Online behavioural advertising (OBA) has become a hot topic for social media and Internet advertisers over the last few years, and compliance with both legal and self-regulatory regimes has never been more important. Simply put, OBA is the practice of tracking the activity of an Internet user across multiple websites in order to serve them ads that correspond with their inferred interests or preferences. The practice raises complex questions about privacy, the protection of personal information, and the transparency of Internet operators and advertisers.
While there appears to be a consensus in the Western world that consumers should be informed when their personal information is being collected and be offered the option not to be tracked, the implementation of these principles differs between nations. The practice of OBA often does not respect political boundaries, but each region addresses the issue from a unique framework of laws and a different understanding of the right to privacy. A summary of the regulation of OBA in Canada, the U.S., and the EU follows.
The Office of the Privacy Commissioner of Canada (OPC) released a new policy position on OBA in June 2012. The OPC’s policy guidelines serve to inform and clarify the application of Canada’s federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), to OBA.
The guidelines state that the OPC will view all information collected for OBA as “personal information” for the purposes of PIPEDA, regardless of whether that information can be reasonably used to identify an individual. However, the guidelines do allow the collection of personal information for OBA so long as certain requirements are met. Key among these requirements are the criteria that the user be informed that their information is being collected and how it is being used, and that the user be given an option to immediately and persistently opt out of being tracked for OBA. Depending on the sensitivity of the information, opt-in consent may be required instead.
Canada is also currently in the process of implementing a self-regulatory framework similar to the existing self-regulatory system in the U.S., which is described below. The framework is being established jointly by the Interactive Advertising Bureau of Canada, the Council of Better Business Bureaus and Advertising Standards Canada. The Privacy Commissioner of Canada has publicly supported the implementation of this program.
The U.S. does not currently have any federal legislation addressing OBA. However, both the Federal Trade Commission and the White House have published privacy guidelines that are applicable to OBA. While these documents do not have legal force, they are intended to help guide future legislation and industry self-regulation.
As mentioned above, a self-regulatory program is currently in place in the U.S. The program requires participants to adhere to a number of principles, and divides up responsibilities between website operators, ad networks, and Internet service providers. The principles primarily call for participants to ensure transparency and the consent of users, and, like Canada, require an opt-out mechanism for users. To facilitate this, a single opt-out webpage has been established, where users can opt out of being tracked by any or all participating ad services. Additionally, a universal icon has been created which is to be displayed near all OBA advertisements. This icon links to a full disclosure about OBA and the collection and use of personal information, and provides access to the central opt-out page.
More information about the U.S. self-regulatory regime, and the central opt-out page, can be found at AboutAds.info.
Similar to policies in both the U.S. and Canada, Europe’s e-Privacy Directive requires companies collecting personal information to provide “clear and comprehensive information” about the collection and storage, including the identity of the data controller, the purposes of the data storage, and whether there is a right to access or amend the individual’s stored data.
Diverging from the North American approach, however, Europe’s e-Privacy Directive also requires opt-in consent for the storage of personal information, except in very limited circumstances. This requirement is often known as the “cookie law,” as its implementation would prevent the placing and tracking of Internet cookies on users’ computers. Twenty European nations have adopted the Directive. Some nations, like France and Cyprus, now require opt-in consent for the storage of personal information or the tracking of cookies online. Other nations, such as the U.K., Germany, Denmark, Finland and Hungary will allow implied consent. This implied consent is to be determined from a user’s browser or application settings. The exact legal requirements will vary from nation to nation.