Digital Advertising & Consumer Privacy: Self-Regulation to Shine in 2025
Nina-Belle Mbayu, Counsel, Privacy Technology, Privacy Initiatives, BBB National Programs
BBB National Programs’ Digital Advertising Accountability Program (DAAP) is the independent watchdog for the Digital Advertising Alliance (DAA), responsible for holding digital advertisers accountable when they fall short of their obligations to comply with the DAA’s Self-Regulatory Principles for online behavioral advertising and interest-based advertising (IBA).
Each year, DAAP’s cases reflect common challenges faced by advertisers across industries and, in the past year – more than ever – the program reinforced its commitment to responsible data protection practices in advertising, tackling key issues in transparency, consumer choice, and responsible data use.
Over the course of 2024 and continuing into 2025, DAAP examined how companies handle targeted ads, ensured platforms provide clear opt-out options, and strengthened notice to consumers, helping to foster a more consumer-conscious and trustworthy digital advertising landscape. The following cases are illustrious examples of the impact of DAAP’s work.
LexisNexis: Streamlining Enhanced Notice
DAAP’s LexisNexis case identified gaps regarding enhanced notice across LexisNexis’ multiple websites and platforms. Enhanced notice requires website publishers that allow third-party advertisers to collect data for IBA to provide consumers with a clear, meaningful, and prominent link focused on ad choices, a link that is separate and distinct from the website’s privacy policy link.
LexisNexis worked with DAAP to streamline its enhanced notice mechanisms across websites by adding an “Ad Choices” footer link that directs users to the IBA disclosures. This allows consumers to receive enhanced notice regardless of the LexisNexis platform or website they choose to visit.
Indeed & Glassdoor: Shared Privacy Center, Sharing Enhanced Notice
Sharing HR tech is not just about convenience – it is about committing to similar transparency standards. In our Indeed and Glassdoor case, DAAP’s inquiry revealed that the companies (both subsidiaries of Recruit Holdings) shared a HR Tech Privacy Center that lacked consistent and prominent enhanced notice. This could lead to user confusion and noncompliance with industry standards, which are especially needed for data-heavy job recruitment platforms.
Both companies cooperated with DAAP to ensure enhanced notice for IBA through their Privacy Center’s Ad Choices page. This case underscored the need for companies sharing a privacy tech center portal to implement clear enhanced notice across all shared digital properties. By doing so, companies can provide users with transparent information about data collection practices, offer straightforward options to opt out of IBA, and promote consumer trust.
Azerion: Co-Regulation at Play for Children’s Games
The Azerion case highlighted the intersection between federal law and industry self-regulation, as well as joint activities between DAAP and BBB National Programs’ Children’s Advertising Review Unit (CARU). Specifically, the case illustrated how a company’s data collection and advertising practices can lead to noncompliance with the Protection Act Principle.
Azerion’s gaming site, www.agame.com, hosted IBA on a site that included child-directed content, without a separate log-in or age-gating procedure for children to access the content. It also hosted in-game chat features that children could use to divulge personal information. In addition, the site had scattered, unclear notice of IBA-relevant information.
In response to DAAP’s inquiry, Azerion created a subdomain with an age gate to screen users under 13 years old (the definition of a “child” under COPPA). This child-focused subdomain does not have any advertising, nor does it have in-game chat features, addressing both COPPA concerns and DAA’s Sensitive Data Principle. In addition, Azerion added an enhanced notice footer to the adult subdomain, furthering compliance with the DAA Principles. Companies with products or services that may be legally defined as “directed to children” should consider similarly broad measures as best practice.
SHEIN: Flexibility in [Web] Design
Involving one of the most popular retailers in the world, DAAP’s SHEIN case ensured millions of consumers receive appropriate, timely “enhanced notice” that their data is being collected for third-party IBA. To illustrate, SHEIN’s website had scattered references of the required IBA information, and its mobile properties had similar issues. DAAP worked with SHEIN to ensure the required IBA information is presented clearly and concisely in one section.
SHEIN added an “Ad Choices” footer to its desktop website (removing an infinite scroll feature that was making it nearly impossible for a consumer to scroll to the footer) and modified its mobile website to include an “Ad Choices” link in its “hamburger” menu. Additionally, SHEIN changed the “Privacy Policy” link in the app stores to include prominent IBA notice and give consumers direct access to IBA information.
Any company involved in digital advertising should proactively assess whether its methods for transparency, consumer choice, and consent align with existing DAA guidance as part of an annual privacy compliance checklist.
BBB National Programs’ Digital Advertising Accountability Program (DAAP) is the independent watchdog for the Digital Advertising Alliance (DAA), responsible for holding digital advertisers accountable when they fall short of their obligations to comply with the DAA’s Self-Regulatory Principles for online behavioral advertising and interest-based advertising (IBA).
Each year, DAAP’s cases reflect common challenges faced by advertisers across industries and, in the past year – more than ever – the program reinforced its commitment to responsible data protection practices in advertising, tackling key issues in transparency, consumer choice, and responsible data use.
Over the course of 2024 and continuing into 2025, DAAP examined how companies handle targeted ads, ensured platforms provide clear opt-out options, and strengthened notice to consumers, helping to foster a more consumer-conscious and trustworthy digital advertising landscape. The following cases are illustrious examples of the impact of DAAP’s work.
LexisNexis: Streamlining Enhanced Notice
DAAP’s LexisNexis case identified gaps regarding enhanced notice across LexisNexis’ multiple websites and platforms. Enhanced notice requires website publishers that allow third-party advertisers to collect data for IBA to provide consumers with a clear, meaningful, and prominent link focused on ad choices, a link that is separate and distinct from the website’s privacy policy link.
