Self- certification Criteria for companies participating in the European Self- Regulatory Programme on OBA. Document version: 1.1

Transcription

1 Self- certificatin Criteria fr cmpanies participating in the Eurpean Self- Regulatry Prgramme n OBA Dcument versin: 1.1 Date: 16 Nvember 2012

2 Table f cntents 1. Intrductin 3 2. Criteria fr self- certificatin f cmpliance Third Parties Data security Safeguards Data Strage Sensitive Segmentatin Children s segmentatin Other sensitive segments Educatin Cmplaints handling Third Party Privacy Ntice Third Party Enhanced Ntice User Chice Explicit cnsent Best- practice recmmendatins fr self- certificatin f cmpliancebest practice recmmendatin Advertisers Best practice recmmendatin Agencies Best practice recmmendatin Publishers 9 3. Ntificatin f self- certificatin Frequently Asked Questins 11 2

3 1. Intrductin The Eurpean Interactive Digital Advertising Alliance ( EDAA ) is a nn- prfit rganisatin based in Brussels and is respnsible fr enacting key aspects f the self- regulatry initiative fr Online Behaviural Advertising ( OBA ) acrss Eurpe. EDAA principally acts as the central licensing bdy fr the OBA Icn and prvides technical means fr cnsumers t exercise transparency and cntrl ver OBA thrugh the nline cnsumer chice platfrm at EDAA is gverned by EU- level rganisatins which make up the value chain f OBA within Eurpe and acts t ensure Eurpean (and glbal) cnsistency in apprach. The Self- Regulatry Initiative n OBA is based n IAB Eurpe s Eurpean Framewrk fr Online Behaviural Advertising (herein referred t as the IAB Eurpe OBA Framewrk ), aimed t increase transparency and cntrl fr Online Behaviural Advertising, and being an integral part f the Eurpean Advertising Standards Alliance s ( EASA ) cmprehensive self- regulatry Best Practice Recmmendatin ( BPR ) fr Online Behaviural Advertising; tgether, these dcuments utline the Principles f the Eurpean Self- Regulatry Prgramme fr OBA. Under Principle VI Cmpliance and Enfrcement Prgrammes, the IAB Eurpe OBA Framewrk states that: Fllwing the adptin f this Framewrk and the Icn each Cmpany shuld cmply and self certify by 30 June Cmpanies adpting the Framewrk later than 1 January 2012 shuld cmply and self certify within 6 mnths f adpting the Framewrk and the Icn. In line with the abve, this dcument aims t prvide cmpanies participating in the Eurpean Self- Regulatry Prgramme n OBA with a cmprehensive set f criteria fr self- certificatin f cmpliance. Self- certificatin f cmpliance shall be limited t thse requirements applicable t each signatry s business mdel; hwever, shuld a signatry be subject t multiple bligatins, self- certificatin must cver all such applicable prvisins. In ther wrds, if a signatry fulfils mre than ne rle in the advertising ec- system, then it shuld cmply with the requirements applicable t each f these rles. Self- certificatin f cmpliance under this dcument and the Eurpean Principles Dcuments des nt exempt Cmpanies frm fulfilling their bligatins under applicable natinal laws. This dcument is based n the IAB Eurpe OBA Framewrk, EASA Best Practice Recmmendatin n Online Behaviural Advertising and the Technical Specificatins fr implementing the IAB Eurpe OBA Framewrk and EASA BPR in Eurpe. 3

