What are the self-regulatory principles for behavioral advertising?
The self-regulatory principles were adopted in July 2009 by five major industry groups, including the Better Business Bureau, the Direct Marketing Association and the Interactive Advertising Bureau. The principles call for "enhanced disclosure" of behavioral or interest-based ad targeting. To meet the disclosure requirements, a link to company-specific information about privacy practices must be placed on webpages where user information is collected or used, or placed within or near the advertisements themselves.
The summary of the principles provided by the Internet Advertising Bureau includes the following provisions most relevant to websites:
- The Transparency Principle calls for clearer and easily accessible disclosures to consumers about data collection and use practices associated with online behavioral advertising. It will result in new, enhanced notice on the page where data is collected through links embedded in or around advertisements, or on the Web page itself.
- The Consumer Control Principle provides consumers with an expanded ability to choose whether data is collected and used for online behavioral advertising purposes. This choice will be available through a link from the notice provided on the Web page where data is collected.
Note: It will no longer be sufficient to put links to ad networks in your site's privacy policy. The new principles require disclosure on pages throughout your site.
Click here to see the full text of the principles.
How do I know if the ad networks I use are engaged in behavioral targeting?
The new self-regulatory principles apply to the collection of information from users in order to "predict user preferences or interests" to deliver related advertising. Over 100 ad targeting companies employ this kind of ad targeting in one way or another. The challenge for you as a website publisher is that ad networks typically do not outline their targeting practices in detail; nor do they often expressly disclaim the use of behavioral factors. Also, if you are using ad optimizers and exchanges or offering inventory through demand-side networks, you may not have a practical means to determine which ad networks are used on your site from time to time. The PrivacyWidget simplifies this process for you by sampling your pages and evaluating which networks are present and providing key excerpts so you can understand and evaluate their policies.
Under the new Self-Regulatory Principles, which pages on my website need to have a PrivacyWidget?
The new principles require links on each page where targeting information may be collected or used in connection with behavioral targeting for advertising. To ensure compliance, you should embed the PrivacyWidget on all pages on your site that carry third-party ads. In most cases, it's straightforward for your webmaster to include links on all pages in your site, and you may already do so with the link to your privacy policy. The guidelines do not specifically say where on the page the link should appear or the size of the type, so use your discretion. Burying the link in small type is not recommended.
The PrivacyWidget was designed with experimentation in mind. You can try it on a subset of your site and try different placements. Let analytics and user feedback be your guide!
My privacy policy links to the Network Advertising Initiative or DoubleClick's opt-out page. Do I need to do more according to the new industry principles?
If you include these links, you are ahead of many sites in terms of network privacy disclosure, but still behind the best practices called for in the new guidelines. Here are some things to keep in mind:
- Your list needs to be complete. Based on our scans, websites tend to have more ad networks who are not NAI members than networks who are NAI members.
- Your list should account for changes over time. Many sites see their network list change frequently, especially those using ad exchanges or optimizing platforms that may deliver ads from multiple networks.
- Including a list of networks in your privacy policy is not sufficient. The principles say that it should be linked directly and separately from any page where user information may be collected or used for targeting.
- The PrivacyWidget automatically provides the best disclosure experience for your users. In one simple interface they can find links to full privacy policies of your partners, key excerpts and opt-out pages. This way you demonstrate a strong commitment to user privacy while supporting an important industry initiative.
Aren't ad networks putting the required disclosure in the advertisements themselves?
The new self-regulatory principles say that if an ad network provides enhanced disclosure and links in or around the advertisement itself, then the website showing the ad does not need to provide further disclosure. However, only a handful or networks provide this disclosure, and the guidelines place a responsibility on you, as a website publisher, to confirm compliance for all behavioral advertising that may appear on your site. Also, disclosure in ads doesn't cover data collection that is not related to an ad on your site, such as if you employ retargeting of ads to customers after they leave your site. Also, even if users can look at disclosure for some ads, the best experience for your users is also to provide a combined list of all ad networks on the page or on your site, rather than forcing them to sort through privacy information on an ad-by-ad basis.
What about tracking companies that are not ad networks?
In addition to ad networks, many companies track user behavior across websites, including research and site analytics companies and content delivery networks. In many cases, even companies that are not thought of as ad networks are starting to leverage their installed base across websites to deliver or improve the delivery of advertising. Nearly all of these companies publish privacy policies about how this information may be used, and in many cases provide a process for consumers to opt-out of data collection. You have the option to include or exclude these kinds of companies in your PrivacyWidget list.
