DMA OBA Guidelines

Online Behavioral Advertising (OBA)

Online behavioral advertising (OBA) refers to the collection of information about online activities and Web viewing behaviors, over time and across non-affiliate websites, to deliver tailored ads.  In a nutshell, OBA allows companies to match ads to a consumer’s interests, determined over time.

  • Relevant Ads Using Anonymous Data. OBA relies on anonymous, aggregated data to deliver an ad to a computer based on the computer browser’s activity, not the activities of a specific individual. Companies use cookies to make this happen.

  • Different from Contextual or “First Party” Advertising. OBA does not include “first party advertising,” in which no data is shared with third parties, or contextual advertising, where an ad is based on a single visit to a web page or a single search query.

  • It does not include ad reporting, the collection or use of information for statistical reporting, Web analytics/analysis and advertising metrics.

  • OBA Examples. Imagine that you are online and you visit five different sports websites and then a news website. You might see a sports ad on the news site, even though you’re reading about fashion.  You’re served that ad because your online behavior suggests you’re interested in sports. Or imagine that you are shopping for a birthday gift for your husband, a Star Trek fan. One month after his birthday, you might get ads about Star Trek served on your computer when you sign on.

DMA OBA Guidelines

Take the following steps to ensure appropriate collection and use of OBA information, thereby building consumer trust in the online space:

1. Publish a Privacy Policy and Abide by It.

Be transparent about your information collection and use practices for OBA purposes and allow consumer control over those practices. How?

  • Review your organization’s online privacy policy and ensure that it is easy to read and understand, and that it is consistent with your current information collection and use practices, especially in relation to any online behavioral advertising (OBA).

  • Make sure your website privacy policy is easily accessible and available prior to or at the time information used for online behavioral advertising purposes is collected.

  • If you operate a website and collect or use information for OBA purposes, include the following information in your online privacy policy:

    • What information you collect online for marketing purposes and how you use that information, including for online behavioral advertising purposes;

    • Whether you transfer information to third parties for use by them for their own marketing or online behavioral advertising purposes and the mechanism by which consumers can exercise choice not to have such information transferred;

    • Whether personally identifiable information is collected by, used by, or transferred to agents (entities working on your behalf) as part of the business activities related to the visitor’s actions on the site, including to fulfill orders or to provide information or requested services;

    • Whether you use cookies or other passive means of information collection, and whether such information collected is for internal purposes or transferred to third parties for marketing purposes, including online behavioral advertising purposes;

    • What procedures your organization has put in place for accountability and enforcement purposes; and

    • That your organization maintains appropriate physical, electronic, and administrative safeguards to protect information collected online.

  • In addition, refer to Article #32 (Personal Data) of DMA’s Guidelines to assure that marketing data are used only for marketing purposes. The DMA guidelines mandate that a consumer’s information is to be used only for marketing purposes.

  • For help with your privacy policy statement, use the DMA’s members-only privacy policy generators.

2. Provide An Enhanced Notice Link to Consumers and Honor Their Choices.

  • On any non-affiliate websites where you engage in OBA, provide a “notice and choice” button on the page where the data is collected, ideally via a link embedded in or around the advertisement itself.

  • Make sure this “notice and choice” button is easily accessible and links to (1) clear disclosures about your data collection and use practices for online behavioral advertising and (2) a choice for consumers about whether or not their information is collected for online behavioral advertising purposes.

  • Note: If you are a “service provider,” a term that refers to Internet access service providers and providers of desktop application software such as Web browser “tool bars,” you need to take extra precautions and obtain consumer consent before engaging in online behavioral advertising, as well as take steps to de-identify the data used for such purposes.  Refer to DMA’s OBA guidelines for full details on the requirements for service providers.

3. Ensure Reasonable Security and Limited Data Retention.

If your company collects, stores and/or uses consumer information for behavioral advertising, provide reasonable security to protect that information, and retain the information only as long as it is needed for a legitimate business or law enforcement purpose.  Consistent with DMA Guidelines:

  • Maintain appropriate physical, technical and administrative safeguards and use appropriate security technologies and methods to protect information collected or used online, and to guard against unauthorized access, alteration, or dissemination of personally identifiable information during transfer and storage.

  • Ensure that the level of security you provide is based on: the sensitivity of the information, the nature of your business operations, the types of risks your company faces, and the reasonable protections available to your company.

  • Require that employees and online behavioral advertisers, and your agents who have access to covered consumer data, use and disclose that information only in a lawful and authorized manner.

  • Establish information security policies and practices to assure the uninterrupted security of information systems.

