Two digital advertising companies, Adbrain and Exponential Interactive, were cited in recent decisions by the Better Business Bureau’s Online Interest-Based Advertising Accountability Program (OIBAAP) for not complying with the online advertising industry’s requirements for interest-based advertising (IBA), the practice of tracking users across time and services to build interest profiles on them in order to serve more relevant ads.
The latest in a series of enforcement actions by the OIBAAP for noncompliance with the Digital Advertising Alliance (DAA) Self-Regulatory Principles (Principles), these two cases provide important takeaways for digital advertisers.
1. No Excuses: Third Parties Are Responsible for Providing “Enhanced Notice”
2. Consumer “Opt-Out” Mechanisms Must Be “Easy-to-Use”
As in previous cases, the OIBAAP cited Adbrain for not providing an “easy-to-use” tool for consumers to opt out of its IBA data collection activities on nonaffiliate mobile apps. The Principles to the Mobile Environment state that Third Parties engaged in the collection of cross-app data for IBA must provide “an easy-to-use mechanism for exercising choice with respect to the collection and use of such data or the transfer of such data to a non-affiliate for IBA.” Although Adbrain had an opt-out mechanism that worked, it was so difficult to use that the OIBAAP found it to be in violation of the Principles, stating that “Adbrain’s opt-out solution was easy for the company, not for the consumer.” When designing opt-out mechanisms, digital advertising companies need to ensure that they are “clear, meaningful, and easy-to-use” or risk violating the Principles.
3. The Compliant Collection of “Precise Location Data” Requires Partnership Between First and Third Parties
The OIBAAP found Exponential Interactive to be noncompliant with the Principles with regard to its obligations as a collector of “Precise Location Data” for IBA from nonaffiliate mobile apps. Precise Location Data is defined under the Principles as “data obtained from a device about the physical location of the device that is sufficiently precise to locate a specific individual or device.” The Principles to the Mobile Environment require that, prior to collecting or using Precise Location Data for IBA, Third Parties must give “clear, prominent, and meaningful” notice of their IBA data collection activities, obtain consumer consent, provide consumers with a way of withdrawing their consent to the data collection activity and explain their adherence to the Principles. This notice should be provided on the Third Party’s own website or through the First Party’s website or mobile app. Although Exponential Interactive was not using Precise Location Data for IBA at the time of the OIBAAP’s investigation, it promised to make sure that future Precise Location Data collection complies with the Principles. In its decision, OIBAAP identified placing notice of a Third Party’s Precise Location Data collection activities on a First Party’s website or mobile app as a best practice. To achieve this best practice, Third Parties and First Parties need to work together to make this information available to the consumer.
4. Watch Out for Savvy Consumers
In light of recent high-profile cybersecurity incidents, consumers are becoming more concerned about the security and privacy of their data and, in turn, are submitting an increasing number of complaints to government and industry regulatory agencies for perceived violations of their rights. For example, the OIBAAP investigation into Adbrain was prompted by a consumer complaint. Digital advertisers need to ensure that they are complying with the Principles or else they too may be subject to consumer complaints and potential OIBAAP investigations.
We have previously blogged about the IBA self-regulatory programs here, here and here. The BakerHostetler Privacy and Data Protection team regularly advises First Parties and Third Parties on how to comply with these programs. For more information, contact the authors.