LexisNexis worked with DAAP to streamline its enhanced notice mechanisms across websites by adding an “Ad Choices” footer link that directs users to the IBA disclosures. This allows consumers to receive enhanced notice regardless of the LexisNexis platform or website they choose to visit.
Indeed & Glassdoor: Shared Privacy Center, Sharing Enhanced Notice
Sharing HR tech is not just about convenience – it is about committing to similar transparency standards. In our Indeed and Glassdoor case, DAAP’s inquiry revealed that the companies (both subsidiaries of Recruit Holdings) shared a HR Tech Privacy Center that lacked consistent and prominent enhanced notice. This could lead to user confusion and noncompliance with industry standards, which are especially needed for data-heavy job recruitment platforms.
Both companies cooperated with DAAP to ensure enhanced notice for IBA through their Privacy Center’s Ad Choices page. This case underscored the need for companies sharing a privacy tech center portal to implement clear enhanced notice across all shared digital properties. By doing so, companies can provide users with transparent information about data collection practices, offer straightforward options to opt out of IBA, and promote consumer trust.
Azerion: Co-Regulation at Play for Children’s Games
The Azerion case highlighted the intersection between federal law and industry self-regulation, as well as joint activities between DAAP and BBB National Programs’ Children’s Advertising Review Unit (CARU). Specifically, the case illustrated how a company’s data collection and advertising practices can lead to noncompliance with the Protection Act Principle.
Azerion’s gaming site, www.agame.com, hosted IBA on a site that included child-directed content, without a separate log-in or age-gating procedure for children to access the content. It also hosted in-game chat features that children could use to divulge personal information. In addition, the site had scattered, unclear notice of IBA-relevant information.
In response to DAAP’s inquiry, Azerion created a subdomain with an age gate to screen users under 13 years old (the definition of a “child” under COPPA). This child-focused subdomain does not have any advertising, nor does it have in-game chat features, addressing both COPPA concerns and DAA’s Sensitive Data Principle. In addition, Azerion added an enhanced notice footer to the adult subdomain, furthering compliance with the DAA Principles. Companies with products or services that may be legally defined as “directed to children” should consider similarly broad measures as best practice.
SHEIN: Flexibility in [Web] Design
Involving one of the most popular retailers in the world, DAAP’s SHEIN case ensured millions of consumers receive appropriate, timely “enhanced notice” that their data is being collected for third-party IBA. To illustrate, SHEIN’s website had scattered references of the required IBA information, and its mobile properties had similar issues. DAAP worked with SHEIN to ensure the required IBA information is presented clearly and concisely in one section.
SHEIN added an “Ad Choices” footer to its desktop website (removing an infinite scroll feature that was making it nearly impossible for a consumer to scroll to the footer) and modified its mobile website to include an “Ad Choices” link in its “hamburger” menu. Additionally, SHEIN changed the “Privacy Policy” link in the app stores to include prominent IBA notice and give consumers direct access to IBA information.
Trends to Stay Ahead of in 2025
- Enhanced Notice and Opt-in Consent for Precise Geolocation Data: As mentioned in DAAP’s 2023 Case Highlights blog, the DAA Principles stress the importance of providing opt-in consent for special categories of data, including sensitive data. Sensitive data includes precise geolocation data, which requires initial notice and consent from the consumer as well as repeated consent prior to its collection and sharing with third parties for interest-based advertising. In fact, DAAP recently closed a case following an extensive review of the National Football League’s (NFL) websites and mobile applications. Specifically, in addition to enhanced notice issues, some NFL teams’ mobile apps did not include clear language for opt-in consent to track precise location for IBA. DAAP worked with the NFL to update the teams’ location-based splash screens that appear before users are prompted to opt-in for location data collection. The new splash screens now include an enhanced notice link directing users to information about IBA, and how location data can be shared with third-party advertisers. Watch the webinar on geolocation in digital advertising best practices.
- Oversight of Third-Party Vendors: Companies can’t take a “hands-off” approach when it comes to third-party vendors handling consent management (as discussed in our Ticketmaster case), data collection, and privacy compliance. Even if a third-party vendor manages consent mechanisms for IBA, companies remain accountable for gaps in compliance. Additionally, FTC cases such as Marriott and Starwood (2024) and Ascension Data & Analytics (2022) show that regulators can pursue companies for their lack of oversight over their acquired business portfolios and third-party vendors. Businesses should implement robust oversight measures, contractual safeguards, and audits to reduce legal risks and reputational harm.
- Data Brokers and Authorized Agents: Like third-party vendors, data brokers that sell consumer information and authorized agents that manage privacy requests for consumers play a huge role in compliance management. Data brokers often collect and sell consumers’ personally identifiable information (PII) without consumer consent or control, raising concerns about transparency, data misuse, and difficulty opting out of such data collection. Authorized agents act on behalf consumers, which can lead to unauthorized activity, and some states’ lack of privacy laws may render agents’ requests useless. Such companies should also implement strong oversight through verification and consent procedures, opt-out tools, security measures, and routine audits.
- Digital Political Advertising and Political Advertiser Enhanced Notice: On the heels of the last election and looking ahead to midterms, political advertisers should be aware of the unique political advertisement notice that the DAA requires for paid political ads placed on desktop and mobile websites. For example, DAAP’s new Compliance Guidance for Political Advertising includes our tips and guidelines for responsible political advertising, helping voters make informed decisions.
Stay Ahead of the Curve
Since its inception, DAAP has developed an interdisciplinary approach to monitoring the digital advertising market, ensuring that actors—both big and small—are aware of potential non-compliance, and will continue to hold advertisers, publishers, and service providers accountable to the DAA Principles.Any company involved in digital advertising should proactively assess whether its methods for transparency, consumer choice, and consent align with existing DAA guidance as part of an annual privacy compliance checklist.