  • Implement staff policies and training to protect consumer data handled in the everyday performance of duties.

  • Routinely reassess protective physical safeguards and technological measures.

  • Require business partners and service providers to maintain a level of security consistent with your own.

  • Inform those consumers who may be affected by a security breach where there is a reasonable likelihood of material harm.

4. Offer Notice and Choice for Material Changes to Your Policies.

DMA Guidelines require that a company keep its privacy promises, even if it decides to change its policies at a later date.  For example, if consumers have signed up for a service with the knowledge that data about their online behavior is going to be used in a specific way, then a company should ensure that data is used only in the manner to which the consumers agreed — or offer notice and choice if the company’s policy changes materially.

  • If your organization’s policy changes materially with respect to the collection and/or use of consumer information for OBA purposes, you should update your policy statement and give consumers clear and conspicuous notice, including an opportunity for consumers to select their preferences.

  • Ensure that your notice about the material changes is easy for consumers to find, read, understand and act upon. It is not enough to simply change the language in your online privacy policy.  For the notice to be truly conspicuous, you must take steps to bring consumers’ attention to the change.

  • As appropriate, employ technologies such as hyperlinks, frames and pop ups to provide conspicuous notice and bring attention to the material change.

  • Make sure that you have appropriate mechanisms available on your website to honor your website visitors’ choices regarding collection and use of covered consumer information for OBA purposes in accordance with your stated policy.

  • If you have promised to honor visitor choices for a specific time period, and if that time period subsequently expires, then provide that visitor with a new notice and choice.  Ensure that there is an online mechanism for visitors to exercise their choices.

5. Obtain Express Consent for Sensitive Information Collection.

Information collected from children and used for online behavioral advertising warrants heightened protection, as does certain health and financial data when attributable to a specific individual. Children’s, health and financial account information are regulated extensively under the Children’s Online Privacy Protection Act, the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act, respectively.  All marketers are encouraged to review these legal requirements to ensure compliance.  And all companies that collect sensitive data about consumers should obtain express consent from individuals to collect this data.

  • In a nutshell, in no instance should sensitive data be used for behavioral advertising unless the consumer has given consent.

  • If your organization has a site directed to children under the age of 13 or collects personally identifiable information from visitors known to be under 13 years of age, make sure you:

    • Review and comply with the Children’s Online Privacy Protection Act (COPPA) and the “Marketing to Children” articles of the DMA’s Guidelines.  DMA has created a COPPA Compliance Guide to assist members with compliance.

    • Obtain prior, verifiable parental consent for any behavioral advertising to consumers known to be under 13 on child-directed websites.

    • Even with the consent of parents, offers suitable for adults should not be made to children.  In determining the suitability of an online communication for children, online behavioral marketers should carefully address the age range, knowledge, sophistication and maturity of their intended audience.

  • For sensitive health or financial information that is attributable to a specific individual, be sure to:

  • DMA has extensive resources to help you do the right thing in all your marketing endeavors, as well as meet the above requirements.  For more information review DMA’s Guidelines for Ethical Business Practices.

6. Hold Your Company and Other Organizations Accountable.

The DMA has in place a strong self-regulatory program to ensure responsible practices and accountability in all marketing channels.  As part of this program, DMA’s Corporate & Social Responsibility (CSR) department and Board-level “Ethics Operating Committee” investigate and resolve complaints about potential violations of the DMA Guidelines.  DMA hears cases against both member and nonmember companies.

  • Learn more about DMA’s self-regulatory and compliance programs by visiting the Issues section of our site.

  • To report a company for potential non-compliance with the DMA’s OBA guidelines, please complete the DMA Ethics Complaint Form.

7. Help Educate Consumers, Your Service Providers and Other Businesses.

Education of both consumers and businesses is critical to alleviating potential privacy concerns caused by behavioral advertising and ensuring DMA members stay ahead of the regulatory curve.

Make sure you know what you need to do if you are a first party publisher, a third party, or a service provider by going to, the Advertising Option Icon and approved wording can be accessed at

Generate an OBA Privacy Policy

Support DMA, its members, and other industry partners in educating consumers, policymakers and regulators about the value of online behavioral advertising (OBA) and the mechanisms in place to provide consumers with notice and choice about OBA. Feel free to contact us directly.


Direct Marketing Association
Corporate & Social Responsibility (CSR) Department and Government Affairs

1615 L St. NW
Suite 1100
Washington, DC 20036-5624


Additional Resources

Digital Advertising Alliance’s (DAA) Self-Regulatory Program for Online Behavioral Advertising: