What the Newest DAA “Compliance Warning” and its Enforcement Means for Your Website or Platform
As we reported last month on this blog, as of January 1st, 2014 websites that permit the collection of third party data through ads and other means may begin receiving enforcement letters from the Online Interest-Based Advertising Accountability Program operated by the Council of Better Business Bureaus (“Accountability Program”) — the entity that enforces the Self-Regulatory “OBA Principles” on behalf of the Digital Advertising Alliance (“DAA”).
The Accountability Program issued a “Compliance Warning” recently based on its observation that “even some of the most assiduously compliance companies that consistently provide the AdChoices Icon on all interest-based ads and maintain excellent privacy policies,” are nonetheless – probably inadvertently – “failing to meet their enhanced notice requirement requiring third-party OBA collection.” In other words, many companies comply with the OBA Principles in their own ads, but do not ensure that third party ads or tracking tools on their websites, and the various third parties serving them, are complying with the OBA Principles regarding transparency. The Accountability Program has made clear that this it is their obligation to do so. In particular, the Accountability Program’s is seeking to make more widespread the use of an “Enhanced Notice” link on websites, particularly where third parties are not consistently providing Enhanced Notice within ads through the increasingly visible (but not quite ubiquitous) AdChoices Icon.
Websites and brands ought take note of this Compliance Warning, because it purports to apply to any company that serves or facilitates third party ads – even if that company has not overtly subscribed to the DAA or OBA Principles. Failure to abide by the Compliance Warning risks self-regulatory enforcement through the Accountability Program, which may involve, for instance, the issuance of a Decision upon Formal Review or a referral to the FTC.
The Accountability Program’s Guidance for First Party Websites
As noted above, the Accountability Program’s Compliance Warning is aimed particularly at websites – with a likely focus on websites that have significant traffic or are operated by significant brands.
The Compliance Warning also emphasizes that:
“Unless an ad bearing in-ad notice is served on every Web page of a publisher’s site where third parties are collecting data for OBA and that notice directs a consumer to the choice mechanisms of all third parties collecting on that Web page or to an industry-developed choice mechanisms, the Transparency Principle’s enhanced notice requirement for collection is not satisfied, and the website operator cannot rely on the third parties’ in-ad enhanced notice as provided under Section II.A.2 of the OBA Principles . . . .” (Emphasis in original)
Enforcement against First Parties and Third Parties
The Accountability Program has expanded its enforcement efforts against both First Parties and Third Parties. For instance, recent Formal Reviews of BMW and Scottrade were resolved with those companies implementing the AdChoices icon or other “enhanced notice” on their websites. See www.bmwusa.com and www.scottrade.com. (The underlying Decisions are available here and here). As suggested by the recent Compliance Warning, these companies were called to task not for the lack of Enhanced Notice in their own ads, but rather for the lack of Enhanced Notice about third party data collection on their websites.
The Accountability Program also has set a high bar in requiring third party platforms to ensure that the AdChoices icon (or another Enhanced Notice) is properly deployed. For instance, a recent Accountability Program Decision deemed the ad platform MediaMath in violation of the OBA Principles, even where that company had contractual and other precautions in place to ensure that advertisers using its technology deployed the AdChoices icon. As to such third parties operating “self-serve” platforms (e.g., platforms where advertisers largely select their own audiences), the Accountability Program noted that:
“[I]increasingly, self-serve platforms are providing advertisers or their agencies with the opportunity to manage the ad campaign on a ‘do-it-yourself’ basis . . . While the company that is employing the self-serve platform has the knowledge of the nature of the campaign (e.g., is it an interest based ad campaign) and is therefore ultimately responsible for providing the notice through the self-serve platform or otherwise, the provider of the self-service platform . . . is often in the best position to understand the compliance obligations of the OBA Principles and how to enable the use of the AdChoices Icon on its platform. As such, the providers of these sophisticated technologies that collect and use OBA data cannot be merely passive suppliers in these times of heightened privacy concerns.”
Resolving Some Common Misconceptions . . .
The Accountability Program’s recent Compliance Warning and Decisions underscore several misconceptions that sometimes prevail within the online advertising ecosystem:
- First, the Program’s reach (at least, by its own fiat) applies across the industry to advertisers, platforms and publishers alike – regardless whether those actors are members of any DAA organization or have ever subscribed to the DAA Principles.
- Publishers – as well as third parties – may have “Enhanced Notice” obligations, and these obligations go beyond merely having the appropriate language in privacy policies.
- The DAA Principles apply to retargeting as well as data collection for other purposes, as a recent Accountability Program enforcement action against “23andMe, Inc.” recognized.
In addition to all of the above, first and third parties alike have been taken to task by the Accountability Program regarding other disclosures, including the requirement that they insert into their websites a statement of compliance with the Principles.
Websites that are uncertain whether they comply (or need to comply) with the Enhanced Notice requirements should as a first step perform an audit of third party tracking occurring on their sites — whether by doing an inventory of tags placed on their site or by reviewing third party contracts (preferably, both). Third parties, in turn, should expect increasingly to be held to an “Enhanced Notice” standard regardless, given the gaps in first party compliance that are likely to occur.