Digital Advertising & Consumer Privacy: Roads Converge in 2024

Jan 22, 2024 by The Digital Advertising Accountability Program (DAAP) Team

Deprecation of traditional third-party cookie tracking and the adoption of new tracking alternatives (pixels, server-side tracking, etc.) has animated a new wave of regulatory issues that complicate business compliance with consumer privacy in digital advertising. In 2023, BBB National Programs’ Digital Advertising Accountability Program (DAAP), the industry watchdog for advertising privacy, saw cases reflecting this complex new landscape, and now we have identified best practices that can empower companies to take voluntary and responsible actions in 2024 to stay out of regulatory crosshairs.

Since 2011, DAAP has served as an independent accountability agent for the Digital Advertising Alliance (DAA), responsible for holding digital advertisers accountable when they fall short of their obligations to comply with the DAA’s Self-Regulatory Principles for online behavioral advertising and interest-based advertising (IBA).

 

2023 Case Highlights

Ticketmaster: Real-Time Enhanced Notice

DAAP’s Ticketmaster case (June 2023) involved implementing the DAA requirement that, whenever a website publisher allows third-party advertisers to collect user data for IBA, the publisher must notify consumers through “enhanced notice,” meaning a recognizable link on each webpage that is:

  • Separate and distinct from the website’s privacy policy link, and 
  • Clear, meaningful, and prominent.

 

Like many modern websites, ticketmaster.com uses a wide variety of divergent UI designs, requiring the company to be creative when providing real-time enhanced notice across all web pages. Ticketmaster decided to provide enhanced notice in multiple places with consistent “Ad Choices” language across the website to ensure users would have frictionless access to IBA disclosures from any page. In doing so, Ticketmaster demonstrated how companies can meet DAA obligations in a flexible manner by leveraging existing UI designs. 

With new state laws requiring specific disclosure link language, companies should avoid confusing consumers by adopting consistent and distinct language for DAA obligations such as “Ad Choices,” “Interest-based Advertising Choices,” or “My Privacy and Advertising Choices.”

Temu: Friction in IBA Disclosure Pathways

In DAAP’s case with Temu (August 2023), an online marketplace for third-party sellers, DAAP identified design practices that obstructed logged-out users from accessing privacy disclosures in violation of the DAA Principles’ enhanced notice requirement. If a user had not created an account or had not logged in, an opaque “sign in” popup would prevent access to the legal and IBA disclosures linked at the bottom of Temu webpages. 

The DAA Transparency Principle requires that real-time enhanced notice links provide consumers with a clear, meaningful, and prominent pathway to IBA disclosures; design elements that create friction in this pathway or that require user authentication before access fundamentally violate this requirement. Temu voluntarily resolved this matter by moving the design element and ensuring all consumers could access privacy-relevant disclosures regardless of sign-in status.

Etsy: Compliance Check-Ins

Like many companies, Etsy (October 2023), an online marketplace for third-party sellers, made changes to its privacy disclosures in anticipation of new state privacy law requirements. However, this resulted in its previous DAA-related disclosures being disaggregated across multiple webpages rather than in a concatenated manner or a dedicated space, as required to be clear to consumers under the DAA Principles. 

DAAP monitors companies it has previously reviewed for compliance, particularly where significant changes are made to a product, new privacy laws are passed, or a new product is introduced to the market. In this case, DAAP opened a new inquiry focused on Etsy years after a previous case to bring it back into compliance. 

Sonobi: Advertiser Opt-Out Obligations

A consumer submitted a complaint to DAAP about Sonobi (December 2023), a third-party digital advertiser active across multiple media channels, alleging that Sonobi’s advertising servers did not respond to opt-out cookies. Even though Sonobi participates in the DAA and NAI third-party opt-out tool, changes to the underlying logic in Sonobi’s AdTech stack prevented Sonobi’s server from reading opt-out cookies set by consumers, overwriting the opt-out cookie with a new personal identifier. Because Sonobi engages in cookie sharing among other third parties, this user identifier and certain browsing information were also passed to other advertisers as a result. Sonobi reengineered its servers to ensure that opt-out preferences were saved correctly. 

One of the key features of the DAA Principles is the requirement that third-party advertisers provide some method of consumer choice to opt out of future collection, historically cookies being the predominant approach. However, with the deprecation of third-party cookies on Google Chrome in 2024, DAAP anticipates a significant shift in how tracking technologies will be deployed. 