4 2. Criteria fr self- certificatin f cmpliance Third Parties Under the terms f the Eurpean Principles Dcuments, a number f prvisins apply t signatry cmpanies acting as Third Parties. In practice, a signatry cmpany may simultaneusly play several rles; in such circumstances, self- certificatin must cver all applicable prvisins. Fr the purpses f this dcument, a number f rles have been identified: Advertisers. An Advertiser is an entity that pays fr the prductin, executin, and placement f an nline advertisement, usually fr ne f its wn prducts r services. Agencies. An Agency is an entity that manages the prductin, executin, r placement f an nline advertisement n behalf f the Advertiser. Third Parties. As defined by the IAB Eurpe OBA Framewrk, an entity is a Third Party t the extent that it engages in Online Behaviural Advertising n a web site r web sites ther than a web site r web sites it r a an entity under Cmmn Cntrl wns r perates. The fllwing (but nt limited t) can be examples f Third Parties: Ad Netwrks. An Ad Netwrk is an entity that cnnects Advertisers t web sites that hst nline advertisements, ptimizing value fr bth Advertiser and Publisher. Ad Servers. Ad Servers are entities that prvide specialized sftware t Publishers, Advertisers and Ad Netwrks t deliver and reprt n nline advertising campaigns. OBA Prviders. An OBA Prvider is an entity that develps and uses r prvides in the marketplace technlgy t cllect data fr OBA purpses and t deliver OBA Ads 1. Ad Exchanges. Ad Exchanges represent technlgy platfrms that facilitate autmated auctin- based pricing and buying f nline advertising inventry in real- time. Ad Exchanges represent a sales channel t Publishers and Ad Netwrks, and a surce f nline advertising inventry fr Advertisers and Agencies. Demand Side Platfrms. A Demand Side Platfrm (DSP) is a system that allws Advertisers t manage their bids acrss multiple Ad Exchanges in rder t minimize expenditure while maximizing results. Supply Side Platfrms. A Supply Side Platfrm (SSP) is a system that allws Publishers t autmate the management f their inventry acrss multiple Ad Exchanges r Ad Netwrks, in rder t maximize incme. Publishers. A Publisher is the wner, cntrller r peratr f the web site with which the web user interacts. The IAB Eurpe OBA Framewrk refers t the Publisher as being the Web Site Operatr. 1 As defined in the Technical Specificatins fr implementing the IAB Eurpe OBA Framewrk and EASA BPR in Eurpe 4

5 2.1. Data security Safeguards Cmpanies shuld maintain apprpriate physical, electrnic, and administrative safeguards t prtect the data cllected and used fr OBA purpses, including any backups. Sme examples fr hw this culd ptentially be dne but nt limited t: 1. Apprpriate physical safeguards. Cmpanies may implement internal prcesses fr ensuring OBA data security frm a physical perspective. Physical access t OBA data culd, even within the cmpany, be granted nly based n business reasns and all access shuld be mnitred and lgged as part f standard business practice. 2. Apprpriate electrnic safeguards. Cmpanies culd implement electrnic data prtectin tls against unauthrised access, including (but nt limited t) data encryptin r firewalls. 3. Apprpriate administrative safeguards. Cmpanies culd implement apprpriate administrative measures, such as, if applicable, specific clauses in cntracts with emplyees, partners r cntractrs, r any internal prcedures designed t prevent unauthrised access Data Strage Cmpanies shuld retain data that is cllected and used fr OBA nly fr as lng as necessary t fulfil a legitimate business need, r as required by law. Sme examples fr hw this culd ptentially be dne but nt limited t: 1. Set a reasnable validity interval n any data cllected fr OBA purpses. 2. Delete data cllected fr OBA purpses when the validity interval has been exceeded Sensitive Segmentatin Children s segmentatin Cmpanies will nt create segments fr OBA purpses that are specifically designed t target children (age 12 and under). While this des nt mean that ad delivery will cease, it means that n advertisements specifically targeted fr age 12 and under will be delivered t this categry Other sensitive segments Shuld a Cmpany seek t create r use such OBA segments relying n use f sensitive persnal data, as defined under Article 8.1 f Directive 95/46/EC (racial r ethnic rigin, plitical pinins, religius r philsphical beliefs, trade- unin membership, health, sex- life), they must btain a web user s Explicit Cnsent, prir t engaging in OBA using that infrmatin Educatin Cmpanies that engage in OBA shuld prvide infrmatin t infrm individuals and businesses abut OBA, including easily accessible infrmatin abut hw data fr OBA purpses is btained, hw it is used and hw web user chice may be exercised. Sme examples fr hw this culd ptentially be dne but nt limited t: 5

