Building Trust in Targeted Online Advertising Giving Consumers Transparency, Notice and Choice in the EU TRUSTe WHITEPAPER TRUSTe Inc. EU: +44 (0) 203 626 0109 www.truste.co.uk US: 1-888-878-7830 www.truste.com

Building Trust in Targeted Online Advertising – TRUSTe Whitepaper


DESCRIPTION

Recent Online Behavioural Advertising (OBA) rules now require ad networks, advertisers, and publishers to remain transparent with their consumers. Learn how to comply with the new rules and how to give consumers the notice and choice they want through TRUSTe's EU Solutions. Visit http://www.truste.com/consumer-privacy/about-oba/ to learn more about OBA.



This TRUSTe Whitepaper will provide advertisers, agencies, third parties and publishers with advice on:

• Background and regulatory context for the new UK Committee of Advertising Practice (CAP) guidelines for Online Behavioural Advertising (OBA)

• Insight into UK consumer views on OBA

• Outline of the EU Self-Regulatory Programme on OBA

• Obligations for third parties under new CAP guidelines

• Examples of best practice for advertisers, agencies & publishers

• Potential consequences of non-compliance


BACKGROUND AND REGULATORY CONTEXT

In November 2012, the UK Committee of Advertising Practice (CAP) published new rules covering Online Behavioural Advertising, which came into force on 4th February 2013. For the first time the Advertising Standards Agency (ASA) will regulate the way that ad networks and other third parties engage with end-users about their use of online behavioural tracking and targeting technologies such as cookies.

These new rules mean that from the 4th February ads presented to consumers based on previous web browsing history, known as Online Behavioural Advertising (OBA), will have to include information within or near the ad explaining to consumers that they have been targeted using OBA. The new rules also require that third parties provide users with a way to opt out of this practice.

The new CAP rules are based on the European Self-Regulatory Programme on OBA set out in the IAB Europe Framework for Online Behavioural Advertising published in April 2011. This means that if businesses are complying with the EU Self-Regulatory Framework then they will be compliant with the new rules in the CAP Code. National Self Regulatory Organisations (SROs) across the EU are working on implementing similar rules.

Nick Stringer, Director of Regulatory Affairs, IAB UK, said, “The EU self-regulation initiative for behavioural advertising seeks to provide greater transparency and control to consumers, backed by a robust and independent enforcement mechanism and ‘tried and tested’ complaints-handling process. It has strong political support from the UK government and European Commission.”

Most online behavioural advertising is delivered through cookies and other technologies. Under the EU Cookie Directive, enforced by the ICO in the UK since 26 May 2012, websites are required to provide notice and gain consent for the use of cookies on their site. Following the CAP guidelines does not mean that all businesses are compliant with the EU Cookie Directive (in the UK or any other EU markets) so it is important to ensure compliance with each regime on their own terms. For guidance on how Ad Networks can comply with the EU Cookie Directive see sources of further information at the end of this Whitepaper.

WHAT CONSUMERS THINK ABOUT ONLINE BEHAVIOURAL ADVERTISING

The TRUSTe UK 2012 Consumer Data Privacy Study showed that 79% of UK consumers were aware of Online Behavioural Advertising (OBA) and 53% did not like it. One in three users had felt uncomfortable about targeted advertising.

[Charts: “Favourability Toward OBA” (Do Not Like It, Neither Like Nor Dislike It, Like It: 53%, 38%, 9%) and “Has OBA Ever Made You Feel Uncomfortable?” (Yes, No, Not Sure: 35%, 45%, 20%)]


However, the research also showed that good privacy practices make a difference and 51% would be more inclined to click on an advertisement that gave them the option to opt-out of Online Behavioural Advertising.

[Chart: “I would be more inclined to click on an advertisement that gives me the option to opt out of Online Behavioural Advertising”: 51% agree (Strongly Agree and Somewhat Agree combined; segments of 36% and 15%)]

EUROPEAN SELF-REGULATORY PROGRAMME ON OBA

The majority of users want control over their privacy on the internet. However they also acknowledge the important role advertising online has to play in making content and services available at little or no cost. The EU Self-Regulatory Programme for Online Behavioural Advertising seeks to strike that balance by providing consumers with greater contextual transparency and control.

At the heart of the European Self-Regulatory Programme on OBA is an interactive pan-European icon to identify ads on all websites that are delivered to internet users through Online Behavioural Advertising (OBA). This icon is a consumer-facing, interactive symbol that links consumers to mechanisms for users to control preferences, including an online portal, www.youronlinechoices.eu, where they can find easy-to-understand information on the practice of OBA as well as a mechanism for exercising informed choice – if they so wish, consumers may ‘turn off’ OBA by some or all companies.

The European Interactive Digital Advertising Alliance (EDAA) is the organisation responsible for administrating the EU Self-Regulatory Programme for OBA across Europe and licensing the use of the icon. You can find out more details at http://www.edaa.eu

Participants in the programme will be granted a Trust seal to demonstrate their compliance.

In the TRUSTe 2012 UK Consumer Data Privacy Study 42% of consumers were more favourable towards digital advertising if presented with the Self-Regulatory Programme on OBA.

[Chart, captioned in the source “I would be more inclined to click on an advertisement that gives me the option to opt out of Online Behavioural Advertising”: 42% agree (Strongly Agree and Somewhat Agree combined; segments of 32% and 10%)]


OBLIGATIONS & GUIDANCE FOR THIRD PARTIES UNDER THE EUROPEAN SELF-REGULATORY PROGRAMME ON OBA

The guidelines under the European Self-Regulatory Programme apply predominantly to ad networks and other third parties using behavioural targeting techniques to deliver the ads. These parties may be ad servers, OBA providers, data aggregators, retargeting companies, Demand Side Platforms (DSP) and Supply Side Platforms (SSP).

However, in practice companies will benefit from working closely with publishers, advertisers and agencies to provide notice on their site. As the in-ad notice applies to an OBA ad, having the icon or a link always available on a publisher’s site makes the information more easily accessible to the user. Publishers may choose to do this to provide more transparency to their users and enhance trust. They may also use the icon on web pages (eg as a footer) – see below.

However, since the obligation to comply with the guidelines lies with third parties, there are a number of steps third parties can take when working with their first party publishers to implement the guidelines.

For example: third parties may contractually require their first party publishers to provide the notice and choice mechanism. If third parties do this then they should always remember that the responsibility lies with them, and verify and monitor their publishers to make sure the mechanism is in place. Even if the third party places obligations on its publishers to provide notice, ultimate compliance with the guidelines is the responsibility of the third party, which is why monitoring is important.

At the core of the guidelines is the requirement to ensure transparency and choice for consumers. Taking each in turn:

1. Transparency

1.a. Pan-European OBA icon

Fundamental to the guidelines is the requirement that third parties should provide “enhanced notice” to users of the collection and use of data for OBA purposes via the OBA icon in or around the advertisement.

Regardless of any arrangements with publishers or agencies/advertisers, the responsibility to display the enhanced notice belongs to third parties. Should a third party fail to comply, it is the third party and not the web site operator or agency/advertiser that the ASA (and any other self-regulatory organisation across Europe) will consider to be non-compliant.

In order to display the OBA icon, the third party must have a license; in the EU/EEA the relevant license can only be obtained from the EDAA, under specific terms and conditions.


Example of how the “enhanced notice” works through the interactive icon:

1. Render

2. Upon hover on icon

3. Links to http://www.youronlinechoices.com/uk/

1.b. Notice on third parties’ websites

In order to build trust in OBA, third parties need to be transparent with users about their OBA data collection and use practices. Third parties should have a notice on their website with the following information:

• Third party’s identity and contact details

• The types of data collected and used for the purposes of OBA including whether any of this is personal data as defined in the European data protection legislation

• The purposes for which OBA data is processed and who it is provided to

• A link to the OBA User Choice site (i.e. www.youronlinechoices.eu)

• A way for users to exercise choice with regard to collection and use of data for OBA purposes; this can be either a link to the opt-out page of the OBA User Choice Site (i.e. www.youronlinechoices.eu) or a more advanced User Preference Management tool implemented by the third party on its own website

• A statement to the effect that the Company adheres to these principles

Under the guidelines there are additional obligations for third parties. These include putting in place adequate safeguards to ensure data security, having an effective mechanism for dealing with complaints and consumer education. For further details see the Self-Certification Criteria for companies participating in the European Self-Regulatory Programme on OBA.


2. User Choice

Under the guidelines, each third party should make available a simple way for users to exercise choice and turn off Online Behavioural Advertising. In practice this means:

• There should be a clear link from the OBA icon to the OBA User Choice Site (i.e. www.youronlinechoices.eu)

• Integration of the third party with the user choice mechanism hosted on the OBA User Choice Site must be in place and work reliably over time; this obligation refers mainly to OBA providers or any third parties using their own means to uniquely identify a browser

• Using technologies to circumvent user’s express choices (for example by deliberately “re-spawning” deleted cookies) is not regarded as compliant with data protection law and should not be used

3. Explicit Consent

Certain practices, such as using OBA segments relying on sensitive personal data as defined in the European data protection legislation, or collecting or using data via technologies that are intended to harvest all or most URLs visited from a particular computer, require explicit consent from users. Details of exactly when this is required and how this should be obtained are included in the Self Certification Criteria for companies participating in the European Self-Regulatory Programme on OBA.

