Digital Advertising & Consumer Privacy: Roads Converge in 2024

Jan 22, 2024 by The Digital Advertising Accountability Program (DAAP) Team

Deprecation of traditional third-party cookie tracking and the adoption of new tracking alternatives (pixels, server-side tracking, etc.) have animated a new wave of regulatory issues that complicate business compliance with consumer privacy in digital advertising. In 2023, BBB National Programs’ Digital Advertising Accountability Program (DAAP), the industry watchdog for advertising privacy, saw cases reflecting this complex new landscape. From those cases, we have identified best practices that can empower companies to take voluntary and responsible actions in 2024 to stay out of regulatory crosshairs.

Since 2011, DAAP has served as an independent accountability agent for the Digital Advertising Alliance (DAA), responsible for holding digital advertisers accountable when they fall short of their obligations to comply with the DAA’s Self-Regulatory Principles for online behavioral advertising and interest-based advertising (IBA).

 

2023 Case Highlights

Ticketmaster: Real-Time Enhanced Notice

DAAP’s Ticketmaster case (June 2023) involved implementing the DAA requirement that, whenever a website publisher allows third-party advertisers to collect user data for IBA, the publisher must notify consumers through “enhanced notice,” meaning a recognizable link on each webpage that is:

  • Separate and distinct from the website’s privacy policy link, and 
  • Clear, meaningful, and prominent.

 

Like many modern websites, ticketmaster.com uses a wide variety of divergent UI designs, requiring the company to be creative when providing real-time enhanced notice across all web pages. Ticketmaster decided to provide enhanced notice in multiple places with consistent “Ad Choices” language across the website to ensure users would have frictionless access to IBA disclosures from any page. In doing so, Ticketmaster demonstrated how companies can meet DAA obligations in a flexible manner by leveraging existing UI designs. 

With new state laws requiring specific disclosure link language, companies should avoid confusing consumers by adopting consistent and distinct language for DAA obligations such as “Ad Choices,” “Interest-based Advertising Choices,” or “My Privacy and Advertising Choices.”

Temu: Friction in IBA Disclosure Pathways

In DAAP’s case with Temu (August 2023), an online marketplace for third-party sellers, DAAP identified design practices that obstructed logged-out users from accessing privacy disclosures in violation of the DAA Principles’ enhanced notice requirement. If a user had not created an account or had not logged in, an opaque “sign in” popup would prevent access to the legal and IBA disclosures linked at the bottom of Temu webpages. 

The DAA Transparency Principle requires that real-time enhanced notice links provide consumers with a clear, meaningful, and prominent pathway to IBA disclosures; design elements that create friction in this pathway or that require user authentication before access fundamentally violate this requirement. Temu voluntarily resolved this matter by moving the design element and ensuring all consumers could access privacy-relevant disclosures regardless of sign-in status.

Etsy: Compliance Check-Ins

Like many companies, Etsy (October 2023), an online marketplace for third-party sellers, made changes to its privacy disclosures in anticipation of new state privacy law requirements. However, this resulted in its previous DAA-related disclosures being scattered across multiple webpages rather than presented together or in a dedicated space, as the DAA Principles require for disclosures to be clear to consumers.

DAAP monitors companies it has previously reviewed for compliance, particularly where significant changes are made to a product, new privacy laws are passed, or a new product is introduced to the market. In this case, DAAP opened a new inquiry focused on Etsy years after a previous case to bring it back into compliance. 

Sonobi: Advertiser Opt-Out Obligations

A consumer submitted a complaint to DAAP about Sonobi (December 2023), a third-party digital advertiser active across multiple media channels, alleging that Sonobi’s advertising servers did not respond to opt-out cookies. Even though Sonobi participates in the DAA and NAI third-party opt-out tool, changes to the underlying logic in Sonobi’s AdTech stack prevented Sonobi’s server from reading opt-out cookies set by consumers, and the server overwrote the opt-out cookie with a new personal identifier. Because Sonobi engages in cookie sharing with other third parties, this user identifier and certain browsing information were also passed to other advertisers as a result. Sonobi reengineered its servers to ensure that opt-out preferences were saved correctly.
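The failure mode described above can be caught with a regression check over captured ad-server request/response pairs. This is an added example, not Sonobi's or DAAP's code; the cookie name `adv_id`, the `OPTOUT` marker value, and the sample hosts are assumptions constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qsl

# Hypothetical names for illustration; real opt-out cookies differ per ad server.
ID_COOKIE = "adv_id"       # assumed: one cookie carries either an ID or the opt-out marker
OPT_OUT_VALUE = "OPTOUT"   # assumed opt-out marker value


def audit_exchange(request_cookie, set_cookie_headers, redirect_url=None):
    """Return findings for one ad-server request/response pair."""
    request = SimpleCookie()
    request.load(request_cookie or "")
    if ID_COOKIE not in request or request[ID_COOKIE].value != OPT_OUT_VALUE:
        return []  # browser has not opted out; nothing to enforce here

    findings, assigned_ids = [], set()
    for header in set_cookie_headers:
        response = SimpleCookie()
        response.load(header)
        if ID_COOKIE in response and response[ID_COOKIE].value != OPT_OUT_VALUE:
            new_value = response[ID_COOKIE].value
            findings.append(("opt-out overwritten", new_value))
            if new_value:
                assigned_ids.add(new_value)

    # Cookie syncing: the freshly assigned ID must not reach a partner URL.
    if redirect_url:
        target = urlsplit(redirect_url)
        for _key, value in parse_qsl(target.query):
            if value in assigned_ids:
                findings.append(("id shared with third party", target.hostname))
    return findings


# Constructed sample exchanges (not real traffic).
OPTED_OUT = "adv_id=OPTOUT; other=1"
HONORED = audit_exchange(OPTED_OUT, ["adv_id=OPTOUT; Path=/; Max-Age=157680000"])
REGRESSED = audit_exchange(
    OPTED_OUT,
    ["adv_id=9f3c2a71; Path=/; Domain=.ads.example"],
    redirect_url="https://partner.example/sync?uid=9f3c2a71",
)

if __name__ == "__main__":
    print("honored:", HONORED)
    print("regressed:", REGRESSED)
```

Running a check like this against replayed traffic after every change to cookie-handling logic surfaces both the overwrite and the downstream sharing before a consumer does.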

One of the key features of the DAA Principles is the requirement that third-party advertisers provide some method of consumer choice to opt out of future collection, with cookies historically being the predominant approach. However, with the deprecation of third-party cookies on Google Chrome in 2024, DAAP anticipates a significant shift in how tracking technologies will be deployed.

If a third-party advertiser only provides a limited opt-out or if its opt-out method continues to leak data due to a technical issue, this may violate the consumer control principle. Because the DAA Principles are technology neutral, consumer choice opt-outs will still be required even when cookieless tracking becomes a more common approach. 

Companies should consider the DAA’s recent 2024 guidance on this topic and think through how they will provide effective opt-out methods as part of their plans to shift to the next generation of tracking technologies. 

 

Trends to Stay Ahead of in 2024

Obtain Appropriate Opt-in Consent When Sharing Sensitive Data and Precise Geolocation Data with Advertisers

When collecting PII or browsing behavior from users for IBA purposes, the DAA Self-Regulatory Principles generally call for an opt-out privacy regime, where users can opt out of future collection by advertisers through an opt-out cookie or another appropriate opt-out mechanism. However, opt-in consent is required before collection in a handful of specific circumstances, as described next.

In 2022, DAAP released a compliance warning that reiterated and emphasized the conditions under which the DAA requires consent for data collection. Under the DAA Principles, opt-in consent is required before advertisers may collect or use:

  • Categories defined as sensitive data under the DAA Principles (such as financial account data, medical or prescription records, or data from a user under 13), 
  • Precise geolocation data collected from mobile devices and shared with third parties, and
  • Data that was previously collected before a material change to digital advertising practices.

 

In the compliance warning, DAAP stresses the importance of the DAA definition of consent, which requires user action in response to a clear and prominent notice about data collection practices and cannot be inferred from mere continued use of the product or service after notice. 

Stay Vigilant of DAA Enhanced Notice and Disclosure Requirements Separate from Consumer Privacy Laws

As companies have updated their privacy disclosures to align with the growing state privacy patchwork, they sometimes have left DAA disclosure obligations on the cutting room floor. Many cases this year dealt with the DAA enhanced notice requirements, which call on publishers and advertisers to provide real-time notice through a distinct link (separate from the “privacy policy” link) accessible on each webpage where third-party advertisers collect user data. This link must redirect users to a disclosure concerning IBA practices and advertiser opt-out mechanisms made available to the consumer (such as the DAA-developed third-party opt-out tool). 

Advertisers: Ensure Consumers Have Opt-Out Preference Control

Reports of the third-party cookie’s death have been grossly exaggerated over the years but may finally be becoming more accurate. Migration to the next generation of third-party tracking has already started in earnest, with many third-party advertisers offering new tracking solutions such as pixels, web beacons, or server-side tracking. These new tracking solutions should still offer consumers control and choice over their data. 

However, it is the responsibility of the third-party advertiser to provide some accessible means of preventing future collection to effectuate the consumer control principle. If there is no means of opting out for IBA collection, regardless of the tracking technology employed, the third party is in violation of this principle.

 

Stay Ahead of the Curve

Since its inception, DAAP has developed an interdisciplinary approach to monitoring the digital advertising market, ensuring that actors—both big and small—are aware of potential non-compliance, and will continue to hold advertisers, publishers, and service providers accountable to the DAA Principles. 

Any company involved in digital advertising should proactively assess whether its methods for transparency, consumer choice, and consent align with existing DAA guidance as part of an annual privacy compliance checklist.
