The principles detailed below relate to Online Behavioural Advertising (OBA) – see Definitions below. The principles strive to ensure transparency and user control on the way third parties collect and use information online aiming to deliver advertisements based on the behaviors and the interests of the internet users.
In summary, should Third Parties wish to use OBA, they are required to leave a notice to the web users in the advertising itself or close to it. This notice should link to an appropriate mechanism for the web user to be able to refuse the collection of information about his/her preferences and interests in internet and the usage of such information by the Third Party or Third Parties for the purposes of delivering OBA.
In case of a breach of OBA principles, the users can submit complaints and signals to the National Council for Self-regulation (NCSR), which provides an efficient platform for complaint handling and transparent and independent implementation of the rules.
The present Rules are part of the initiative of the European Advertising Standrds Alliance (EASA) and its Best Practice Recommendations for Online Behavioural Advertising.
The Rules do not release in any way the advertisers and the Third Parties from their obligation to take all required by law actions to protect personal data.
(a) Online Behavioural Advertising means the collection of data from a particular computer or device regarding web viewing behaviours over time and across multiple web domains not under Common Control for the purpose of using such data to predict web user preferences or interests to deliver online advertising to that particular computer or device based on the preferences or interests inferred from such web viewing behaviours.
Such user preferences are often categorized in “behavioural segments”, which later are used for targeting a specific group of web users who demostrate the said preferences and interests.
(b) Online Behavioural Advertising does not include the activities of Web Site Operators (First Party), Ad Delivery or Ad Reporting, or contextual advertising (e.g. advertising based on the content of the web page being visited, a consumer’s current visit to a web page, or a search query).
OBA describes a technique to serve online advertisements that are targeted to the users’ potential interests. In order to be able to target ads, OBA companies try to predict a user’s interests and preferences based on the user’s past websites viewing record, for example in the form of data about page views or user clicks. This information about web viewing behaviour is collected over time and across multiple web domains, rather than from a single website. By definition, the OBA company, which is often a so-called ad network, collects information on viewing behaviour from websites that it does not own or operate.
(c) The definition includes also the so called behavioural re-targeting, where ads are delivered to users who have already expressed interest in a certain product, but have not yet generate a purchase.
An entity is a Third Party to the extent that it engages in Online Behavioural Advertising on a web site or web sites other than a web site or web sites it or an entity under Common Control owns or operates.
This definition refers to any company that delivers ads on a website / several websites that it does not own or operate. Typically major multinational ad networks such as Google Affiliate Network, Yahoo! Network Plus, or Microsoft Media Network, as well as local players, would be covered here.
Entities or web sites under Common Control include ones which Control, for example parent companies, are Controlled by, such as subsidiaries, or are under Common Control, such as group companies. They also include entities that are under a written agreement to process data for the controlling entity or entities, and do such processing only for and on behalf of that entity or entities and not for their own purposes or on their own behalf.
The first part of the definition refers to entities or websites which are under the control of one company such as parent companies, subsidiaries or group companies. These are not considered to be a Third Party. The second part of the definition refers to a company that processes data on behalf of and upon instruction by another company. This “data processor” is considered to be acting under “Common Control” because it does not operate for its own purposes.
A Web Site Operator is the owner, controller or operator of the website with which the web user interacts.
This definition refers to companies that own, control or operate a website, such as travel companies, real estate agencies, newspaper or magazine publishers or brand owners. It also refers to companies that operate a website on behalf of the owner.
Ad Reporting is the logging of page views on a web site or the collection or use of other information about a browser, operating system, domain name, date and time of the viewing of the web page or advertisement, and related information for purposes including, but not limited to:
• Statistical reporting in connection with the activity on a web site(s);
• Web analytics and analysis; and
• Logging the number and type of ads served on a particular web site(s).
Ad Reporting describes the logging of information that is used to measure statistical details about online advertisements, such as ad impressions, clicks, and user interaction on a website. Such information typically includes information about the browser and operating system a website visitor is using, or the time and date when a particular ad was viewed. Ad Reporting data forms an important part of all online advertising activities (not just OBA), because it allows advertisers to properly display ads (e.g. according to the technical specifications of a website visitor’s equipment/device) and to measure the performance of an ad campaign. For example, advertisers may choose to identify the most effective location for an advertisement on their website using Ad Reporting data.
Ad Delivery is the delivery of online advertisements or advertising-related services using Ad Reporting data.
Ad Delivery does not include the collection and use of Ad Reporting data when such data is used to deliver advertisements to a computer or device based on user preferences or interests inferred from information collected over time and across sites not under Common Control.
