How Do the Principles Apply to Third Parties?
You have identified yourself as a Third Party, which means that you engage in online behavioral advertising (“OBA”) on a non-affiliate’s website. This guidance for Third Parties is directed primarily to advertising networks and data companies that collect website viewing data across multiple unaffiliated sites and use such data to serve online interest-based advertising.
An advertiser (i.e., a company whose product or service is being promoted in an advertisement) may also be a Third Party if it engages in data collection and use for online interest-based advertising. However, if the advertiser uses an ad network or other entity to collect data for interest-based advertising purposes and that entity does not provide such data to the advertiser for its independent use, the advertiser is not a Third Party and not subject to the Principles in that capacity.
NOTE: If your company also operates websites and/or exercises control over other affiliated sites, then you may also be a First Party and you should also comply with the sections of the Principles and the Implementation Guide directed to First Parties engaged in those activities.
As a Third Party that operates across multiple unaffiliated sites, you should do the following to comply with the Principles:
- Provide a clear, meaningful and prominent notice on your website disclosing your OBA practices;
- Provide a clear, meaningful and prominent link (i.e., the “enhanced notice link”) to the information in your website notice. This can be accomplished either by linking directly from the advertisements you place (i.e., notice in or near the ad) or from other places on the web page where you collect or use data for OBA purposes (likely accomplished through collaboration with a First Party);
- Provide easy-to-use ways for consumers to choose whether data is collected and used for OBA purposes or is transferred to another, unaffiliated entity for OBA purposes;
- Provide appropriate security for, including limiting the retention of, the data you collect and use for OBA purposes;
- Obtain consumer consent before materially changing your OBA data collection and use policies; and
- Limit the collection of certain sensitive information for OBA purposes.
Below is a more detailed explanation of each of these obligations.
1. Ensuring Transparency
The Principles assign responsibility for consumer transparency and control concerning OBA practices to Third Parties (i.e., the entity collecting the data for OBA purposes is responsible for complying with this aspect of the Principles).
You should provide notice of your data collection practices on your own website. This notice should be clear, meaningful and prominent, and should describe the following:
- The types of data collected online, including any personally identifiable information collected for OBA purposes;
- The uses of such data, including whether it will be transferred to another, unaffiliated entity for OBA purposes;
- An easy-to-use way for consumers to exercise choice with respect to the collection and use of data for OBA purposes or transfer of such data to other, unaffiliated entities for OBA purposes; and
- The fact that you adhere to the Principles.
In addition to the notice on your website, you should also provide “enhanced notice” to consumers whenever you are collecting or using data for OBA purposes on a non-affiliated website. This enhanced notice should take the form of a clear, meaningful and prominent link (the “enhanced notice link”) to the information in your website notice. The link may be provided either by you or by the operator of the non-affiliated website (First Party) on which you are collecting or using data for OBA purposes.
If you provide the enhanced notice link:
- You can place a link within an advertisement by placing it within the content of the advertisement, for example, an overlay;
- You can place a link outside an advertisement by placing it within an area around the ad that you control; or
- With agreement from the First Party website operator, you can place a link in another place on the web page where the OBA data is collected, as long as it is clear, meaningful, and prominent.
If the First Party website operator provides the enhanced notice link on its site, it should place the link on the web page(s) where the data is collected or used for OBA purposes. The link should connect directly to a disclosure statement on the website itself that:
- Links to the www.digitaladvertisingalliance.org site if you are registered and listed on it; or
- Individually lists you as a Third Party and provides a link to the information in your website notice.
The First Party website operator’s provision of the enhanced notice link to the industry web page will be particularly useful for Third Parties that are collecting data for OBA purposes on pages where they are not serving OBA advertisements.
2. Providing Choice
You should provide consumers with the ability to exercise choice with respect to the collection and use of data for OBA purposes and the sharing of this data with other unaffiliated entities. An example of a mechanism that would satisfy the choice requirement is one that allows a user to stop the collection and use of data for OBA purposes.
In all cases, the choice mechanism should be easy to use.
You should provide consumers with a choice mechanism in at least one of three locations:
- In the notice on your website regarding OBA practices linked to by an “enhanced notice link” placed within or outside the advertisement or elsewhere on the page with agreement from the website operator;
- From your listing on www.digitaladvertisingalliance.org that provides a choice mechanism. This approach will be particularly useful for entities that do not place a link to a notice in or around the advertisement, or that are collecting data for OBA purposes on pages where they are not serving advertisements, or in situations where multiple Third Parties are collecting and using data from a single advertisement; or
- In instances where you are individually listed in the First Party website operator’s disclosure on the web page where OBA data is collected, your choice mechanism should be available in the notice information on your website linked to from the website operator’s listing.
3. Maintaining Data Security
You should maintain appropriate physical, electronic and administrative safeguards to protect the data collected and used for OBA purposes.
You should retain data that is collected and used for OBA only if it’s necessary to fulfill a legitimate business need or as required by law.
The Principles identify the following four additional steps that you should take regarding data collection and use when you are engaged in OBA:
- Alter, randomize or make anonymous (e.g., through “hashing” or substantial redaction) any personally identifiable information or unique identifiers to prevent your data from being reconstructed into its original form in the ordinary course of business;
- Disclose the circumstances in which data that is collected and used for OBA is subject to the above process;
- Take reasonable steps to protect the non-identifiable nature of your data if it is distributed to unaffiliated entities by not disclosing the algorithm or other mechanism you utilize for randomizing or making it anonymous. In addition, obtain written assurance that such entities will not attempt to reconstruct your anonymous data and will only use or share it for an agreed purpose, such as OBA, that was specified to consumers during the process to obtain their initial consent. This assurance is considered met if another entity, by contract, does not have the right to use your data for its own purposes; and
- Take reasonable steps to ensure that any unaffiliated entity that receives your anonymous data will itself ensure that further unaffiliated entities to which your data is disclosed also agree to the restrictions and conditions you are imposing. This requirement is also considered met if such unaffiliated entities, by contract, do not have the right to use your data for their own purposes.
4. Changing Data Collection/Use Policies
You should obtain consumer consent before making any material changes to your OBA data collection or use policies and practices. A material change might be a decision to use or share previously collected OBA data in a new way. A change that results in less collection or use of data would not be considered material for purposes of the Principles. Consent requires an individual’s action in response to a clear, meaningful, and prominent notice.
5. Refraining from the Collection of Sensitive Information
You should not collect “personal information,” as defined in the Children’s Online Privacy Protection Act (COPPA), from children that you have actual knowledge are under the age of 13 or from sites directed to children under the age of 13 for OBA purposes, or engage in OBA directed to children that you have actual knowledge are under the age of 13, except as compliant with COPPA.
In addition, you should obtain consent before collecting financial account numbers, Social Security numbers, and pharmaceutical prescriptions or medical records related to a specific individual for OBA purposes. Consent requires an individual’s action in response to a clear, meaningful and prominent notice.
About the DAA
The Digital Advertising Alliance (DAA) establishes and enforces responsible privacy practices across industry for relevant digital advertising, providing consumers with enhanced transparency and control through multifaceted principles that apply to Multi-Site Data and Cross-App Data gathered in either desktop or mobile environments. The DAA is an independent non-profit organization led by leading advertising and marketing trade associations.