If a third-party advertiser only provides a limited opt-out or if its opt-out method continues to leak data due to a technical issue, this may violate the consumer control principle. Because the DAA Principles are technology neutral, consumer choice opt-outs will still be required even when cookieless tracking becomes a more common approach. 

Companies should consider the DAA’s recent 2024 guidance on this topic and think through how they will provide effective opt-out methods as part of their plans to shift to the next generation of tracking technologies. 

 

Trends to Stay Ahead of in 2024

Obtain Appropriate Opt-in Consent When Sharing Sensitive Data and Precise Geolocation Data with Advertisers

When collecting PII or browsing behavior from users for IBA purposes, the DAA Self-Regulatory Principles generally call for an opt-out privacy regime, where users can opt out of future collection by advertisers though an opt-out cookie or another appropriate opt-out mechanism. However, opt-in consent is required before collection in a handful of specific circumstances, as described next.

In 2022, DAAP released a compliance warning that reiterated and emphasized the conditions under which the DAA requires consent for data collection. Under the DAA Principles, opt-in consent is required before advertisers may collect or use:

  • Categories defined as sensitive data under the DAA Principles (such as financial account data, medical or prescription records, or data from a user under 13), 
  • Precise geolocation data collected from mobile devices and shared with third parties, and
  • Data that was previously collected before a material change to digital advertising practices.

 

In the compliance warning, DAAP stresses the importance of the DAA definition of consent, which requires user action in response to a clear and prominent notice about data collection practices and cannot be inferred from mere continued use of the product or service after notice. 

Stay Vigilant of DAA Enhanced Notice and Disclosure Requirements Separate from Consumer Privacy Laws

As companies have updated their privacy disclosures to align with the growing state privacy patchwork, they sometimes have left DAA disclosure obligations on the cutting room floor. Many cases this year dealt with the DAA enhanced notice requirements, which call on publishers and advertisers to provide real-time notice through a distinct link (separate from the “privacy policy” link) accessible on each webpage where third-party advertisers collect user data. This link must redirect users to a disclosure concerning IBA practices and advertiser opt-out mechanisms made available to the consumer (such as the DAA-developed third-party opt-out tool). 

Advertisers: Ensure Consumers Have Opt-Out Preference Control

Reports of the third-party cookie’s death have been grossly exaggerated over the years but may finally be becoming more accurate. Migration to the next generation of third-party tracking has already started in earnest, with many third-party advertisers offering new tracking solutions such as pixels, web beacons, or server-side tracking. These new tracking solutions should still offer consumers control and choice over their data. 

However, it is the responsibility of the third-party advertiser to provide some accessible means of preventing future collection to effectuate the consumer control principle. If there is no means of opting out for IBA collection, regardless of the tracking technology employed, the third party is in violation of this principle.

 

Stay Ahead of the Curve

Since its inception, DAAP has developed an interdisciplinary approach to monitoring the digital advertising market, ensuring that actors—both big and small—are aware of potential non-compliance, and will continue to hold advertisers, publishers, and service providers accountable to the DAA Principles. 

Any company involved in digital advertising should proactively assess whether its methods for transparency, consumer choice, and consent align with existing DAA guidance as part of an annual privacy compliance checklist.

Suggested Articles

Blog

Old MacDonald Had an Engagement Farm: Lessons Learned from FTC v. NGL

Capturing user engagement is the foundation of internet commerce. And while the incentives to prompt greater engagement are certainly understandable, the recent NGL Labs case from the FTC raises important questions about the ethical and legal ramifications when companies try to artificially generate engagement among their userbase.
Read more
Blog

Independence Day Edition: CBPR Framework Offers “Checks & Balances”

Going, Going, Gone Global, a webinar on the CBPR Global Forum, delved into how privacy impacts businesses’ brand reputation and builds trust with key stakeholders, discussed the purpose of the Global CBPR, and its value to Global Forum members.
Read more
Blog

Industry Self-Regulation: Part of the Solution for Governing Generative AI

The spotlight on generative AI remains bright. The benefits and risks continue to be ever-present in the minds of business and political leaders. No matter the timing or the setting, the creation of transparency, accountability, and collaboration among stakeholders is key to successful industry self-regulation as is the importance of setting standards and best practices.
Read more
Blog

The Demise of “Chevron Deference”: Who Will Fill the Regulatory Gaps?

The Supreme Court's 1984 ruling in Chevron v. NRDC held that courts should defer to federal agencies’ interpretations of ambiguous federal laws so long as those interpretations are reasonable. So given the court’s decision to overturn it, where does that leave companies that want a level playing field and perhaps even to raise the bar, instead of racing to the bottom?
Read more