This definition clarifies that companies, which optimise the delivery of their online advertising on a website using Ad Reporting data, are not generally considered to be engaging in OBA. Where the delivery of online ads is optimised using Ad Reporting data only, this is not covered under this BPR. Such Ad Delivery is exempt because the collection of Ad Reporting data does not occur over time and does not occur across multiple websites that are not under Common Control.
The use of Ad Reporting data is not covered by this exception when it is used in a way that matches the definition of OBA. In other words, where a company collects Ad Reporting data across multiple web domains it does not own or operate and uses such data to create interest segments and to deliver ads which are targeted according to these interest segments, it does serve OBA as defined by the BPR and is therefore expected to comply with the obligations accordingly.
Explicit Consent means an individual’s freely given specific and informed explicit action in response to a clear and comprehensible notice regarding the collection and use of data for Online Behavioural Advertising purposes.
These rules do not apply to: contextual advertising; web analysis, delivery of ads or ads delivery reports; collection and use of information for behavioural advertising by operators of websites from their own websites or use of OBA in rich media, in-stream video online or on mobile devices.
OBA rules set different requirements for "third party", "first hand" and other service providers. If NCSR is not able to identify a third party, the advertiser on whose behalf an OBA advertisement is delivered to web users should assist in good faith NCSR to identify the third party.
To make sure that all users are aware and able to exercise control over the collection and use of information for the purposes of OBA, all third parties should abide by the following principles:
A.1. Third Party Privacy notice
All Third Parties engaged in OBA should provide clear and comprehensible information on their websites about data collection and its use for OBA purposes, as well as the practices used, including how an user can deny such data collection. The notice should provide a link to an appropriate mechanism for the user to refuse collection of information about his behavior in internet and the use of such information for the purposes of OBA from the given Third Party or other third parties.
A.2. Third Party Enhanced Notice to Consumers
In addition to the privacy notice on their own websites, Third Parties are required to provide an “enhanced notice” to consumers whenever they are collecting or using data for OBA purposes on a website that is not operated by them. The purpose of the enhanced notice is to provide the web user with information about the identity of the company that is delivering the ad and about the fact that the ad is targeted based on previous web viewing behaviour.
The enhanced notice can be delivered in two ways: either in the form of a notice controlled and branded by the Third Party directly with the information required above, or through the OBA User Choice Site. Furthermore, in the first case, the enhanced notice should inform the web user about the possibility to exercise a choice with regard to receiving OBA, and should contain a link to the User Choice Site – http://www.youronlinechoices.com
Principle I - A.2. requires an enhanced notice on the website where OBA is delivered by the Third Party or where data are collected for OBA purposes by the Third Party. Such an enhanced notice should be provided in or around OBA advertisements through the icon. The icon is a visible web based object that contains a hyperlink to the OBA User Choice Site and additionally may also contain a hyperlink to the Third Party Notice described in I.A.1.
The commitment is to serve an icon in or around all OBA ads.
B. Website Operator Notice
In instances where the Third Party does not provide the enhanced notice in or around the ad or on the website, Principle I.B. requires a notice by the Website Operator that the Website Operator permits data collection and its use for OBA purposes on its website by Third Parties. This notice should either link to the industry developed website or list individually the
Third Parties engaged in OBA on its website.
The particular Third Party engaged in OBA on a Website Operator’s website has the primary responsibility to ensure oversight and control. For this reason a Third Party and not the Website Operator would be in non-compliance with the principles if the Third Party fails to comply with the enhanced notice obligations.
A. Each Third Party that participates in the delivery of OBA should make available an user- friendly mechanism, in the form of an icon linking to the OBA User Choice Site, for web users to exercise their choice with respect to the collection and use of data for OBA purposes. This mechanism should be linked to the enhanced notice detailed in Principle I. Where a web user exercises his/her choice and objects to OBA data collection, OBA processes should no longer be used by that entity to facilitate the delivery of targeted online advertising to that user’s browser.
This principle provides that all web users who receive OBA, either via a computer, or other device, should enjoy choice over OBA activity through the OBA User Choice Site – http://www.youronlinechoices.com
B. Explicit Consent should be obtained on a prior basis by companies that use specific technologies or practices, such as browser toolbars, to collect data about all or substantially all websites that are visited on a particular computer or device and that use such data for delivering OBA. Where Explicit Consent has been obtained by a Third Party, it should provide an easy-to-use mechanism for web users to withdraw their Explicit Consent to the collection and use of such data for OBA.
