Questions regarding the OBA framework

Transcription

1 Questions regarding the OBA framework Helsinki, 21 March 2013 Questions answered by Ionel Naftanaila, EDAA Law office: Only IAB members are obliged to follow the OBA framework (=use the icon etc.). The Framework applies to the whole ecosystem. It is endorsed by all representative associations of the advertising value chain, and it is open to all players where applicable. IAB members were quicker to get on board because we re better organized and because the FW is addressed primarily to third parties and most IAB members would act as such. Does IAB Europe plan to do something about non-members, in order to get them onboard, too? The compliance and enforcement mechanism is three folded: a) through the SROs who in some (not all) countries have the possibility of bringing people in compliance even if they are not signatories b) through the Trust Seal mechanism c) through the partners already in the programme (ex. Google asking smaller players who want to join their ad exchange to be compliant with the Programme). If many operators are not following the framework, doesn t that weaken IAB s arguments to local data protection authorities, if IAB wants to state that self-regulation is adequate and no new laws are needed? This is why it s essential that players are aligned and committed. Who is considered the first party? The Framework does not define First Party as such, but it rather refers to it as a Web Site Operator: A Web Site Operator is the owner, controller or operator of the web site with which the web user interacts. Who is considered the third party? The Framework definition: An entity is a Third Party to the extent that it engages in Online Behavioural Advertising on a web site or web sites other than a web site or web sites it or a an entity under Common Control owns or operates. (see Common Control definition below) What about group of companies with mother company and subsidiary companies? Are they all treated first parties even when they place banners ads to each other s web site and use OBA internally (=is no icon needed)? 1

2 Yes. Common control definition in the Framework: Entities or web sites under Common Control include ones which Control, for example parent companies, are Controlled by, such as subsidiaries, or are under common Control, such as group companies. They also include entities that are under a written agreement to process data for the controlling entity or entities, and do such processing only for and on behalf of that entity or entities and not for their own purposes or on their own behalf. There s one caveat though: if the Web Site Operators are doing OBA by acquiring OBA data from third parties, which OBA data was collected from websites outside common control, this is in fact Third Party OBA. Therefore Web Site Operators, when are serving the ads, they must place the OBA Icon on top, as there s no one else who can do it. If BMW uses OBA and places its ad to the Guardian s web site, who is obliged to place the icon in practice to BMW s banner? BMW? The Guardian? BMW s media agency (if any)? BMW s advertising agency (if any)? The affiliate network through which the banner was placed to the Guardian s network (if any)? Someone else (who)? Responsibility lies with the party making the OBA decision regarding that ad (i.e. deciding to deliver that ad based on an OBA profile/data). Any of the players can do it, depending on who s actually making that decision. In practice, lacking a meta-data mechanism, the Icon will be placed on all ads, and at least it will have to be placed by the player who actually delivers the ad (liability is not with the adserver, as this is most times merely a contractor for one of the other players) Who places the cookies to the consumer s browser? Advertiser? Advertising agency? Media agency? Affiliate network? Advertising handling companies? Other? Not sure I understand the question. Who needs to pay the icon licence fee? How is double fees avoided (=two parties pay the licence fee related to the same OBA activities, e.g. advertiser and its media agency)? Fees are yearly, and don t refer to a specific ad-delivery effort. Therefore if throughout one year a player needs to use the Icon, they need to pay the licence fees. But it is important to note that fees are just a way to support the self-regulatory initiative, and this should not be seen as some kind of tax companies benefit from doing OBA and should provide consumers with the appropriate transparency and choice mechanisms to continue being able to practice it. How YOC applies to shared computers such as a computer at home when 4 people use the same computer? Who decides whether to opt-out or not? How can the advertiser know who made the opt-out at YOC? This is a known limitation as with any device used by more than one consumer, in multiple scenarios. Alma Media (Media/Publisher): There is one situation in which we as a publisher need to use OBA icon. That is when there is re-targeting pixel in the advertiser s site and we show advertising in our sites according to that pixel. Correct. 2

