Does Your Company Engage in Cross-Device Tracking and Comply with DAA Guidance?

The Digital Advertising Alliance (DAA) is a self-regulatory body that oversees online interest-based advertising. Over the years, it has issued principles and guidance to which companies in the online interest-based advertising ecosystem must adhere. The DAA also set up an accountability program to oversee and ensure compliance with those principles and guidance.
The upcoming enforcement will not only impact DAA participants, but will also affect companies that contract with participants. Vendors that perform data analytics or provide advertising services frequently participate in the DAA and often contractually require their customers to comply with DAA Principles. For more information see: Enforcement of DAA Cross Device Tracking Guidance Set to Begin in Early 2017.
Does Your Website Use Google Analytics?

Also in 2016, Google updated its policies with respect to its Analytics products. The updated policy requires website operators that use Google Analytics to disclose three things in their privacy policies. First, the policy must specifically list the Google Analytics advertising features that the website operator has implemented, instead of generically citing the use of Google Analytics as a whole. Second, the policy must describe how the website operator and its third-party vendors use first-party cookies or identifiers together with third-party cookies. Third, the policy must include an opt-out section for the specific Google Analytics features the website operator has implemented, whether that is through a setting or through a broad opt-out such as the consumer opt-out provided by the NAI. Google also encourages, but does not require, websites to direct their users to Google Analytics’ opt-out for the web.
- Be clear, concise and easy to understand;
- Describe the Company’s information handling practices and the choices the Company offers individuals with respect to the use and disclosure of their personal data;
- Specifically refer to the Company’s Privacy Shield compliance, and provide a hyperlink to the Department of Commerce’s Privacy Shield website;
- Identify the Company’s independent recourse mechanism, and provide a hyperlink to the website of the recourse mechanism or to the independent recourse mechanism’s complaint submission form;
- Include a statement of the individual’s right to access his or her personal data;
- Identify the statutory body that has jurisdiction to hear claims against the Company; and
- Explain that the Company may have a requirement to disclose personal data in response to lawful requests by public authorities, including to meet national security requirements.