Somebody’s Watching You: What Are the Rules?

In 1984, Kennedy William Gordy, better known as pop artist Rockwell, released his first and ultimately biggest hit: Somebody’s Watching Me.  One can only imagine how Rockwell would have felt if the Internet was in full swing when he sang about his fears.

Our behavior on the Internet is of great interest to many different people, including advertisers. They want to know what sites we visit, in part, to provide targeted ads. In other countries, it is common for governments to require that consumers opt-in to user tracking and targeting. But in the United States, several advertising industry associations, supported by the Council of Better Business Bureaus, have sought to self-regulate, in order to avoid legal requirements imposed by the government.

As part of that effort, in July 2009 those associations and the Council issued the Self-Regulatory Principles for Online Behavioral Advertising. The Principles are designed in large part to educate consumers about online behavioral advertising and promote transparency about data collection. The Principles define online behavioral advertising as the practice of collecting “data from a particular computer or device regarding Web viewing behaviors over time and across non-Affiliate Web sites for the purpose of using such data to predict user preferences or interests to deliver advertising to that computer or device based on the preferences or interests from such Web viewing behaviors.” (The definition also clarifies what online behavioral advertising does not include.) The Principles cover three major types of entities: First Parties, such as website publishers/operators; Third Parties, such as advertising networks and data companies; and Service Providers, such as any Internet access provider or other service that enables the provider to have access to all or substantially all URLs accessed by its users.

Under the Principles, website publishers are required to provide visitors with enhanced notice when Third Parties are collecting information. That notice includes the Advertising Option icon, a symbol similar in appearance to a play button that often appears on or near various ads. The icon, together with approved wording such as “AdChoices,” should direct consumers to the proper disclosure notice required by the Principles. By clicking on the icon, consumers should be able to learn about the data collection and use practices associated with the ad and opt-out if they so desire.

Several years after the publication of the Principles, the Online Interest-Based Advertising Accountability Program (OIBAAP), one of two agents charged with enforcing the Principles, realized that the responsibility for providing enhanced notice was misunderstood by a significant minority of otherwise compliant websites, and issued a Compliance Warning in 2013. OIBAAP was concerned that if enhanced notice was not provided, consumers might have a “creepy feeling” that they were “silently being followed around the Internet.” The warning put website owners on notice that more vigorous enforcement of the enhanced notice provision would begin on January 1, 2014.

Advertising-Option-IconFollowing up on the warning earlier this year, OIBAAP conducted a formal review and issued decisions regarding four popular websites: Etsy, Imgur, TWiT, and 247 Sports. All four had similarly failed to include the required enhanced notice on all pages where data collection was taking place. There were differences as well. For example, Etsy included a disclosure of third-party data collection for Internet advertising, while TWiT did not. All four companies changed their practices in response to the OIBAAP review, and all four decisions conclude by noting “practices voluntarily corrected.” Voluntary compliance is key, as the OIBAAP does not have the force of law. The Principles do call, however, for entities in the online behavioral advertising world to develop programs that will “publicly report instances of uncorrected violations to the appropriate government agencies.”

Web publishers need to be aware of more than just their specific responsibilities. They also need to consider issues such as the larger framework for monitoring the collection of consumer data and the responsibilities of others. For all these reasons and more, notices to web visitors and privacy policies need to be carefully drafted to provide clear and accurate information.

Finally, although the Principles technically apply to apps, apps are not browser-based. As a result, OIBAAP released its Mobile Guidance in July 2013. OIBAAP will begin enforcement of this Guidance on September 1, 2015. Anyone involved in advertising in the mobile space should be familiar with the Mobile Guidance.

This entry was posted in Corporate Data Policies, e-Commerce, Privacy, Privacy & Information Management and tagged , , . Bookmark the permalink.

Leave a Reply