3 We have a problem, because our ad server provider Emediate is not making the OBA opt out possibility to their system. Instead Emediate offers us the possibility to use custom-made opt out for re-targeting cookie. In this case Emediate will not be compliant with the Programme, unless they integrate with youronlinechoices.eu. As a consequence, as clients of Emediate, you will not be able to be compliant too. In this kind of custom-made situation, how do we work with Your Online Choices site? Ask Emediate, as Provider, to become compliant as committed. They are signatories of the Framework, thus committed to the Principles of the Self-Regulatory Programme, and should act accordingly. Do we need to put our publisher name on the opt out list or how should we handle this? Not necessarily. If Emediate is there as a retargeting provider, it should be enough, as consumers will have the choice of opting out. Some companies want to be listed on youronlinechoices.eu though, as a marketing tool. So, if the technical ad server provider does not offer OBA opt out, but it can be done some other way, how do we work with YOC? Is this even our responsibility? The Industry Coalition has always portrayed YOC as being a one-stop-shop for consumers regarding OBA. It is therefore extremely important that companies are integrated here, so that this promise can actually be kept. This is not preventing companies to use a more advanced preference management tool where consumers can further refine their choices however this preference management tool must be linking to YOC, and the company opt-out should be there. Responsibility / liability are a legal term in this context. If Emediate is merely a contractor for you, then probably you do take the liability. Answer is really dependant on your contract with them. Are the User Choice platform and Icon licenses granted in group level? Is it enough that the parent company of the group purchases the license? Yes and yes. However some kind of proof (not defined yet) will need to be provided to the EDAA when acquiring the licences. If the parent company has made the undertaking to follow OBA guidelines, does it cover all group companies in Europe? How about non-european group companies? Yes. The OBA Framework covers European OBA activities, so it not really dependent on the location of the company but rather on where its ad-delivery activities are mainly targeted. Could you clarify the definition of common control? The underlying principle is that if one or more websites are maintained, owned, etc. by a certain party, that party is a web site operator for those websites (even if they are not commonly branded for instance) and should comply just with the web site operator requirements. EDAA s join the program website says the following: 3

4 (i) If you are actively involved in Third-Party OBA by partnering directly with websites that you do not own or operate and collect data for OBA purposes from these sites then you should participate on the industry-developed User Choice platform (follow STEP 5 below). (ii) If you are actively involved in Third-Party OBA by partnering directly with websites that you do not own or operate and use OBA data to deliver ads on these sites, then you should licence the OBA Icon (follow STEP 4 below) and display it according to the Technical Specifications. More details on the Icon Providers that are approved by the EDAA to deliver the OBA Icon can be found here. (iii) Naturally, if you collect and use OBA data from these sites, then you should both obtain a licence for the OBA Icon AND participate on the User Choice platform. So these two activities are separate? If we are actively involved in Third-Party OBA (i) by partnering directly with websites that we do not own or operate and collect data for OBA purposes from these sites BUT NOT (ii) by partnering directly with websites that we do not own or operate and use OBA data to deliver ads on these sites, are we a Third-Party? You are a Third Party if you collect OR use data from/on sites that are not under Common Control. We are not doing any activities at the moment that would require us to license the OBA Icon. If we start doing Third-Party OBA later, how soon we should license the icon? When needed. However please note that the license fee is yearly so not pro-rated. Guidelines say that Publishers have no direct icon responsibility unless they are self-managing sales and delivery of OBA Ads directly from advertisers, in which case they should add the Ad Marker. What if the Third-Party OBA activity is all carried out by our (=Publisher s) subcontractors on our behalf with their software but we own the data, are we Third-Parties? You are doing Third Party OBA if the data is collected also from outside your Common Control websites, even if you use it only on these sites. Therefore you must display the OBA Icon. What if the Third-Party OBA activity is carried out by ourselves but using a subcontractors technology? The terms of the existing agreements with subcontractors cannot be changed one-sidedly, what if they do not want to follow OBA guidelines? This is where the compliance and enforcement mechanisms come into place. There are specific SRO mechanisms, plus the Trust Seal and pressure of the market. We also have extensive support of the Commission, who was open to sending letters to key players that would decline becoming compliant. Is the list in User Choice platform a list of companies or technologies or both? It is a list of companies. Some are technology providers and wish to be listed in clear, while some are just users of technology but want to be listed too for marketing/transparency purposes. The list in the User Choice platform is not complete, the consumer does not understand the link between different operators and how to block certain activity by certain players. If certain technology is blocked, this will block all player using such technology, not only the one which the consumer wanted to block. Is this the intention? It depends on the way the opt-out is implemented. Technically it is possible to stop OBA only from the intended player, and this should be the preferred behavior of the platform. However some technology providers (unilaterally) do not provide an individual opt-out for their clients, thus leading to the situation described above. We re working to find a solution to clarify for consumers what is going on in such cases. 4

