The Internet Advertising Bureau (IAB), a UK online trade association, recently published its own “Good Practice Principles for Online Behavioral Advertising,” which take effect on September 4, 2009. These principles, produced with input from the trade association’s members — including AOL, Google, and Microsoft Advertising — are intended to complement and supplement existing UK data protection laws found in the Data Protection Act 1998 and the Privacy and Electronic Communications Regulations 2003.
In its introduction to the principles, the IAB recognizes a need for good practice guidance and to balance between companies’ use of Online Behavioral Advertising (OBA) and individuals’ rights to privacy and data protection. It offers an explanation of the importance of online advertising, particularly to small and emerging companies, and promotes OBA as a means of matching advertisements to appropriate audiences: “Providers of OBA create audience segments based on websites visited over a period of time with a particular browser. These audience segments are then used to provide relevant advertising to users within that segment.”
In so doing, OBA providers collect data relating to individuals which, if classified as “personal data” (data from which individuals can be identified), will fall under the protection of UK data protection legislation and other, anonymous information, which will also be covered by the principles.
Companies also will be required to implement a complaints and inquiries procedure, before raising matters with the OBA Board. In turn, the OBA Board intends to review the principles regularly, as OBA develops, and will modify or add to the principles where necessary.
The IAB aims to promote the image of online behavioral advertising by building trust and understanding and by improving Internet users’ ability to control the use of data. As drafted, the principles are divided into three particular themes: notice, user choice, and education, and can be summarized as follows:
- Clear and unambiguous notice to users that the company collects data for the purposes of OBA, including the types of data, how data is to be used, and how users can decline OBA.
- Companies shall include these notice requirements in contracts with third parties and, upon discovering any breach of the same, shall make reasonable efforts to enforce the contract provisions.
- User Choice
- Companies must provide an approved means for users to decline OBA and give information on how to decline OBA on their Web sites.
- Companies must obtain consent to the processing of personal data for the purposes of OBA, if such consent is required (e.g., in relation to “sensitive personal data” as defined by the Data Protection Act 1998).
- Companies must provide easily accessible information to educate users about OBA, the collection of data, and how to decline OBA.
- Companies must provide the IAB with an up-to-date URL with this information and provide a link to the IAB’s information portal.
The principles have already attracted criticism, on the grounds that: the measures do not adequately protect Internet users; the prompts for consent amount to “pestering” users to agree to OBA and above all, they are not compulsory for OBA providers.
So, while the introduction of these principles might be viewed as a step forward in the context of this industry and data protection, there may be a ways to go to convince the public that OBA is acceptable at all.