Two digital advertising companies, Adbrain and Exponential Interactive, were cited in recent decisions by the Better Business Bureau’s Online Interest-Based Advertising Accountability Program (OIBAAP) for not complying with the online advertising industry’s requirements for interest-based advertising (IBA), the practice of tracking users across time and services to build interest profiles on them in order to serve more relevant ads.

The latest in a series of enforcement actions by the OIBAAP for noncompliance with the Digital Advertising Alliance (DAA) Self-Regulatory Principles (Principles), these two cases provide important takeaways for digital advertisers.

1. No Excuses: Third Parties Are Responsible for Providing “Enhanced Notice”

The Exponential Interactive case reiterates the takeaway from previous OIBAAP decisions that Third Parties have no excuse for not providing “Enhanced Notice” when collecting data for IBA from nonaffiliate websites. In its decision, the OIBAAP stated that First Parties (typically website and mobile app publishers) and Third Parties (typically ad tech companies) share the responsibility for providing Enhanced Notice. Under the Principles, First Parties must provide Enhanced Notice when they permit Third Parties to collect data for IBA from their services. The Enhanced Notice must be a “clear, meaningful, and prominent” link distinct from the First Party’s Privacy Policy that is placed on each webpage where the IBA data collection occurs. The Enhanced Notice link must take consumers to a disclosure that explains the First Party’s adherence to the Principles and either lists all the Third Parties engaged in IBA data collection with links to their “opt-out” programs or links to the DAA’s master consumer control mechanism at Third Parties that collect IBA data also have an obligation under the Principles to provide Enhanced Notice on their own websites and on the nonaffiliate services from which they collect data for IBA. The Enhanced Notice on the Third Parties’ websites must (a) describe the types of data collected for IBA, (b) explain how the data will be used and with whom it may be shared for IBA purposes, (c) provide an “easy-to-use” mechanism for consumers to opt out of participating in the IBA data collection activities, and (d) affirm the Third Party’s adherence to the Principles. A link to the Third Party’s Enhanced Notice must also be provided on each webpage from which it collects data for IBA. If the Third Party is serving IBA ads, in addition to collecting data for IBA, it can provide a link to its Enhanced Notice in or around the advertisements it places on the nonaffiliate website using the Advertising Option Icon (AdChoices Icon or Icon) and the phrase “AdChoices.” If the Third Party does not serve ads on the nonaffiliate website from which it collects data for IBA, it must ensure that the First Party provides Enhanced Notice or obtain access to the nonaffiliate website from the First Party to place a link to its own Enhanced Notice on each webpage where it is collecting data for IBA. Despite Exponential Interactive’s not having direct access to the nonaffiliate website from which it collected data for IBA, the OIBAAP found that Exponential Interactive was nonetheless responsible for ensuring that Enhanced Notice was being provided to consumers. Based on its investigation, the OIBAAP determined that Exponential Interactive should have either contacted the First Party to ensure that Enhanced Notice was being provided or asked the First Party for space on the First Party’s website to provide its own Enhanced Notice. Based on this case, digital ad networks and servers should review the nonaffiliate websites and mobile apps from which they collect data for IBA to ensure that Enhanced Notice is being provided to consumers.

2. Consumer “Opt-Out” Mechanisms Must Be “Easy-to-Use”

As in previous cases, the OIBAAP cited Adbrain for not providing an “easy-to-use” tool for consumers to opt out of its IBA data collection activities on nonaffiliate mobile apps. The Principles to the Mobile Environment state that Third Parties engaged in the collection of cross-app data for IBA must provide “an easy-to-use mechanism for exercising choice with respect to the collection and use of such data or the transfer of such data to a non-affiliate for IBA.” Although Adbrain had an opt-out mechanism that worked, it was so difficult to use that the OIBAAP found it to be in violation of the Principles, stating that “Adbrain’s opt-out solution was easy for the company, not for the consumer.” When designing opt-out mechanisms, digital advertising companies need to ensure that they are “clear, meaningful, and easy-to-use” or risk violating the Principles.

3. The Compliant Collection of “Precise Location Data” Requires Partnership Between First and Third Parties

The OIBAAP found Exponential Interactive to be noncompliant with the Principles with regard to its obligations as a collector of “Precise Location Data” for IBA from nonaffiliate mobile apps. Precise Location Data is defined under the Principles as “data obtained from a device about the physical location of the device that is sufficiently precise to locate a specific individual or device.” The Principles to the Mobile Environment require that, prior to collecting or using Precise Location Data for IBA, Third Parties must give “clear, prominent, and meaningful” notice of their IBA data collection activities, obtain consumer consent, provide consumers with a way of withdrawing their consent to the data collection activity and explain their adherence to the Principles. This notice should be provided on the Third Party’s own website or through the First Party’s website or mobile app. Although Exponential Interactive was not using Precise Location Data for IBA at the time of the OIBAAP’s investigation, it promised to make sure that future Precise Location Data collection complies with the Principles. In its decision, OIBAAP identified placing notice of a Third Party’s Precise Location Data collection activities on a First Party’s website or mobile app as a best practice. To achieve this best practice, Third Parties and First Parties need to work together to make this information available to the consumer.

4. Watch Out for Savvy Consumers

In light of recent high-profile cybersecurity incidents, consumers are becoming more concerned about the security and privacy of their data and, in turn, are submitting an increasing number of complaints to government and industry regulatory agencies for perceived violations of their rights. For example, the OIBAAP investigation into Adbrain was prompted by a consumer complaint. Digital advertisers need to ensure that they are complying with the Principles or else they too may be subject to consumer complaints and potential OIBAAP investigations.

We have previously blogged about the IBA self-regulatory programs here, here and here. The BakerHostetler Privacy and Data Protection team regularly advises First Parties and Third Parties on how to comply with these programs. For more information, contact the authors.