From 4 February 2013, organisations using targeting advertising online - known as 'online behavioural advertising' (OBA) - will be required to tell web users about their use of OBA and allow them to opt-out of having their data collected and used for OBA.
Here, we consider how OBA is currently used, what the new rules will require and their impact on the advertising industry and consumers.
Online behavioural advertising: What is it?
The Committee of Advertising Practice (CAP) defines OBA as a developed form of targeted advertising carried out by 'third parties'.
The term 'third parties' refers to organisations which do not own or operate the website on which advertising is carried out, but which work in conjunction with the website operator to collect data on users' web viewing behaviour.
These third parties collect data from a particular user's computer, analyse it, and use it to deliver customised advertising to that user.
OBA enables the third party to identify a user's particular interest or preference from the data collected and to then place a cookie on that user's computer to determine what advertising the user will receive.
Preferences may be inferred, for example, based on pages recently visited, advertisements clicked on, or products purchased or viewed online. These are often categorised to target multiple web users with similar interests (albeit anonymously).
The new rules
CAP recently announced that from 4 February 2013, new rules will govern how organisations use OBA and will be enforced by the Advertising Standards Authority (ASA).
Essentially, the rules require 'third parties' to:
- Set out a clear and comprehensive notice on the third party's own website to state that they collect and use web viewing behaviour data for the purposes of OBA, and provide users with a mechanism on their own website to opt-out of having their data collected and used for the purposes of OBA.
- Set out a clear and comprehensive notice on or around the display advertisement on the website where the OBA appears. The notice must state that they collect and use web viewing behaviour data for the purposes of OBA. The third party must also provide users with a link on or around the display advertisement enabling users to opt-out of having their data collected and used for the purposes of OBA.
- Not create 'interest segments' specifically designed for the purpose of targeting OBA to children aged 12 or under. CAP has issued a Help Note explaining that 'interest segments' are often created to categorise individuals based on data collected from a range of websites.
- If the organisation uses technology to collect and use information about 'all or substantially all' of the websites visited by a web user to deliver OBA on their computer, they must obtain 'explicit consent' from that web user before using OBA. This rule relates primarily to OBA taking place at internet service provider (ISP) level, where the ISP collects information from websites visited by a particular computer or browser to deliver advertising. The term 'explicit consent' indicates that the third party will need to get a user's express or 'opt-in' consent, confirming that the user agrees to their data being collected and used for the purposes of OBA.
The first two rules above require notices and opt-out mechanisms to be used on the third party's own site and the website operator's site. These can be in the form of an icon, symbol or text, but should be of an appropriate size and colour, making the notice easy to see and read. Notices should not be obscured by background text or the advertisement itself.
The opt-out mechanism used in conjunction with a notice must be 'effective'. If the effectiveness of an opt-out is limited by any means (for example if deleting cookies may mean that the opt-out will not operate) the third party must explain the limitations on its effectiveness in the opt-out mechanism.
Many third parties currently provide consumers with a link to the site www.youronlinechoices.eu/, enabling users to opt-out of one, many, or all third parties using OBA on a pan-European basis.
The new rules will not apply to contextual advertising (i.e. advertising based on items a user is currently viewing on the website, provided by businesses such as Amazon), web analytics (for example the web analytics service provided by Google), ad reporting or ad delivery, the collection and use of information for OBA by website operators on their own websites, or the use of OBA in rich media, in stream videos online or on mobile devices. It is, however, anticipated that the rules will be applied to OBA on mobile devices in due course.
The rules are a response to developing technologies and new marketing trends, and have been introduced in line with the provisions of the Data Protection Act 1998 and Privacy and Electronic Communications Regulations 2003 (as amended). Similar rules will be incorporated into marketing and advertising codes across Europe.
What impact will the new rules have?
The new rules aim to ensure that OBA can be used to benefit the advertising industry and consumers alike, and will have an impact on third parties, website owners and operators and consumers.
Third parties will be required to comply with the rules and set out appropriate OBA notices and opt-out mechanisms to users in accordance with the rules.
Website owners and operators will also need to be aware of the new rules if third parties operate OBA on their websites on their behalf. If the ASA cannot identify the relevant third party, the advertiser (i.e. the website owner or operator) must co-operate with the ASA to identify the appropriate third party.
It is hoped that consumers whose online web viewing data is used for the purposes of OBA will benefit from the new rules, providing them with more transparency and choice.
The aim is that the new rules will result in increased consumer trust, because users will understand how data on their web browsing behaviour is collected and used.
However, some aspects of the new rules may be difficult to put into practice, as it is not entirely clear from the rules or CAP guidance what exactly is required.
For example, whilst the notice and opt-out requirements may not be too difficult to incorporate into the OBA mechanism, the rule prohibiting the creation of interest segments for children aged 12 and under is less clear. Does this require third parties to un-write software they use to ensure that the OBA will not operate in relation to goods which children aged 12 and under may be interested in? How will this work in practice?
The new rules are yet another example of the law attempting to keep up with the rapid pace of technological change. It will be interesting to see what impact the rules will have in practice, and whether their application will be further extended, as is already anticipated, in relation to OBA used on mobile devices.