6 1. Prvide infrmatin regarding their OBA business practices, either via pages n Cmpanies wn site(s), r by linking t the OBA User Chice Site. This infrmatin shuld cntain, at a minimum, a descriptin f: a. What OBA means and hw OBA wrks b. Hw OBA is used by the Cmpany c. Hw data fr OBA purpses is cllected, stred, prcessed and used d. Hw user chice may be exercised 2. Infrmatin prvided shuld be made easily accessible fr users; this can be dne by creating a link n the fter f the site, n the hme page r n the general Terms and Cnditins page, unless stated therwise in the Best- practice recmmendatins fr self- certificatin f cmpliance sectin belw 3. Infrmatin shuld be prvided in a language easily understd by the average Internet user (i.e. aviding where pssible technical terms and specialised wrding) 2.4. Cmplaints handling Web users may make cmplaints abut incidents f suspected nn- cmpliance with the Principles f the Eurpean Self- Regulatry Prgramme n OBA. While web users will have available a number f ways t make cmplaints, Cmpanies must ensure that, regardless f what means the user uses t submit the cmplaint (whether directly t the Cmpany r thrugh an industry r self- regulatry bdy), prper prcesses are in place t ensure a timely and satisfactry respnse and reslutin f the issue, if necessary. In rder t be cmpliant, cmpanies shuld: 1. Implement and ensure efficient and timely functining f internal cmplaint handling mechanisms. It is recmmended that the time interval t respnd t user cmplaints shuld nt be mre than 7 days and shuld address the substance f the cmplaint. 2. Implement an easily accessible mechanism fr cmplaints t be filed directly with cmpanies. 3. Ensure an efficient prcess in place fr respnding t enquiries made by natinal self- regulatry bdies n OBA- related issues and frmal unreslved OBA cmplaints. 4. Adhere t the enquiring self- regulatry rganisatin s prcedures fr cmplaint handling Third Party Privacy Ntice Third Parties shuld give clear and cmprehensible ntice n their websites describing their OBA data cllectin and use practices. Fr the purpses f this dcument, clear and cmprehensible shuld be defined as simple, layman s language; als, the link t the respective ntice shuld be easily accessible fr the users (i.e. clear link n the hmepage) and shuld be distinct frm the Terms and Cnditins sectin. The ntice shuld include the fllwing infrmatin: Third party s identity and cntact details; 2 Different natinal self- regulatry bdies may apply slightly different cmplaints handling prcedures; as such, shuld a cmplaint be filed- in with a self- regulatry bdy, the enquiry t be further made by the SRO t the cmpany will be accmpanied by the relevant set f prcedures. Pan- Eurpean cmpanies wishing t receive infrmatin in advance abut the generic prcedures fllwed by the self- regulatry bdies in Eurpe can address a request t the Eurpean Advertising Standards Alliance (EASA). 6

7 The types f data cllected and used fr the purpse f prviding OBA, including an indicatin as t whether any data cllected is persnal data r sensitive persnal data as defined by the relevant natinal implementatin f Directive 95/46/EC; The purpse r purpses fr which OBA data is prcessed and the recipients r categries f recipients nt under Cmmn Cntrl t whm such data might be disclsed; A link t the OBA User Chice Site; An easy- t- use mechanism fr allwing Internet users t exercise chice with regard t the cllectin and use f data fr OBA purpses and t the transfer f such data t Third Parties fr OBA; this mechanism can be either a link t the pt- ut page f the OBA User Chice Site r a mre advanced User Preference Management tl implemented by the Third Party n its wn web page. A statement t the effect that the Cmpany adheres t these Principles: 2.6. Third Party Enhanced Ntice Third Parties shuld prvide enhanced ntice f the cllectin and use f data fr OBA purpses via the Ad Marker in r arund the advertisement, in accrdance with the prvisins f Technical Specificatins fr implementing the IAB Eurpe OBA Framewrk and EASA BPR in Eurpe. Regardless f varius arrangements with Web Site Operatrs r Agencies/Advertisers, the respnsibility t display the enhanced ntice belngs t Third Parties. Fr this reasn, shuld a Third Party fail t cmply with the enhanced ntice bligatins, it is the Third Party and nt the Web Site Operatr r Agency/Ad Server that will be cnsidered t be nn- cmpliant. In rder t display the Enhanced Ntice, the Third Party must have a licence; in the Eurpean Unin/Eurpean Ecnmic Area (EU/EEA) the relevant licence can nly be btained frm the Eurpean Digital Advertising Alliance, under specific terms and cnditins User Chice Each Third Party shuld make available a mechanism fr web users t exercise their chice with respect t the cllectin and use f data fr OBA purpses and the transfer f such data t Third Parties fr OBA. In practice, this means: 1. There shuld be a clear link frm the Ad Marker r frm the interstitial page 3 t the OBA User Chice Site. 2. Integratin f the Third Party with the user chice mechanism hsted n the OBA User Chice Site must be in place and wrk reliably ver time; this bligatin refers mainly t OBA Prviders r any Third Parties using their wn means t uniquely identify a brwser (i.e. ckies r any ther technical slutins). 3. The practice f using technlgies in rder t circumvent the user s express chices (fr example by deliberately re- spawning deleted ckies), is nt regarded as cmpliant with data prtectin law and shuld nt be used. 3 As per the Technical Specificatins fr implementing the IAB Eurpe OBA Framewrk and EASA BPR in Eurpe 7

