Background

On July 2, 2009, a consortium of advertising-industry associations released the Self-Regulatory Principles for Online Behavioral Advertising. The principles are aimed at creating a uniform code of conduct for those parties engaged in online behavioral advertising. Their development was prompted by increased pressure from legislators and the Federal Trade Commission (FTC).

The consortium consists of the American Association of Advertising Agencies (4A's), the Association of National Advertisers (ANA), the Direct Marketing Association (DMA), the Interactive Advertising Bureau (IAB), and the Council of Better Business Bureaus (BBB). The principles have garnered support from Google, Microsoft, and the Network Advertising Initiative. The BBB and DMA are aiming to have an implementation program in place by the beginning of 2010. Whether the adoption of these principles will be widespread and whether or not they will satisfy legislators and the FTC, however, remains to be seen.

Focus and Scope

The Guidelines address online behavioral advertising (OBA) (i.e. serving ads based on an Internet user's movement across websites), but primarily apply to "third parties" and "service providers," who collect data across several unrelated web sites, as opposed to a single web site that collects data only from its own visitors. However, there are certain provisions for which all web sites that engage third party ad networks should be aware.

For the purposes of the guidelines, a "Third Party" is any "entity . . . to the extent that it engages in Online Behavioral Advertising on a non-Affiliate's website." An entity is a "Service Provider to the extent that it collects and uses data from all or substantially all URLs traversed by a web browser across Web sites for Online Behavioral Advertising in the course of the entity's activities as a provider of Internet access service, a toolbar, an Internet browser, or comparable desktop application or client software and not for its other applications or activities."

The focus of the principles is to provide consumers with notice that data is being collected for OBA purposes and a means to opt out of the collection and use of that data. To implement these goals, the self-regulatory program is divided into seven principles: Education, Transparency, Consumer Control, Data Security, Material Changes (to OBA policy), Sensitive Data, and Accountability. The guidelines place requirements, including the requirements for notice and choice, on third parties and service providers – however, as discussed below, some of the compliance obligations may shift contractually to web sites that do business with third parties and service providers that engage in OBA.

Specifically, the guidelines exclude data-gathering conducted by first parties. "First Party" is defined as "the entity that is the owner of the Web site or has Control over the Web site with which the consumer interacts and its Affiliates." An "Affiliate" is "an entity that Controls, is Controlled by, or is under common Control with, another entity." "Online Behavioral Advertising" is defined as "the collection of data from a particular computer or device regarding Web viewing behaviors over time and across non-affiliate Web sites for the purpose of using such data to predict user preferences or interests to deliver advertising to that computer or device based on the preferences or interests inferred from such Web viewing behaviors."

Thus, the guidelines are inapplicable to any information an entity gathers from its own site(s).

Considerations for First Party Web Sites

Although the guidelines are not primarily applicable to first party web sites, there are some provisions that web sites should consider as they do business with third parties to serve ads on their sites.

The Notice Provision: The Transparency principle requires third parties to satisfy both a standard-notice provision and an enhanced-notice provision. The standard-notice provision requires a disclosure of OBA activities to be placed on the third party's own website. The enhanced-notice provision is satisfied most simply by the third party providing a link "in or around" advertisements placed on the first party's website. That link directs to the standard-notice disclosure on the third party's website.

However, where a third party does not include a disclosure link in or around the advertisement, it must ensure that the first party's web site features a "clear, meaningful, and prominent link" to disclosures. The link will lead to one of three locations:

(1) To the disclosure on the third party's site – The parties may negotiate for the web site to include a link from its page to the standard-notice disclosure on the third party's site.

(2) To the web site's privacy disclosures – The parties may also negotiate to list the third party individually within the first-party site's disclosure section, disclosing that the third party is a collector of data for OBA purposes. If the disclosure section is located within the first party's privacy policy, the link must point directly to the OBA disclosure.

(3) To an industry-developed website – A mainstay of the principles is the development of a website by the OBA industry. The website is to function both to educate the public on OBA generally and to aid parties in satisfying their transparency obligations. If the parties have not negotiated for a link as discussed in sections (1) and (2), the web site should link to the industry-developed site.

The owners of web sites from which data is collected should be aware that their responsibilities shift depending on whether or not third parties have provided a link in or around their advertisements. In renewing contracts, owners should be aware that third-party gatherers may seek to implement new terms, shifting the onus of disclosure to the first party.

Choosing Vendors and Business Partners: In addition, should these guidelines be widely adopted, owners of first-party sites need to consider whether they wish to remain in business with third parties that do OBA but are not in compliance with the guidelines.

Sensitive Data: All parties are barred from collecting "personal information" from children known to be younger than 13 or from sites directed to those younger than 13. The guidelines defer to the definition of "personal information" provided by the Children's Online Privacy Protection Act (COPPA). COPPA is available here. Additionally, all parties are barred from collecting and using financial-account numbers, Social Security numbers, prescriptions, or medical records about any individual for OBA purposes without that person's consent.

The full text of the Self-Regulatory Principles is available here.