The Australian Best Practice Guideline for Online Behavioural Advertising has been developed by the industry to help participants deploy Third Party OBA in a way that promotes and maintains consumer confidence.
The Guideline lays down seven self-regulatory principles for the industry when engaged in Third Party OBA.
Principle I. Personal Information And Third Party IBA
Third parties shall not combine IBA data with Personal Information unless they treat the IBA data as Personal Information in accordance with the Privacy Act 1988.
Principle II. Providing Clear Information To Web Users
A. Third Party Notice
1. IBA Policy Notice
Third Parties should give clear and comprehensible notice on their Websites describing their practices in relation to the collection and use of IBA Data for Third Party IBA. Such notice should include clear descriptions of the following:
(a) Their identity and contact details;
(b) The types of data collected and used for the purpose of providing Third
(c) The purpose or purposes for which Third-Party IBA Data is processed and the recipients or categories of recipients to whom such data might be disclosed; and
(d) An easy to use mechanism for exercising choice with regard to the collection and use of IBA Data for Third-Party IBA purposes and to the transfer of such data to Third Parties for Third-Party IBA.
(e) The fact that the Third Party adheres to these principles.
2. Enhanced Notice To Web Users
In addition to providing notice as described in A1, Third Parties who have not obtained Express Consent from Web Users in relation to the collection and use of Third Party IBA should provide enhanced notice as set out below in a) or b):
(a) In-Ad Notice
Third Parties should provide notice of the collection of data for Third-Party IBA purposes through a web link to a disclosure described in A.1.:
- (i) In or around all advertisements deployed using Third-Party IBA; or
- (ii) On the Web page where Third Party IBA advertisements are present, if there is an arrangement with the Website Operator for the provision of such notice; or
(b) Notice on industry-developed Website(s)
Third Parties should be individually listed on an industry-developed Website(s) linked from the disclosure described in II B.
B. Website Operator Notice
In addition to complying with applicable existing legal obligations, when a Website Operator permits data to be collected from that Website and used for Third-Party IBA purposes by Third Parties, the Website Operator should provide disclosure of this Arrangement.
Principle III. Web User Choice About IBA
A. Each Third Party should make available a mechanism for Web Users to exercise their choice with respect to the collection and use of data for Third-Party IBA purposes. Such a mechanism should be accessible via the notice described in Principle II.
B. Service Providers should obtain Express Consent prior to engaging in Third Party IBA.
C. Service Providers should provide an easy to use mechanism for Web Users to withdraw their Express Consent to the collection and use of IBA Data for Third Party IBA.
Principle IV. Keeping Data Secure
Entities should maintain appropriate physical, electronic, and administrative safeguards to protect IBA Data.
B. Data Storage
Entities should retain IBA Data only for as long as necessary to fulfill a legitimate business need, or as required by law.
Principle V. Careful Handling Of Sensitive Segmentation
IBA categories uniquely designed to target children under 13 will not be created. This principle does not restrict the collection of IBA Data for the purpose of marketing children’s products to parents and other adults.
B. Other Sensitive Segments
Any Entity seeking to deploy Third Party IBA which relies on the use of Sensitive Market Segments should obtain a Web User’s Express Consent, in accordance with applicable law, prior to engaging in Third Party IBA using that information.
Principle VI. Educating Users
Entities that engage in IBA should provide information to inform individuals and businesses about IBA including easily accessible information about how data for IBA purposes are obtained, how it is used and how Web User choice may be exercised.
This may include information in easy-to-understand language and user-friendly format (such as online video). Entities and Associations are encouraged to use a consistent or common resource for such educational information.
Principle VII. Being Accountable
A. Applicability and Eligibility
This Guideline is self-regulatory in nature and creates obligations for any signatory.
Signatories to this Guideline are responsible for self-certifying that they comply with this Guideline. Self-certification of compliance shall be limited to those requirements of this Guideline that are applicable to each signatory’s business model.
In the event that a single signatory may be subject to multiple obligations, self-certification must cover all such applicable provisions.
Entities engaging in Third Party IBA in Australia should undertake:
(a) a review of their Websites and Websites of Third Party IBA business partners for the purpose of validating compliance with obligations under this Guideline;
(b) to resolve any identified areas of non-compliance in a transparent manner and within a reasonable period of time.
D. Handling Consumer Complaints
Complaints procedures under this Guideline should comply with the following principles:
(a) complaints should be made directly to the Entities;
(b) Transparent, easily recognizable, and accessible mechanisms for handling complaints through independent, alternative dispute resolution mechanisms such as bodies that have been nominated to handle complaints; and
(c) Reporting on complaints made under this Guideline.