New rules governing online behavioural advertising in the UK came into effect in February, with the aim of giving consumers greater transparency and control over the use of their information for targeted advertising. In this blog, we explain what the rules require and what the changes mean for advertisers and website owners/operators. 

What is online behavioural advertising?

Online behavioural advertising (OBA) is the use by advertisers of information collected about a web user’s online behaviour, for example what websites they browse, links and adverts they click on, search terms entered etc., to generate adverts tailored to that individual’s identified interests and preferences. In practice it means that one user will be served different website advertising to another based on their previous browsing history.

OBA is usually done through the use of “cookies” (small data files which are served on users’ browsers and devices when they visit a website), so these new rules, which will be enforced by the UK Advertising Standards Authority (ASA), work to supplement and complement existing legislation on cookies and other tracking technologies, namely the E-Privacy Directive (2009/136/EC) which is implemented in the UK via the Privacy and Electronic Communications (EC Directive)-Amendment Regulations 2011 (the PEC Regulations). Broadly, the PEC Regulations require that cookies and any similar tracking technology can only be placed on computers/devices where the user has given their informed consent (e.g., via an ‘opt-in’) to the collection of their data in this way (see our previous blog on cookies and the Directive here). In addition, those collecting users’ personal information for OBA must also comply with data protection/privacy laws.

What are the main requirements?

The new OBA rules (contained in Appendix 3 to the UK Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing (CAP Code)) implement the EU Framework for Online Behavioural Advertising launched by the Internet Advertising Bureau (IAB) in April 2011. The EU-wide regulation of OBA means that companies using behavioural advertising as a tool across the EU will also need to comply.

Most of the new obligations fall on “third parties”, those organisations that engage in OBA via websites other than their own. This means that retailers whose goods are the subject of the targeted adverts on other websites (i.e. not their own) are not directly on the hook under the new rules, but they may be expected to cooperate with the ASA in cases where the ASA is unable to track down the third party OBA provider. 

Broadly, the main requirements are that consumers/web users should be offered the choice to opt-out of being targeted using OBA. If consumers do opt out, their information will not be collected for OBA purposes and they will not be served targeted ads (although they would still see non-tailored ads). To achieve this, adverts delivered using OBA must have a notice in or around it telling users that they are collecting and using web viewing behaviour data and third parties must give a clear a comprehensive notice about the collection and use of data for the purposes of OBA on its own website. Both of these notices should provide a mechanism enabling the user to opt-out.

Other requirements are that OBA should not be targeted at children aged 12 or under and explicit consent is required if third parties use technology to collect and use all data traffic from users on a particular computer (i.e. website history across all websites captured). This type of OBA is usually carried out at ISP level and is the most controversial form of OBA.

Interestingly, the new rules do not apply currently to mobile phones or other handheld devices (e.g. e-readers and tablets) although it seems likely that the rules will be extended at some point in the near future.

Enforcement

The CAP Code (including the new OBA rules) is enforced by the ASA, which is a self-regulatory body. The ASA can take steps to remove or have amended any adverts that breach the rules.

Arguably the new rules have a lot less bite than other existing regulations regarding the use of cookies and data protection, particularly as they are aimed predominantly at third party OBA providers and are part of the self-regulatory CAP Code. However advertisers, retailers and website operators who do not deliver their own OBA should bear them in mind and, in particular, keep an eye on any third parties they use for OBA.

Additional useful guidance in this area includes: CAP Guidance and European Advertising Standards Alliance (EASA) Best Practice Recommendation.