BEST PRACTICE FOR ADVERTISERS, AGENCIES AND PUBLISHERS

Advertisers & Agencies

Advertisers and agencies do not have specific obligations under the new guidelines. However if the advertiser on its own site permits data to be collected by third parties in order to be used on a web site for OBA purposes then the advertiser is acting as a publisher and should inform users appropriately. For further details please see advice for publishers below.

Agencies play a key role in serving the OBA icon; while this does not mean that agencies take responsibility or assume liability that the OBA icon will always be served correctly, in practice the OBA icon is often served by the originating ad server (which may be the agency ad server). Please note: the ad server will require its client to have a license to use the icon.

Advertisers and agencies should also be aware that it is envisaged that the penalties for non compliant players (ad networks, third parties, publishers) are removal of the Trust seal and communication of the failure to comply to the market and the public. Advertisers and agencies should therefore consider the compliance status of their suppliers when doing business.

Publishers

The IAB Europe EU Framework for Online Behavioural Advertising strongly recommends that publishers inform internet users about OBA data collection by third parties on their sites. When publishers, on their own site(s), permit data to be collected by third parties in order to be used on a website for OBA purposes and the OBA icon is not provided by these third parties, the publisher should provide adequate disclosure of this arrangement via a link in the footer with these characteristics:

• The link is placed in the footer of all pages and is distinct from the “Terms and Conditions” link

• The exact wording is not prescribed but it should be clear to a visitor to the site that by clicking on the link they would be redirected to a page with information about data collection on the site


• A user clicking on the link is presented with an information page containing the following:

  – A list of third parties who are active on the site and with which the user wittingly or unwittingly may be interacting

  OR

  – Links to further information on OBA and online privacy such as the OBA User Choice site (i.e. www.youronlinechoices.eu)

  – Optionally, any other information that supports user understanding and the aims of the IAB Europe OBA Framework

Consequences of non-compliance

If businesses are not compliant with the EU Self-Regulatory Programme for OBA and hence the new CAP rules, then from 4th February 2013 the ASA’s enforcement sanctions could involve remedial action; a formal investigation, leading to the adjudication being published on the ASA website or bringing a company’s continued non-compliance to the attention of a third party’s potential clients and partners.

ASA’s enforcement is based on the consumer complaints they receive and any unresolved consumer complaints may be dealt with by other self-regulatory organisations across Europe depending on the business’ ‘country of origin’ (eg ASA in Ireland).

Two further sanctions apply if the third party is a signatory to the EDAA mechanism: removal of the trust seal and communication of the failure to comply to the market and the public.

So if businesses want to avoid:

• Costly investigations

• Negative media coverage

• Loss of public trust

Then, whether they are a third-party ad network, advertiser, agency or publisher they need to think about their strategy for providing transparency, notice and choice.


Further information

For a copy of the CAP Regulatory Statement:

http://www.cap.org.uk/News-reports/Media-Centre/2012/~/media/Files/CAP/Misc/Regulatory statement OBA.ashx

For a copy of the CAP Help note on OBA:

http://www.cap.org.uk/Advice-Training-on-the-rules/Help-Notes/Online-Behavioural-Advertising.aspx

For the IAB Europe EU Framework for Online Behavioural Advertising:

http://www.iabeurope.eu/media/107311/2012-12-11_iab_europe_oba_framework.pdf

For the Self-Certification Criteria for Signatories to the IAB Europe OBA Framework:

http://www.iabeurope.eu/media/94639/oba_fw_self_certification_criteria_v1.pdf

For the IAB UK guide to the EU Self-Regulatory Programme for OBA:

http://www.iabuk.net/iab-uk-s-guide-to-the-eu-self-regulatory-initiative-for-behavioural-advertising

For details of EDAA, the icon and a list of participating companies visit:

http://www.edaa.eu

For information about TRUSTed Ads EU:

http://www.truste.com/products-and-services/enterprise-privacy/TRUSTed-ads-eu

For information about how Ad Networks can comply with the EU Cookie Directive:

http://download.truste.com/dload.php/?f=V4Y74DAT-366

For details of TRUSTe privacy research:

http://www.truste.com/resources/?sec=2

ABOUT TRUSTe

TRUSTe is the leading global provider of online privacy solutions for business, offering a broad suite of technologies and certifications to help companies build trust and increase engagement across their online channels, including websites, mobile apps, advertising, and cloud services. Over 5,000 companies, including top international brands like Apple, eBay, LinkedIn and Microsoft, rely on TRUSTe to build trust and address evolving and complex privacy challenges. TRUSTe’s green Certified Privacy Seal is widely recognised and trusted by millions of consumers worldwide as a sign of responsible privacy practices. For additional information on TRUSTe please visit http://www.truste.co.uk.

CONTACT US EU: +44 (0) 203 626 0109 www.truste.co.uk | US: 1-888-878-7830 www.truste.com