Online Behavioral Advertising

James Chiodo, Certified Information Privacy Professional CIPP/US

Enhanced Notice” It IS Your Problem

Do you know what “just-in-time” notices are? Or who or what OBA is? If you are like most people, “just-in-time” notices are when your kid tells you they have to “go” right before it’s too late. And OBA was a 70’s pop band whose time has come and gone. As long as you don’t have a website or blog that utilizes any of the numerous advertising services then you should be fine without a firm and clear grasp of those terms.

You may not have designed your website yourself. You may just have a simple blog that generates you a little extra income with a service like Google Adsense or any other of the numerous services.

Whether you are the next Amazon or just running a blog to tell others of your travels to Zanzibar or what your grand kids ate for breakfast, if you are displaying advertisements, either yourself (unlikely) or through one of those ad services (more likely), that is considered Online Behavioral Advertising (“OBA”), you as the site owner have to provide notice in a very particular manner at a very particular time, i.e. enhanced notices provided just in time (described below).

The advertising that is within the definition of Online Behavioral Advertising and is covered by the new rule that involves the following:

 “The collection of online data from a particular computer or device regarding Web viewing behaviors over time and across non-Affiliate web sites for the purpose of using such data to predict user preferences or interests to deliver advertising to that computer or device based upon the preferences or interests inferred from such web viewing behaviors.” 

This is the definition used by the D.A.A. as authored by the A.A.A.A (American Association of Advertising Agencies). Are your eyes glossed over yet? If not, the “Enhanced Notice” requirement that is coming up in January, 2014, required for any consumer facing site that uses OBA.

These self-regulatory online behavioral advertising rules are promulgated by the Digital Advertising Alliance (D.A.A), which is an industry run organization that hopes to avoid more stringent federal regulations by imposing rules upon its member and even non-member advertisers designed to protect consumers’ privacy rights. And should you fail to adequately provide this enhanced notice that the D.A.A. “suggests,” then they will turn you over to the FTC.

That’s right. If you don’t properly advise visitors to your website of stuff that is going on that you aren’t yourself doing, don’t necessarily understand much less possess the ability to explain and certainly are not able to provide adequate notice of, then the responsible party is you and not just the company that is gathering the information and providing the advertisements. It’s not enough that the advertising service that provides the service on your site provides notice. You must do so as well, and do it fully and properly.

If your eyes just glossed over don’t panic; it’s not as confusing as it sounds. Take the following example. You go to the Ford site to look at the F150 you are interested in purchasing. Using the nifty tool on the site, you build your fantasy Ford and pick the color blue for the paint. On your screen pops a beautiful blue Ford F150. Now Ford knows you like blue. If Ford uses that data to market you a blue Ford F150, or even other blue Ford vehicles, you may decide to look at while on the site that is NOT what OBA. That’s just contextual advertising.

Instead, if Ford allowed an advertising service to access data on its site and learned from Ford that you like the color blue, then put that information together with information that you had recently searched for flights to Las Vegas from Travelocity, that you enjoy crappy music from a blog dedicated to crappy music lovers, and finally that you are looking for show tickets also in Las Vegas, and compiled all that information to advertise tickets to The Blue Man Band’s Vegas show to you, that, my friends IS OBA. And it is extremely effective.

Now that you have an understanding of what OBA is, you should next understand that it is not bad thing. Sure, there is the fringe, tin foil hat wearing privacy nuts that harp on privacy rights. But most consumers prefer ads, which are relevant to their needs; and advertisers who use OBA to advertise do so because it is effective. Further, if you are not currently using OBA yourself or through an ad service, the very strong likelihood is that you will in the near future: it IS the future of all advertising, not just internet ads. Sooner (as in by Jan 1, 2014) or later you are going to have to deal with this.

In other words, YOU have obligations and liability as the result of allowing those third parties to collect and use data on your site. It’s not sufficient to say that those services are the ones that are responsible for notifying your users. DO NOT try to wing this or gloss over the requirements. The notices cannot just be general “we may do this; we may do that” type general statements.

The just in time principle simply means that the notice must be provided at the time that the targeted ad is being displayed and not at a general “click through” in order to access the site. And this “just-in-time” notice is not what was previously required or commonly done before the new DAA guidelines, it is enhanced. In part, what makes it enhanced is that it requires that both third parties such as ad networks and first parties (i.e. you), ensure that the consumer has real-time notice and an easy-to-use way to exercise choice whenever third parties collect a consumer’s browsing activity for OBA and use the data to determine what to advertise to the user.

The “opt out” portion of the OBA enhanced notice is the only part that can, and probably should be general, such as from a link to the DAA Consumer Choice page opt out provisions (sort of a “do not call” list of websites) or by listing all of the third parties that are using OBA on your site; and clear directions and links for how to opt out of each of them.  After here it gets a bit more complicated. You must list each and every type of data that will be collected and for what purpose it will be collected. What makes this difficult is that you may not know what the third party sites are collecting and using.

Have you ever tried to pick up the phone to call Google and ask them a question? They don’t send out those fridge magnets with their phone number on it. It’s not exactly easy to coordinate with the large OBA advertisers, much less ask them the specifics of what they are collecting and whether they are going to be transferred or sold to anyone else.

What’s more, the methods and protocols of those OBA advertisers are often secretive and tightly guarded. One way or another, the obligation to coordinate with your third party advertisers, keep the list current, and the information readily available and accurate is both yours and the third party advertiser’s.

Come Jan 1, 2014, you will need to know what type of data is being collected, describe that thoroughly and completely, and keep that current at all times. Further, you will need to provide opt out links for each of the services that you are allowing to use your site to comply with the DAA’s guidelines. To protect consumers, the DAA plans on increasing enforcement of the enhanced requirement notice.

If you are a website or blog operator who lets third parties gather online behavioral advertising information, you are required to have a “clear, meaningful, and prominent disclosure link” on EVERY page on your website or blog that contains an advertisement which has been delivered through online behavioral advertising data collection methods.

For help with complying with these requirements visit

New California & Nevada Privacy Laws Affect Website and Mobile App Owners ➞ Read More