5 Icon license is free of charge for web site operators such as publishers, advertisers. etc. on websites with a purely national focus and readership, what does this mean? As web site operators (as defined in the Framework) are not strictly within the scope, they wanted to use the Icon in the footer to provide appropriate disclosure as per the Framework. This is merely to spread the use of the icon, as the Framework allows to use something else than the icon (i.e. text). Therefore this compromise has been found, allowing them to use the icon free of charge for this purpose on sites with national readership. If OBA activities are done with national focus but the group of companies includes also companies in other countries, how would this group of companies be treated? Not applicable, as per the explanation above. Media-agency: Why haven t IAB / EDAA communicated clearly about the OBA license - at least not from the beginning of the icon discussion? The setup of the programme lasted 2 years, trying to strike the right balance between the concerns of consumers, European Commission and politicians, on one hand, and the need for consistency of the Industry. Initially the Programme was setup somewhat reactively (Kimon s presentation in 2011 in Helsinki) as an Industry response to a poorly drafted legal text, which was the eprivacy Directive. Costs did not become clear until mid 2012, when they were communicated through various channels to signatory companies and local IABs. However the existence of some costs was clearly signalled from the beginning of the Programme it was unavoidable that such an initiative will have to be supported by the Industry. Why aren t EDAA tech partners been able to communicate of the OBA license, in fact been unaware of the license needed to use the icon, and what is their role in the license issue? Not sure I understand the question. If the question is related to Evidon and TRUSTe, as Approved Providers, they were fully aware of the need for and Icon licence. However the EDAA was officially launched in October 2012, and prior to that there was no European Organisation able to licence the Icon and manage the European Self-Regulatory programme. Both Approved Providers were relying on the DAA (US sister association) licence at the time. Once the EDAA became fully functional, the European Self-Regulatory Programme became effective and payment of fees was required to keep it running. Can you explain the rationale behind the cost structure and what the costs are based on? It is alarming that the costs are not related to company size / icon usage or something clear and measurable can you comment on this, please? The principle behind determining icon fees was to try to estimate the costs needed to run the programme, then splitting these to a conservative number of signatories. As this is the first year to run the programme, this number was very low, as some companies still have issues understanding 5

6 why/how much they have to pay. The size of the company is actually taken into account, and also its role: a) SMEs have a discounted rate, and b) Web Site Operators can use the icon for free on websites with a purely national focus and readership (definition below) Purely National Focus and/or Readership shall, for the purposes of this agreement, imply the website for which a Website Operator intends to licence the OBA Icon must be principally and mainly directed to one country. The designated country shall be determined in particular by the language, which is predominantly used by the website and the Website Operator's registered address. Sections in other languages may not be more than a supplement. For the purposes of this agreement, a Website Operator of a website with a Purely National Focus and/or Readership shall have a registered address in the designated country Do we need to assume that these costs are to be paid from here to eternity? As per the above these are to cover the running costs of the Programme, closely supervised by all founding associations of the EDAA. What are the main concerns in other markets and how have those being solved? To be further discussed during the meeting. Ad Network: What are the fees related to the icon and YOC integration? Each is 5 k EUR / year, with a reduced fee of 3 k EUR/year for SMEs. There has been no mention about the start up fees but apparently there are these kinds of fees as well? The programme was launched in 2012, and significant costs were incurred in 2012 to set it up. The EDAA budget was built taking into account revenue from 2012 fees as well. However the EDAA (for various reasons) has only been launched in October 2012, thus leaving important amounts, already spent for the setup, to be covered. Recognising though that the Programme was not functional through the whole 2012, the fees are going to be charged just at 50%, which combined with postponing some of the costs to 2013, should keep the lights on and allow the programme to function. Who needs to buy the icon and who the YOC integration if the technical provider and media house/media representative are different companies? The party placing the ads based on behavioural profiles need to place the icon hence licence is needed. The party collecting data and crunching profiles must provide choice therefore integration with YOC is needed. 6

