As problems assail self- regulatory moves by European online ad bodies to keep stakeholders out of the courts for breaches of new cookie consent laws, the equivalent system in the US has moved to enforce its rules for the first time. Could the IAB Europe draw encouragement from the outcome? George Pearse reports.
Topic: On-line advertising
Who: The National Advertising Review Council and the Council of Better Business Bureaus, Inc.
When: November 2011
Law stated as at: 29 December 2011
In the US the Online Internet-Based Advertising Accountability Program (the "Program") has now issued its first six compliance case decisions. This marks the inaugural enforcement action of the Self-Regulatory Principles for Online Behavioural Advertising (the "Principles"). Policies and procedures for the Program are set by the National Advertising Review Council (NARC). The program is administered by the Council of Better Business Bureaus (CBBB).
The Program aims to provide businesses with objective, independent oversight and enforcement of the Principles for online behavioural advertising matters. In turn, the Principles, of which there are seven, are of broad application and aim to safeguard the consumer's online experience. They apply to online behavioural advertising throughout the US. The principles require that companies collecting or using data for online behavioural advertising purposes make use of the 'Advertising Option Icon' in or around their ads. They must also serve notice on consumers regarding their data collection policies and enable consumers to opt-out of receiving targeted ads.
Enforcement lends credibility
The release of these six decisions signals the Program’s initiation of formal enforcement of the Principles. Furthermore, it helps to demonstrate that the Principles have teeth. Each company against whom action was brought has voluntarily modified its practices to comply with the Principles in light of the Program's enforcement action. The swiftness with which each of the companies involved responded to the CBBB suggests that self-regulation can work efficiently in this area and that participants subject to the Program are inclined to take it seriously.
Four of the actions related to problems with the length of the opt-out mechanism. For example two of the businesses proceeded against, FMX and Martini Media, had opt outs set to expire in less than six months, whereas the industry standard set out in the Principles stipulates 5 years. All four companies agreed to extend their opt out term to 5 years.
The other two cases related to issues with the ease, or rather lack of it, with which the required opt out opportunity could be exercised.
Why this matters:
These developments are encouraging for behavioural targeting industry stakeholders in the US. Although the underlying laws differ, they may also serve to bolster hopes on this side of "the pond" to build a viable, respected self-regulatory system for ensuring industry compliance with EU laws now requiring consent for the operation of tracking cookies.
These hopes have not necessarily borne fruit as yet and have recently taken more of a knock. This occurred when the EU's "Article 29 Working Party" of EU data protection regulators pronounced on the legality of the self regulatory model for online behavioural advertising promulgated by the Internet Advertising Bureau Europe and the European Advertising Standards Alliance (EASA).
Perhaps it has not helped that these two bodies have each published slightly different papers on the proposed system, one entitled "European Self-regulation for Online Behavioural Advertising" (IAB Europe) and the other "EASA Best Practice Recommendation on Behavioural Advertising" (EASA).
Also, the exact means by which the system's rules are to be enforced remains unclear, although rumours suggest that in the UK at least, the ASA may step in.
Be that as it may, the Article 29 Working Party has determined that compliance with this system does not assure compliance with EU cookie consent laws. This formal rejection by the regulators cannot have been welcome for IAB Europe/Alliance, although it must be said that IAB Europe for one has long accepted that as currently configured, the IAB/EASA model does not necessarily deliver bankable cookie consent.
Relevant materials can be found at these links.