With the recent release of Advertising Standards Canada (ASC)‘s first-ever accountability report measuring the industry’s compliance with the Digital Advertising Alliance of Canada (DAAC) AdChoices program, there’s never been a better time to break down exactly how Canadian companies can meet AdChoices regulations.
DAAC executive director Julie Ford says the first step companies can take is to review the organization’s six “Canadian Self-Regulatory Principles for Online Behavioural Advertising” (OBA), which themselves are based on guidelines from the Office of the Privacy Commissioner of Canada (OPC).
While some of the DAAC’s OBA principles – such as “Education,” which states that companies must play a role in teaching users how their browsing data may be collected, and how they can control their participation by opting out – apply equally to any entity involved with targeted online advertising, others such as “Transparency” mean different things to first parties, such as websites, than they do for third parties, such as ad networks.
“You can review them and decide where your company would fall under within the principles, and from there it lays out the groundwork for what a company would focus on to comply,” Ford says.
For third parties, the DAAC’s principle of transparency requires that users be provided with “enhanced notice” – a “clear, meaningful, and prominent link” that discloses whether data is being collected, and where, while first parties must include the notice directly on their websites.
The third principle, “consumer control,” states that first parties must provide consumers with a clear choice to opt out of data collection, presumably on their website, while third parties are given the choice of doing so either from the above-mentioned “clear, meaningful, and prominent link” or from the web page on which they’re advertising. In other words, when viewers opt out of targeted advertising directly on the website, they should be opting out of third-party advertising too. If not, the third party needs to make its own opting out option transparently clear – which, as the OPC has learned, doesn’t always happen.
The remaining principles – data security, sensitive data, and accountability – apply to both first and third parties equally.
Data security requires that safeguards be in place to protect the data being collected, that it only be retained for the length of time necessary “to fulfill a legitimate business need”, and that it be sufficiently altered or randomized to remove all personally identifying information. The most sensitive data – relating to children and “personal information” as defined by Canadian privacy legislation – is given its own section for emphasis.
Finally, companies must acknowledge that as the DAAC principles are self-regulatory, each party is individually responsible for implementing them, and for cooperating with ASC’s accountability program to make sure that whatever regulations are necessary remain in place. Any findings of noncompliance, of course, are publicly reported.
Ford says that companies must submit a report explaining how they will meet these standards when applying to the DAAC AdChoices program, after which they are monitored by ASC and authorized to use the AdChoices image for a nominal fee.