Login   /  Logout   /  Resources for Consumers  /  Create a FREE Online Account  /  Contact Us
Consumer Help Membership Centers of Excellence Advocacy Events Who We Are Careers Blog

 


DMA Online Behavioral Advertising (OBA) Compliance Alert & Guidelines for Interest-Based Advertising

Learn about membership in DMA


Background
DMA has a lengthy history in leading industry efforts to develop self-regulatory guidelines and build consumer confidence in the interactive online marketplace. DMA began self-regulating online marketing practices in the mid-1990s and continuously amends its guidelines to help its members stay ahead of the regulatory curve and abreast of technological innovations affecting multi-channel marketers. DMA recently expanded its guidelines to address online behavioral advertising (OBA) – a topic of much debate and interest to policymakers, regulators, consumer advocates, and business. DMA’s Guidelines for Ethical Business Practices cover each marketing channel, both traditional and emerging.

The focus on OBA and interest-based advertising is significant, as behavioral advertising continues to fuel the growth of rich online content choices for consumers without adding costs. More effective, relevant advertising based on consumer interest and preferences is the goal. Recently, the Federal Trade Commission (FTC) called for more robust and effective self-regulation of OBA, releasing a staff report inFebruary 2009 outlining several self-regulatory principles for OBA

DMA’s OBA guidelines underscore the seven Self-Regulatory Principles set forth by DMA and several other advertising organizations and the BBB, and aim to answer the FTC’s calls to foster transparency, knowledge and choice for consumers.

Industry-Wide Self-Regulatory Effort & New Resources!  Leading marketing and advertising industry associations initiated a comprehensive, self-regulatory effort to develop and implement consumer-friendly principles and enforcement standards regarding OBA.

More information about the work of the industry-wide effort by the DMA, the American Association of National Advertisers (ANA) the Interactive Advertising Bureau (IAB), and supported by the Council of Better Business Bureaus (BBB) can be found on the industry-developed website www.AboutAds.info. This site includes detailed fact sheets and FAQs as well as the advertising icon that is available for users to demonstrate compliance with the principles. If you or your third party is engaging in OBA, go to this site to determine whether you are a first party publisher, a third party serving the ads, or a service provider, or possible all three, dependent upon your business practices.

Purpose of This Alert
Understanding and implementing OBA best practices in a manner that effectively balances the needs of consumers and business, while building consumer trust in the online marketplace, is a critical, but complex task.  To assist members, this alert outlines the steps marketers should take to comply with DMA’s online behavioral advertising guidelines and the self-regulatory principles as well as traditional privacy protections. Additionally, please also go to www.AboutAds.info to ensure you review the full scope as either a first party publisher, a third party ad network, or as a service provider.  You should also visit www.AboutAds.com, this site includes the Advertising Option Icon, a specific mark created by the participating trade associations that, together with approved wording, can be used by those engaged in OBA to signify their adherence to the Principles.


Guide for Complying with DMA's OBA Guidelines

A.  What is OBA?

For purposes of this guide, online behavioral advertising (OBA) refers to the collection of information about online activities and Web viewing behaviors, over time and across non-affiliate websites, to deliver tailored ads.  In a nutshell, OBA allows companies to match ads to a consumer's interests, determined over time.

  • Relevant Ads Using Anonymous Data. OBA relies on anonymous, aggregated data to deliver an ad to a computer based on the computer browser’s activity, not the activities of a specific individual. Companies use cookies to make this happen. 
  • Different from Contextual or “First Party” Advertising. OBA does not include “first party advertising,” in which no data is shared with third parties, or contextual advertising, where an ad is based on a single visit to a web page or a single search query. 
  • It does not include ad reporting, the collection or use of information for statistical reporting, Web analytics/analysis and advertising metrics.
  • OBA Examples. Imagine that you are online and you visit five different sports websites and then a news website. You might see a sports ad on the news site, even though you're reading about fashion.  You’re served that ad because your online behavior suggests you’re interested in sports. Or imagine that you are shopping for a birthday gift for your husband, a Star Trek fan. One month after his birthday, you might get ads about Star Trek served on your computer when you sign on.

