By Lou Mastria
Big Idea: Digital advertising is a dynamic industry. Is your business keeping up with the latest best practices? Staying in the lead of the digital ad ecosystem while adhering to DAA Principles requires proactive action and diligence.
A day before this year’s Digital Advertising Alliance (DAA) Summit 2017, we held our inaugural “Digital Advertising Accountability Workshop,” which provided the latest insights in responsible data collection and transparency through a series of engaging presentations and panel discussions. We were able to offer Continuing Legal Education credit in eligible states, an added benefit for attorneys that also heard practical compliance advice for their clients’ benefit. We thank our workshop partners at the Council of Better Business Bureaus (CBBB), Data & Marketing Association (DMA), IAB Tech Lab and Network Advertising Initiative -- as well as our counsel at Venable LLP -- for helping us pull this program together.
The following day, a panel of compliance practitioners -- Genie Barton, vice president and director of the Advertising Self-Regulatory Council (ASRC) Online Interest-Based Advertising Accountability Program and president of the Better Business Bureau Institute for Marketplace Trust; Xenia “Senny” Boone, senior vice president of corporate and social responsibility at the Data & Marketing Association; and DAA Counsel Michael Signorelli, partner with Venable LLP -- gathered on stage to summarize the workshop’s most important points for those attending the summit.
Here are the ten takeaways for staying on top of compliance with DAA Principles.
#1. “If in doubt, ask us”
This is what Genie Barton calls the “golden rule.” As she and Senny Boone stressed, any concern or question about compliance is best brought to DMA or the CBBB so that they can work with the company to help solve any compliance issue confidentially. There’s a corollary to this tip: If the CBBB discovers that a firm is out of compliance before the company reaches out to them, the findings of their inquiry may well wind up published.
#2. Know your role
“Know what you're doing, what your role is in the ecosystem at any time,” Barton stressed. Compliance obligations differ depending on what role an organization is playing at a given time. The DAA Principles apply to First and Third Parties differently; it is possible to be both depending on your function. If you have a website, you are a First Party, even if your primary role in the interest-based advertising (“IBA”) ecosystem is as a Third Party. All First Parties that allow Third Parties to collect data for IBA must work with the Third Party to provide enhanced notice of collection and use of data for IBA on the mobile app or site.
#3. Understand enhanced notice
“Enhanced notice is real-time and it needs to take consumers directly to the place […] where you tell the consumer about IBA -- your interactions with third parties -- and where you provide access to an easy-to-use tool to opt-out,” Barton said. Consumers should not have to hunt through a privacy notice to discover this information.
“We want to make sure that [transparency and control mechanisms are] actually working and that there is a point at which the consumer has the correct information and can make their choices,” Boone added.
#4. Share responsibilities
The party that “owns” the digital real estate is the ablest to provide enhanced notice. Parties should collaborate to provide notice. For example, a First Party may be better positioned to provide notice on its site about data collection activity on its website, while a Third Party may have the responsibility to provide notice while serving the ad. While specific circumstances may vary, all parties involved should work together and hold themselves accountable for giving consumers clear, meaningful, and prominent notice. DAA’s Enforcement in Action 2.0 accountability casebook is packed with examples demonstrating the importance of this point.
#5. Expect compliance from your partners
Marketers should have “reasonable assurance [...] that partners and vendors are as committed to the Principles as [they themselves] are,” said Barton. Placing strong terms that ensure adherence and shared appreciation for the Principles into commercial agreements benefits all.
Signorelli attested that in the past few years he’s noticed a stark “shift to include [DAA compliance] obligations in contracts. It’s a deal point now, it’s a part of the conversation, and it certainly helps with moving past the contract stage to partnership.”
#6. Understand opt-out options
There have been significant updates and changes to DAA’s choice tools in just the last six months (the Consumer Choice Page, now known as WebChoices as well as AppChoices and AppChoices en Espańol), so it’s a good time to review the choice sections in your online privacy notices and disclosures to make sure the “opt-out” options are up-to-date.
Boone agreed: “Give [consumers] a level set of what they can expect after they opt out [...] you want to make sure you describe the scope of those choices and what actually is supposed to happen.”
#7. Educate and communicate internally
Enterprise education about privacy and the DAA Principles goes beyond the legal and marketing teams. It should include communicating with IT and design departments -- it can be easy to overlook the functionality of notice links while redesigning a site, but the consequences of non-compliant notices can be serious. A privacy or legal team should not be a silo; every department should know its role in keeping the company’s practices in compliance.
The interest-based advertising ecosystem is complex, and can impact multiple groups within the enterprise. This means that cross-enterprise communication is necessary to make sure every party and business unit understands their roles and responsibilities. “When you are working with third parties, the legal team may not realize they need to go back to the marketing team and vice versa to help ensure compliance needs are being met,” Boone stated.
#8. Understand mobile SDKs
Understand what data software development kits (SDKs) integrated into your app may collect and transfer for IBA, and what compliance requirements they may trigger. All parties should provide necessary transparency and choice about covered data collection, use and transfer as required by the Principles.
#9. Always be vigilant about COPPA Obligations
Self-regulatory principles may not be the only standard to meet, the panel stated. In some cases, laws may apply -- the Children’s Online Privacy Protection Act (COPPA) being a prime example.
#10. Collect precise location data with consent
Precise location data should be acquired with consent, or with reasonable assurances from the First Party that the consumer’s affirmative consent has been obtained prior to collection, the panel agreed.
Following the Summit 2017 session, DMA’s Senny Boone provided us a few comments on its role as an Accountability Partner for DAA – echoing similar comments from CBBB Advertising Self-Regulatory Council President Lee Peeler last year.
In conclusion, it’s thanks to DAA participants’ adherence to responsible practices, and the Accountability Programs’ continued efforts, that the DAA continues to be recognized as a “program with teeth,” as Signorelli put it, “which is an important facet when we’re doing self-regulation […] to have that level of independence and rigor when it comes to enforcing principles.”
Thank you to Charlie Tomb for his editorial support toward our Summit Snapshot 2017 blog series.