhanced notice” and choice the same way they would with interest-based ads.

Comply with Self-Regulation, and Carefully Craft Notices

The latest enforcement actions are yet another example of the Accountability Program investigating consumer complaints and monitoring websites and applications for compliance. The Accountability Program takes the position that the Principles apply not only to DAA members but also to all companies engaged in conduct covered by the Principles. Further, most major participants in the online advertising ecosystem are members of trade associations that have adopted the Principles, and almost all ad agencies, ad servers, and ad exchanges require advertisers and publishers to comply. If you are the subject of an Accountability Program inquiry, respond quickly. The press release stresses that both Hollywood and Varick “swiftly” implemented the Accountability Program’s recommendations.

Since the Accountability Program lacks the authority to impose fines or penalties, remediation is the goal. Keep in mind, however, that if a company’s public statements are inconsistent with its practices, such as representing adoption of the Principles in a privacy policy but not following the Principles in practice, such noncompliance could be deemed a deceptive practice, subjecting a company to potential prosecution under state and federal false advertising and consumer protection laws. Accordingly, ensure that your practices are in compliance with the Principles and your public statements, and carefully craft your public statements to be accurate and to disclaim third-party acts or omissions you cannot control, such as the effectiveness of third-party opt-out programs. Also be sure not to over represent the technical capacity or scope of opt-out mechanisms, which are relatively limited.