B.  How to Comply with DMA’s Guidelines for OBA

If your organization operates an online website and is engaged in online behavioral advertising (as described above), you should review DMA’s OBA guidelines and take the following steps to ensure appropriate collection and use of OBA information, thereby building consumer trust in the online space:

1.  Publish a Privacy Policy and Abide by It. 
Be transparent about your information collection and use practices for OBA purposes and allow consumer control over those practices. How?

  • Review your organization’s online privacy policy and ensure that it is easy to read and understand, and that it is consistent with your current information collection and use practices, especially in relation to any online behavioral advertising (OBA).
  • Make sure your website privacy policy is easily accessible and available prior to or at the time information used for online behavioral advertising purposes is collected.
  • If you operate a website and collect or use information for OBA purposes, include the following information in your online privacy policy:
    • What information you collect online for marketing purposes and how you use that information, including for online behavioral advertising purposes;
    • Whether you transfer information to third parties for use by them for their own marketing or online behavioral advertising purposes and the mechanism by which consumers can exercise choice not to have such information transferred;
    • Whether personally identifiable information is collected by, used by, or transferred to agents (entities working on your behalf) as part of the business activities related to the visitor’s actions on the site, including to fulfill orders or to provide information or requested services;
    • Whether you use cookies or other passive means of information collection, and whether such information collected is for internal purposes or transferred to third parties for marketing purposes, including online behavioral advertising purposes;
    • What procedures your organization has put in place for accountability and enforcement purposes; and
    • That your organization maintains appropriate physical, electronic, and administrative safeguards to protect information collected online.
  • In addition, refer to Article #32 (Personal Data) of DMA’s Guidelines to assure that marketing data are used only for marketing purposes. The DMA guidelines mandate that a consumer’s information is to be used only for marketing purposes.
  • For help with your privacy policy statement, use the DMA’s members-only privacy policy generators available at http://www.dmaresponsibility.org/#3.

2.  Provide An Enhanced Notice Link to Consumers and Honor Their Choices. 

  • On any non-affiliate websites where you engage in OBA, provide a “notice and choice” button on the page where the data is collected, ideally via a link embedded in or around the advertisement itself
  • Make sure this “notice and choice” button is easily accessible and links to (1) clear disclosures about your data collection and use practices for online behavioral advertising, and should offer (2) choice to consumers about whether or not their information is collected for online behavioral advertising purposes.  
  • Note: If you are a “service provider,” a term that refers to Internet access service providers and providers of desktop applications software such as Web browser “tool bars,” you need to take extra precaution and obtain consumer consent before engaging in online behavioral advertising, as well as take steps to de-identify the data used for such purposes.  Refer to DMA’s OBA guidelines for full details on the requirements for service providers.

3.  Ensure Reasonable Security and Limited Data Retention.

If your company collects, stores and/or uses consumer information for behavioral advertising, provide reasonable security to protect that information, and retain the information only as long as it is needed for a legitimate business or law enforcement purpose.  Consistent with DMA Guidelines:

  • Maintain appropriate physical, technical and administrative safeguards and use appropriate security technologies and methods to protect information collected or used online, and to guard against unauthorized access, alteration, or dissemination of personally identifiable information during transfer and storage. 
  • Ensure that the level of security you provide is based on: the sensitivity of the information, the nature of your business operations, the types of risks your company faces, and the reasonable protections available to your company.
  • Require that employees and online behavioral advertisers, and your agents who have access to covered consumer data, use and disclose that information only in a lawful and authorized manner. 
  • Establish information security policies and practices to assure the uninterrupted security of information systems.
  • Implement staff policies and training to protect consumer data handled in the everyday performance of duties.
  • Routinely reassess protective physical safeguards and technological measures.
  • Require business partners and service providers to maintain a level of security consistent with your own.
  • Inform those consumers who may be affected by a security breach where there is a reasonable likelihood of material harm.

4.  Offer Notice and Choice for Material Changes to Your Policies.

DMA Guidelines require that a company keep its privacy promises, even if it decides to change its policies at a later date.  For example, if consumers have signed up for a service with the knowledge that data about their online behavior is going to be used in a specific way, then a company should ensure that data is used only in the manner to which the consumers agreed -- or offer notice and choice if the company’s policy changes materially. 

