Online behavioural advertising: will new ASA rules stop the stalking?

Jill Pollock

Earlier this week, a new set of online behavioural advertising (OBA) rules came into effect, aiming to secure transparency and control for web users. The new rules will be enforced by the ASA. As OBA is typically administered by the use of cookies, these rules supplement existing opt in and transparency rules for cookies under the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (Regulations), which are enforced by the ICO.

As Datonomy readers are no doubt aware, OBA is a form of targeted advertising whereby third party advertising networks partner with websites from whom they collect data on users’ web viewing behaviour, in order to deliver them advertising that is more likely to be of interest. To illustrate by way of example, one of the Datonomy Home Team admits to being practically stalked by advertising for a particular brand of luxury handbag, as a result of her own online browsing.

What do the ASA rules require?

In terms of substance, there is some overlap between the ASA’s new guidance and the cookie consent opt in legal requirements under the Regulations, which have been enforceable in the UK since May 2012.

The new rules require:

  • Notifying consumers – third parties delivering ads to web users using OBA must give a “clear and comprehensive” notice to web users about the collection and use of web viewing behaviour data. This notice must be given on the third party’s own website and either in or around the advertisement delivered by OBA.
  • Consumer choice – the notice must also inform users of how to opt out of OBA and must include a link to a relevant mechanism that allows them to opt-out.
  • Explicit consent if all info captured – third parties that use technology to collect and use information about all or substantially all websites visited by web users on a particular computer must obtain explicit consent. This rule is aimed at “deep packet inspection” OBA, typically conducted at an ISP level.
  • No targeting the under 12s – third parties delivering OBA must also not create “interest segments” specifically designed for the purpose of targeting children aged 12 or under.

As mentioned, OBA is typically administered by way of a cookie, i.e. a small text file that is stored on the web user’s computer to determine which advertising they receive. It does therefore seem that there will be some potentially confusing overlap between this regime and that administered by the Information Commissioner’s Office. Whereas the ASA rules require an opt-out, the Regulations  require web users to have given prior consent to the use of ad-related cookies. In addition the Regulations will bite on both the third party OBA provider and the website publisher. Cookies used for behavioural targeting are at the more intrusive end of the scale and therefore the requirements under the Regulations for information and opt in consent are greater than for, say, analytic cookies.

Is this good news for web users?

Datonomy welcomes any change which allows web users to be better informed and exercise more choice over how their data is used. The ASA states that these new rules are integral to the European Self-Regulatory Framework. Datonomy notes that many third party ad networks already pay a licence fee to a pan-EU body, the European Interactive Digital Advertising Alliance (EDAA), to use a single icon in or around display advertisements in order to provide notice to users. This icon links to a website called, whereby users have the choice to opt out of a range of third parties’ OBA (for more info see this author’s note here). Nonetheless there are clear benefits to offering consumers and the industry recourse to an independent complaint handling body in the form of the ASA.

It is disappointing to us here at Datonomy that, the new rules do not cover the use of OBA on mobile devices. The ASA has stated that it envisages that the rules will be updated for mobile devices in the future. Given that over 10% of all web browsing now takes place via a mobile phone and that mobile is key to many retailers’ strategies, Datonomy is curious about the ASA’s justifications for leaving this browsing unprotected by the rules.

Enforcement risks for retailers?

The new rules are aimed at “third party” organisations. This means that the website owners or indeed the retailers of the goods advertised as a result of OBA (the luxury handbag brand, in our example above) are not directly on the hook. One potential problem with enforcing the new rules is that the ASA may not be able to identify the third party ad networks serving the advertising. To solve this issue, the rules provide that the advertiser on behalf of whom the advertising is delivered, must co-operate with the ASA in good faith to help determine the identity of the third party.  Retailers who outsource their OBA delivery will therefore wish to keep a close eye on any sub-contracting by their appointed third party ad network.

Given that the stricter rules on the use of tracking cookies have been fully in force since last year, will the addition of less onerous, soft law requirements make much difference?  The ICO has not published details of any enforcement action specifically in relation to behavioral advertising cookies, although it is taking steps against a number of non compliant websites, as it reported in its enforcement updates at the end of last year here and here.

Are Datonomy readers stalked by targeted ads?   Are opt outs being honoured in practice? Share your stories!

p.s. speaking of being followed online, we can’t help but nudge you to follow Datonomy on Twitter

Leave a Reply

Your email address will not be published. Required fields are marked *