Interest-based advertising has been heavily discussed with the impending advent of CCPA. However, companies that rely on interest-based advertising should remember to periodically check their adherence to industry standards and self-regulatory principles – regardless of whether they are subject to CCPA.
The Digital Advertising Alliance (DAA) online accountability program recently issued a decision in its continued efforts to compel website and app operators to provide users with enhanced notice about third-party data collection as prescribed in the self-regulatory principles for online behavioral advertising (OBA Principles). The case involved Dine Brands Global, the California-based owner and operator of the International House of Pancakes and Applebee’s (Dine Brands).
A review of Dine Brands’ websites by the DAA’s accountability program as part of its regular monitoring activities revealed a number of third-party entities known to engage in interest-based advertising collecting data about the DAA’s visit. However, the websites did not appear to provide both notice and enhanced notice (as described below) about the collection of information for interest-based advertising purposes, as required under the OBA principles. In particular, in reviewing the privacy notices for the dine brands’ websites, the DAA found that (a) one of the websites did not contain explicit language stating that third parties may collect data for interest-based advertising purposes, and (b) links to an industry-developed opt-out page or to third parties with corresponding opt-out links – a core requirement of the DAA Principles – were nowhere to be found.
Under the OBA principles, first parties must comply with a number of obligations if they allow third parties to collect visitors’ browsing data for use in interest-based advertising on their websites (such as via a SDK), or if they transfer such data to third parties for tailoring ads on non-affiliate websites.
First, they must disclose this activity to consumers with appropriate transparency as well as provide the opportunity to exercise control over interest-based advertising. This is usually done in the privacy notice, The disclosure must contain either a link to an industry-developed consumer choice page (such as http://aboutads.info/choices) or a list of every third party conducting interest-based advertising activity on the first-party website, which is often a difficult feat for first parties engaged in significant interest-based advertising with multiple partners. In addition, a first party must state its adherence to the DAA Principles.
One often-overlooked obligation under the OBA principles is that first parties must provide consumers with real-time “enhanced notice” when third parties are collecting or using data for interest-based advertising on a first party’s website. This real-time indicator must be in the form of a “clear, meaningful, and prominent” link that directs consumers to the first party’s interest-based advertising disclosure – not just to the top of a privacy notice. The link must be separate from the first party’s privacy notice link and must appear on every page where data collection or use for interest-based advertising occurs on the first party’s website. The link may be provided either directly by the first party or by one of the third parties active on its website. The rationale is that by drawing real-time attention to this otherwise undetectable background activity, explaining it in plain language, and providing one or more opt-out choice mechanisms, the enhanced notice enables consumers to understand how interest-based advertising works and make informed choices about the use of their data. Given how many unsuspecting users’ data is consumer for interest-based advertising, this should come as no surprise to those who have been paying attention to existing and developing user-friendly privacy rules and guidelines.
To meet its obligations, Dine Brands agreed to add an enhanced notice link labelled “Your Advertising Choices” to the two websites at issue. When clicked, this link takes users directly to the updated sections of the privacy notices, which each include a disclosure about third-party interest-based advertising and links to industry-developed consumer choice pages. The company also committed to ensuring that an enhanced notice link would be available on any other website controlled by Dine Brands that authorizes third-party data collection for interest-based advertising. And, in all cases, Dine Brands committed to updating its privacy documents to include a statement of adherence to the DAA Principles.
As interest-based advertising comes under increasing scrutiny, it is important to review your organization’s privacy disclosures and notice mechanisms, to ensure that that any interest-based advertising in which it engages does not run afoul of the DAA Principles.