  • If your organization’s policy changes materially with respect to the collection and/or use of consumer information for OBA purposes, you should update your policy statement and give consumers clear and conspicuous notice, including an opportunity for consumers to select their preferences. 
  • Ensure that your notice about the material changes is easy for consumers to find, read, understand and act upon. It is not enough to simply change the language in your online privacy policy.  For the notice to be truly conspicuous, you must take steps to bring consumers’ attention to the change.  
  • As appropriate, employ technologies such as hyperlinks, frames and pop ups to provide conspicuous notice and bring attention to the material change.
  • Make sure that you have appropriate mechanisms available on your website to honor your website visitors’ choices regarding collection and use of covered consumer information for OBA purposes in accordance with your stated policy.
  • If you have promised to honor visitor choices for a specific time period, and if that time period subsequently expires, then provide that visitor with a new notice and choice.  Ensure that there is an online mechanism for visitors to exercise their choices.

5.  Obtain Express Consent for Sensitive Information Collection.

Information collected from children and used for online behavioral advertising warrants heightened protection, as does certain health and financial data when attributable to a specific individual. Children’s, health and financial account information are regulated extensively under the Children’s Online Privacy Protection Act, the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act, respectively.  All marketers are encouraged to review these legal requirements to ensure compliance.  And all companies that collect sensitive data about consumers should obtain express consent from individuals to collect this data.

  • In a nutshell, in no instance should sensitive data be used for behavioral advertising unless the consumer has given consent. 
  • If your organization has a site directed to children under the age of 13 or collects personally identifiable information from visitors known to be under 13 years of age, make sure you:
    • Review and comply with the Children’s Online Privacy Protection Act (COPPA) and the “Marketing to Children articles of the DMA’s Guidelines.  DMA has created a COPPA Compliance Guide to assist members with compliance.
    • Obtain prior, verifiable parental consent for any behavioral advertising to consumers known to be under 13 on child-directed websites.
    • Even with the consent of parents, offers suitable for adults should not be made to children.  In determining the suitability of an online communication for children, online behavioral marketers should carefully address the age range, knowledge, sophistication and maturity of their intended audience.
  • For sensitive health or financial information that is attributable to a specific individual, be sure to:
  • DMA has extensive resources to help you do the right thing in all your marketing endeavors, as well as meet the above requirements.  For more information on DMA’s Guidelines for Ethical Business Practices, go to www.dmaresponsibility.org/Guidelines.

6. Hold Your Company and Other Organizations Accountable. 

The DMA has in place a strong self-regulatory program to ensure responsible practices and accountability in all marketing channels.  As part of this program, DMA’s Corporate & Social Responsibility (CSR) department and Board-level “Ethics Operating Committee” investigate and resolve complaints about potential violations of the DMA Guidelines.  DMA hears cases against both member and nonmember companies. 

  • Learn more about DMA’s self-regulatory and compliance programs by visiting: www.dmaresponsibility.org.
  • To report a company for potential non-compliance with the DMA’s OBA guidelines, please complete the DMA Ethics Complaint Form and submit it to DMA’s Corporate & Social Responsibility (CSR) at: 1615 L St, NW, Ste 1100, Washington, DC 20036; ethics@the-dma.org; or 202.955.0085 (fax).

7.  Help Educate Consumers, Your Service Providers and Other Businesses.

Education of both consumers and businesses is critical to alleviating potential privacy concerns caused by behavioral advertising and ensuring DMA members stay ahead of the regulatory curve.  

Make sure you know what you need to do if you are a first party publisher, a third party, or a service provider by going to www.AboutAds.info, the Advertising Option Icon and approved wording can be accessed at www.AboutAds.info.

Support DMA, its members, and other industry partners in educating consumers, policymakers and regulators about the value of online behavioral advertising (OBA) and the mechanisms in place to provide consumers with notice and choice about OBA by contacting DMA’s Corporate & Social Responsibility (CSR) and Government Affairs departments at 1615 L St, NW, Ste 1100, Washington, DC 20036; ethics@the-dma.org; or government@the-dma.org.

 

back to top