Online Behavioural Advertising: New rules in force from the ASA

Posted by Simon Stokes on

How does Online Behavioural Advertising work?

When you view a website third parties who are interested in providing ("serving") advertising to you may collect data about what you view, in order to tailor the advertising that you are shown in future.

This is called Online Behavioural Advertising (OBA). These third parties ("ad networks") usually operate in collaboration with the person or company operating the website (the host) using cookies to track users' behaviour.

This is a controversial practice and the Advertising Standards Authority (ASA) has now issued rules to regulate this area and protect users. In addition the use of cookies by websites continues to be regulated in the UK by the Information Commissioner – this aspect of OBA is outside the ASA's remit.

What are the ASA's new rules?

As of 4 February 2013 several new requirements came into effect which will apply to those who are carrying out the collection of viewing data for the purposes of OBA. The requirements are as follows:

  1. Third parties (ie those who are not hosting or under the same control as the host) must have a clear and comprehensive notice on their own website, stating that they collect and use online viewing data for OBA. They must also have a mechanism on their website to allow users to 'opt-out' of having their data collected and being used for OBA;
  2. Third parties must have a clear and comprehensive notice visible either on, or around the advert on the host website where the OBA appears, which states that they collect and use online viewing data for OBA. They must also provide users with a link either on, or around the advert, allowing users to 'opt-out' of having their data collected and being used for OBA;
  3. Third parties must obtain 'explicit consent' before using technology to collect and use viewing data from all, or substantially all of the websites that users visit; and
  4. A ban will be placed on creating 'interest segments' specifically designed to target people under 12 years old.

In summary the new rules (which are contained within Appendix 3 to the CAP Code) require that third parties must ensure their use of OBA is clear and transparent by containing a notice in or around the display advertisement.

This notice must link to a mechanism whereby users can opt out of receiving OBA from that third party or that third party and other third parties. Third parties must provide a notice on their own website making clear they collect and use data for OBA purposes and provide a mechanism whereby a user can opt out.

Most third parties will choose to link to an industry-wide website where a user can exercise their choice and control over a range of third parties, such as www.youronlinechoices.eu, not just limited to the third party that served them the ad.

Do the rules apply to everyone?

The new rules are aimed at third parties (businesses serving ads and collecting user viewing information through cookies) rather than the person (host) operating the website where the ads are actually served and viewed – here existing data privacy laws will apply to the use of cookies and collecting personal data from users.

Similarly 'contextual advertising', such as that used by websites like Amazon, which show users products that may be of interest to them based on what they currently viewing (for example "Customers who bought this item also bought…"), is not prevented by the new rules.

The rules also do not apply to web analytics, ad reporting or ad delivery, or the use of OBA in rich media, in-stream videos online or on mobile devices.

What will happen if people do not comply with the new rules?

The Advertising Standards Authority (ASA) will monitor compliance with the new rules.

Also, in the unlikely event that the ASA is unable to identify which third party has served a particular OBA advertisement, a new rule in the Compliance section of the CAP Code requires advertisers to co-operate with the ASA in good faith to help them identify the third party responsible.

The ASA has various powers including:

  1. To investigate, undertake an adjudication to determine any breach and potentially 'Name and shame' those who breach the rules; and
  2. for third party signatories of the EU Industry Framework on OBA, which comprise the vast majority of UK operating third parties, the ASA will have two additional sanctions at its disposal: the ability to remove the trading seal of approval that signifies their compliance with the Framework, and the removal of the licence to use the single European icon to provide notice.

In addition breach of data protection laws in this regard could lead to substantial fines by the Information Commissioner as well as other enforcement action by ICO.

About the Author

Leading the firm's technology practice in London, Simon specialises in information technology law, including outsourcing, cloud services, protecting software IP and licensing of market leading data analytics software.

Simon Stokes
Email Simon
020 7814 5482

View Profile