8 2.8. Explicit cnsent T the extent that Cmpanies cllect and use data via specific technlgies r practices that are intended t harvest data frm all r substantially all URLs traversed by a particular cmputer r device acrss multiple web dmains and use such data fr OBA, they shuld first btain Explicit Cnsent. Als, any Cmpany seeking t create r use such OBA segments relying n use f sensitive persnal data as defined under Article 8.1 f Directive 95/46/EC will btain a web user s Explicit Cnsent, in accrdance with applicable law, prir t engaging in OBA using that infrmatin. Sensitive persnal data, as defined under Article 8.1 f Directive 95/46/EC, represent: racial r ethnic rigin, plitical pinins, religius r philsphical beliefs, trade- unin membership, health, sex- life. Explicit Cnsent is defined by the IAB Eurpe OBA Framewrk as an individual s freely given specific and infrmed explicit actin in respnse t a clear and cmprehensible ntice regarding the cllectin and use f data fr Online Behaviural Advertising purpses. As a cnsequence, in rder fr a cmpany t be cmpliant, the fllwing cnditins must be fulfilled simultaneusly: 1. The user must have been infrmed, in wn language and with simple, nn- technical wrding, that all r mst f their brwsing activities will be cllected and stred, in rder t be used later fr OBA purpses. 2. The cnsent must be given specifically fr the cllectin and use f data fr OBA purpses (i.e. a cmpany is nt cmpliant if the user gives Explicit Cnsent t data cllectin and use, but OBA is nt specifically mentined r is mentined in an ambiguus manner). 3. Explicit Cnsent must be freely given, meaning that it must nt be induced in any way, by (but nt limited t) suggesting users that certain brwsing functinalities wuld nt be available r their nline experience might be impaired by nt cnsenting. 4. When btaining Explicit Cnsent cmpanies must als infrm users that the Explicit Cnsent can be withdrawn at any time: a. Users must be prvided with an easy t use mechanism t withdraw their Explicit Cnsent t the cllectin and use f OBA data; b. There must be a clear, dedicated link (i.e. nt in the Terms and Cnditins r a similar page) frm the cmpany s hme page t the withdrawal mechanism; c. While the wrding that shuld appear n the link is nt prescribed, it must be easily understd by the users; d. The withdrawal mechanism shuld be simple and shuld nt ask users fr any additinal data; e. Once the user has withdrawn the Explicit Cnsent, cllectin and use f OBA data must stp Best- practice recmmendatins fr self- certificatin f cmpliancebest practice recmmendatin Advertisers Advertisers have n specific bligatins under the terms f the IAB Eurpe OBA Framewrk and EASA BPR n OBA. Hwever, if the Advertiser, n its wn site, permits data t be cllected by 8

9 Third Parties in rder t be used n a web site nt under Cmmn Cntrl 4 fr OBA purpses, the Advertiser is acting as a Web Site Operatr 5, and therefre shuld prvide adequate disclsure f this arrangement. Fr further details please see Sectin 2.11 belw: Best practice recmmendatin Publishers. Als, while nt an bligatin in itself, Advertisers shuld be aware that it is envisaged that the penalties fr nn- cmpliant players (Ad Netwrks, Third Parties, Publishers) are remval f the B2B seal and cmmunicatin f the failure t cmply t the market and the public 6. It is therefre recmmended that signatries acting as Advertisers cnsider the cmpliance status f their suppliers when cnducting business transactins Best practice recmmendatin Agencies Agencies have n direct specific bligatins under the terms f the IAB Eurpe OBA Framewrk and EASA BPR n OBA. Agencies, hwever, play a key rle in serving the Ad Marker; while this des nt mean that Agencies take respnsibility r assume liability that the Ad Marker will always be served in the crrect place, practical cnsideratins may dictate that the Ad Marker is served by the Originating ad server (usually the Agency ad server) 7. Similar t the situatin fr Advertisers, while nt an bligatin in itself, Agencies shuld be aware that it is envisaged that the penalties fr nn- cmpliant players (Ad Netwrks, Third Parties, Publishers) are remval f the Trust Seal 8 and cmmunicatin f the failure t cmply t the market and the public 9. It is therefre recmmended that signatries acting as Agencies cnsider the cmpliance status f their suppliers when cnducting business transactins Best practice recmmendatin Publishers The IAB Eurpe OBA Framewrk strngly recmmends that Web Site Operatrs infrm Internet users abut OBA data cllectin by Third Parties n their sites. When the cmpany, n its wn site(s), permits data t be cllected by Third Parties in rder t be used n a web site nt under Cmmn Cntrl fr OBA purpses and the Ad Marker is nt prvided by these Third Parties, the cmpany prvides Adequate Disclsure f this arrangement via a link in the fter, having the fllwing characteristics: The link is placed in the fter f all pages, and is distinct frm the Terms and Cnditins link; The exact wrding f the link itself is nt prescribed, but it shuld be self- explanatry (i.e. the average visitr t the site wuld understand that by clicking n the link he/she will be redirected t a page where infrmatin abut data cllectin n the site is presented) 10 ; A user clicking n the link is presented with an infrmatin page cntaining the fllwing: 4 As defined in the IAB Eurpe OBA Framewrk 5 As defined in the IAB Eurpe OBA Framewrk 6 As per the EASA BPR n OBA, principle IV Cmpliance and Enfrcement Prgrammes 7 As defined in the Technical Specificatins fr implementing the IAB Eurpe OBA Framewrk and EASA BPR in Eurpe 8 The Trust Seal is granted by ne f the independent Certificatin Prviders selected by the EDAA. Details f the Certificatin Prviders will be published n the EDAA website at befre the end f As per the EASA BPR n OBA, principle IV Cmpliance and Enfrcement Prgrammes 10 Examples f text can be fund in the Technical Specificatins fr implementing the IAB Eurpe OBA Framewrk and EASA BPR in Eurpe 9

