The Digital Advertising Alliance (DAA) has announced a new set of guidelines that significantly expands the requirements for member companies that collect data online. The Self-Regulatory Principles for Multi-Site Data establish broad and comprehensive standards governing the collection and use of data from an individual's device, regarding internet viewing over time and across non-affiliated web sites - what DAA is calling "Multi-Site Data." These guidelines go well beyond DAA's existing guidelines governing the collection and use of data for online behavioral advertising (OBA). They apply to data that is collected for any and all purposes (not just OBA), with limited exceptions (discussed below), and explicitly prohibit the collection of data for specific purposes related to employment, health care, credit and insurance.
The guidelines apply to "any entity" that collects Multi-Site Data: (i) First Parties (defined as "the entity that is the owner of the Web site or has Control over the Web site with which the consumer interacts and its Affiliates"); (ii) Third-Parties (defined as an entity that "collects Multi-Site Data on a non-Affiliate's Web site"); and (iii) Service Providers (including, for example, an internet service provider or provider of a toolbar or internet browser).
The new guidelines will become part of the DAA's self-regulatory program and member companies will be required to comply with them some time in 2012. Companies that fail to comply may be investigated and, if a potential violation is found to exist, the company will be advised on how it can achieve full compliance. In cases where a company does not cooperate and there is evidence of continued non-compliance, results of the investigation may be made public. Enforcement actions may also include censure, suspension or expulsion from membership of the DAA's member organizations. Non-compliance that may also be a violation of federal or state law will be referred to the appropriate law enforcement authorities.
Below is a summary of key provisions contained in the new guidelines.
Broader Scope. The new guidelines define Multi-Site Data as "data collected from a particular computer or device regarding Web viewing over time and across non-Affiliate Web sites." For the same reasons set forth in the OBA Principles, contextual advertising or data collection based on a consumer's current visit to a web page or search query is not included within the scope of Multi-Site Data or these Principles.
The Multi-Site Data guidelines direct companies to provide consumers with "transparency and consumer control" related to the collection and use of Multi-Site Data for all purposes except: (a) operations and system management purposes, (b) market research or product development, or (c) where the data has gone through, or will within a reasonable time go through, anonymization.
New Prohibition. The new guidelines explicitly prohibit the collection and use of a person's internet surfing data for determining his or her eligibility for employment, credit, insurance and medical treatment.
Sensitive Data and Data from Children. The new guidelines mirror the OBA guidelines by requiring opt-in consent for the collection or use of financial account numbers, Social Security numbers, pharmaceutical prescriptions, or medical records about a specific individual. The new guidelines also follow the OBA guidelines by requiring compliance with the Children's Online Privacy Protection Act (COPPA) when collecting or using information from children.