Where such data are to be used to deliver OBA, the BPR requires the Third Party which collects the data to obtain the user’s Explicit Consent. These technologies/practices should also provide access to the OBA User Choice Site – http://www.youronlinechoices.com
C. Companies should not engage in techniques that bypass users’ expressed choices with regard to the collection and use of data for OBA purposes. Companies should take measures to address these practices when they learn of their use, including referrals to the appropriate authorities.
NCSR realises that there are business practices which are designed to go against the choice expressed by the user. Principle II.C clarifies that the advertising and marketing industry is opposed to these illegal practices and condemns their use. It is clear from this principle that the BPR in no way tries to enable or facilitate the use of such practices.
A. Children’s segmentation
Third Parties should not create segments that are specifically designed to target children using Online Behavioural Advertising. This does not restrict the collection of OBA data for the purpose of marketing children’s products to parents and other adults.
B. Segments using sensitive personal data
Any company seeking to create or use OBA segments relying on the use of sensitive personal data must obtain a web user’s prior explicit consent, in accordance with applicable law.
The National Council for Self-regulation (NCSR) ensures the implementation of effective mechanisms to guarantee compliance and complaint handling.
The Rules incorporate the requirements which have been established under IAB Europe’s OBA Framework; these are binding for all signatories of that Framework, complemented by a comprehensive industry-wide compliance and enforcement programme comprising of two elements.
Firstly, a new procedure is being introduced to measure compliance with the commitments of signatory companies and establishes a system of enforcement and dispute resolution. Compliant companies will receive a periodically renewable B2B ‘seal’. Should a company fall behind and not remedy a significant breach of its obligations within a limited timeframe, the seal would be removed. As a consequence, this failure will be communicated to the market and the public.
Secondly, in the event that breaches are not resolved via the compliance programme of the signatory company, or that consumers’ complaints relate to OBA activity by non-signatory companies of the OBA Framework, these may be handled through EASA’s Best Practice Recommendation in order to provide cover for the entire advertising ecosystem. This ‘double-enforcement’ mechanism (‘EASA PLUS’) ensures that complaints of consumers are addressed in an adequate manner and that non-compliant companies are brought into compliance by proven sanction mechanisms.
The present Rules are applied by the National Council for Self-regulation (NCSR) through monitoring, complaint handling and compliance enforcement under the principles of transparency and accountability.
NCSR monitors the application of the OBA Rules in the Bulgarian online ecosystem.
NSS encourages all its partners to include in their contracts and other agreements pertaining to advertising and marketing communication, a statement by which the parties undertake to adhere to the existing self-regulatory rules and to respect decisions and rulings made by the appropriate self-regulatory body, as also stated in Art. 26 of the Consolidated rules for advertising and marketing communications of the International Chamber of Commerce (ICC).
NCSR provides a single portal for consumers - www.nss-bg.org and an easily accessible mechanism for the submission of electronic complaints in Bulgarian language associated with OBA.
The mechanism provides a preliminary classification of the complaints, in order to ensure appropriate referral to appropriate selfregulatory structures. This refers to the distribution of the complaints and feedback from customers and forwarding these to appropriate processes and structures. For example, complaints concerning the content of the ads are directed to the Ethics Committee, while complaints about non-compliance with the principles for online behavioural advertising are routed first to be solved by the relevant technical specialists.
In the case of cross-border complaints, NCSR uses the existing system for cross-border complaints of the EASA, which facilitates the exchange of complaints between the authority for self-regulation in the country where the ad appears and the competent authority in the country of origin of the advertiser.
NCSR shall notify the companies in case of complaints for possible non-complience with the OBA Rules and will cooperate to the clarification of the nature of the breaches. In the case of established violations, the selfregulatory body recommends for its removal.
A classic sanction in the self-regulation of the advertising sector is the principle of public disclosure through publication of decisions of the self-regulatory bodies. NCSR will take appropriate action regarding repeated offenders and rogue traders, including the highest penalty, namely notification of relevant legal authorities - the “legal safeguard” mechanism.
All decisions of NCSR are public on its website. Periodic reports and statistics regarding compliance are also publicly available.
In the case of cross-border complaints, EASA tracks the movement and handling of complaints and publish on its website regular reports on the results of cross-border cases, in addition to national reports.
These rules are subject to regular review in accordance with the best practice recommendation of EASA and changes in IAB Europe OBA Framework and other related codes, as well as the development of the OBA and business practices.
In force as of May 1, 2015