7 If it is the technical provider who buys that YOC integration, does it only buy it ones even if the technological system is used by many different media houses/representatives? Yes. Unless the clients want to join YOC for marketing/transparency reasons, in which case they would have to integrate individually even if using the same technical back-end. Who is the one putting the icon on the banner if there is more then one party doing behavioral targeting through many different systems? (Media agency --> Adform, media representative (network) --> Adtech, media house --> emediate) If more than one party is doing OBA, then all parties doing OBA must make sure that the icon is delivered. If they have control and can agree within the chain who places the icon, then this is one way to do it. Otherwise they can agree that the Icon is delivered with every ad, or can deliver the icon anyway (technical specs try to prevent icon clashing and unpleasant consumer experience). If it is the last one doing targeting by using 3rd party data that needs to show the icon, doesn't it go against the OBA framework since it is often the media agencies doing most of the behavioral targeting? See above. Not the last, but all should make sure. In this case, agency is acting as third party, and the Framework and Self-Certification Criteria clearly state that it should be complying with the provisions applicable to the role (i.e. third party in this case). If all the parties are obeying OBA framework and behavioural targeting is done by all of the parties, how can the systems talk to each other in a way that we don't end up having many icons on top of each other on the banner? Unfortunately the meta-data mechanism is not available yet. We re discussing at industry level how to make it possible, there are proprietary solutions out there (i.e. Evidon/TRUSTe or AdPlayer by AdTech), but no industry standard. Main problem is iframes, and US colleagues are trying to create a specification for a managed iframe that could pass data. For the most part, media houses are excluded from the OBA framework. Why is that? Doesn't it go against the purpose of the whole issue? (Consumers would need to have better knowledge about why certain ads are shown to them) As per the above, players acting in a certain role (ex. Third Party) need to comply with the requirements of that role. So not excluded. Do media houses need to show the icon if they use remarketing data from the customer's site to show ads based on this behavioural targeting (remarketing data) on their own sites? Yes. This is OBA by definition, transparency and choice is required. It is the technical providers/systems that are present on YOC site, right? If so, what is the reason for that? Doesn't it confuse the consumer who has wanted to stop receiving behavioural targeted ads from one particular site? The site will not be present in there. Correct. However the major issue the consumers seem to have is related to what is going on behind the scenes. People seem to understand and not be too concerned about giving some data to First 7

8 Parties, but want control over data collection and use by Third Parties, players who are not very visible to them. Has OBA framework been implement to its full extent by using the opt-out model in any of the European countries and if so, has it worked in practice? What takeaways can be taken from these? Not sure if the question refers to the OBA Framework (which is opt-out everywhere) or to the eprivacy directive. The Framework is not directly a tool to comply with the law, but an argument to defend the fact that the industry is responsible and can act towards being a trustful partners to the Commission and consumers. However in most of the EU countries the eprivacy Directive was implemented using wording that allow for implied consent (thus opt-out). In the UK the ICO is for instance very supportive and issued recommendations to companies to become compliant with the OBA Framework. If I have understood correctly, OBA framework has been implemented in some European countries by using opt in model, how has that worked in practice? What takeaways can be taken from these? Two countries to date, Croatia (outside of the EU and weak industry voice) and the Netherlands. In the Netherlands the law is under review as we speak, as they have succeeded to both shut down some businesses and annoy consumers. We get very good feedback from Dutch colleagues on how the discussions are going. Is there really a purpose of doing this OBA framework still now that we know that a stricker directive is coming from EU anyway and there seems to be many question marks of how OBA framework can really work in practice? The Data Protection Regulation (so not a Directive) is indeed being drafted in Brussels. It will take some time though until it will become effective, and Self-Regulation is one of the most effective arguments we are using at Brussels (and local!) level to get key political stakeholders to support our views. The Self-Regulatory Programme is not optional anymore from this perspective if this fails, we will only reinforce the arguments of the opponents, saying that this proves industry is not able to move and become responsible by itself- therefore strong regulation and enforcement is needed. 8