10 A list f Third Parties wh are active n the site and with which the user, wittingly r unwittingly, may be interacting; OR Links t further infrmatin n OBA and nline privacy such as the OBA User Chice Site; Optinally, any ther infrmatin that supprts user understanding and the aims f the IAB Eurpe OBA Framewrk. 3. Ntificatin f self- certificatin EDAA will maintain and update, n its website, a list f cmpanies that are self- certified. As such, nce the criteria fr self- certificatin f cmpliance are fulfilled, cmpanies will ntify EDAA via an n- line frm, available n EDAA s website. Cmpanies that sign the IAB Eurpe OBA Framewrk r btain the OBA Icn licence after 1 January 2012 must becme cmpliant and self- certify within 6 mnths f the signing date. Cntact inf@edaa.eu Eurpean Interactive Digital Advertising Alliance 10-10a rue de la Pépinière, 1000 Brussels Belgium 10

11 4. Frequently Asked Questins 1. What is the deadline t becme self- certified? Cmpanies that have signed the IAB Eurpe OBA Framewrk after 1 st f January 2012 must cmply within 6 mnths f adpting the Framewrk. Cmpanies that participate in the Self- Regulatry Prgramme withut being a signatry f the IAB Eurpe OBA Framewrk must self- certify within 6 mnths f signing the Licence Agreements with the EDAA. 2. I am nt a Third Party. D I still need t submit t an independent auditr? N. The IAB Eurpe OBA Framewrk clearly states, Cmpanies that are subject t Principle II shall submit t independent audits f their self- certificatin. Principle II f the IAB Eurpe OBA Framewrk applies t: (a) Third Parties and (b) Cmpanies that cllect and use data via specific technlgies r practices that are intended t harvest data frm all r substantially all URLs traversed by a particular cmputer r device acrss multiple web dmains and use such data fr OBA. 3. I am nt a Third Party. What d I need t d in rder t be self- certified? In rder t be self- certified yu have t implement the prvisins f the applicable (accrding t yur rle in the digital advertising ec- system) sub- sectin f the Best- practice recmmendatins fr self- certificatin f cmpliance sectin. 4. As a Third Party, what d I need t d in rder t be self- certified? In rder t be self- certified yu have t implement business prcesses and, if the case, technlgies, t fulfil the prvisins f the Criteria fr self- certificatin f cmpliance sectin f this dcument. 5. I am a Third Party as defined in the IAB Eurpe OBA Framewrk. What des self- certificatin mean fr me? Self- certificatin is a first step in rder t be granted with the Trust Seal certifying that yu are cmpliant with the industry self- regulatry Prgramme n OBA as per the IAB Eurpe OBA Framewrk. 6. Wh grants the Trust Seal? The Trust Seal is granted by ne f the apprved Certificatin Prviders selected by the EDAA. Details f the apprved certificatin prviders will be available n the EDAA website at befre the end f