DMA: Data and Marketing Association

DMA Interest-Based Advertising (IBA) Compliance Alert & Guidelines for Interest-Based Advertising

Interest-Based Advertising (IBA) refers to the collection of information about online activities and Web viewing behaviors, over time and across non-affiliate websites, to deliver tailored ads. In a nutshell, IBA allows companies to match ads to a consumer’s interests, determined over time.

  • Relevant Ads Using Anonymous Data. IBA relies on anonymous, aggregated data to deliver an ad to a computer based on the computer browser’s activity, not the activities of a specific individual. Companies use cookies to make this happen.
  • Different from Contextual or “First Party” Advertising. IBA does not include “first party advertising,” in which no data is shared with third parties, or contextual advertising, where an ad is based on a single visit to a web page or a single search query.
  • It does not include ad reporting, the collection or use of information for statistical reporting, Web analytics/analysis and advertising metrics.
  • IBA Examples. Imagine that you are online and you visit five different sports websites and then a news website. You might see a sports ad on the news site, even though you’re reading about fashion. You’re served that ad because your online behavior suggests you’re interested in sports. Or imagine that you are shopping for a birthday gift for your husband, a Star Trek fan. One month after his birthday, you might get ads about Star Trek served on your computer when you sign on.

DMA IBA Guidelines

Take the following steps to ensure appropriate collection and use of IBA information, thereby building consumer trust in the online space:

1. Publish a Privacy Policy and Abide by It.

Be transparent about your information collection and use practices for IBA purposes and allow consumer control over those practices. How?

  • Review your organization’s online privacy policy and ensure that it is easy to read and understand, and that it is consistent with your current information collection and use practices, especially in relation to any Interest-Based Advertising (IBA).
  • Make sure your website privacy policy is easily accessible and available prior to or at the time information used for Interest-Based Advertising purposes is collected.
  • If you operate a website and collect or use information for IBA purposes, include the following information in your online privacy policy:
    • What information you collect online for marketing purposes and how you use that information, including for Interest-Based Advertising purposes;
    • Whether you transfer information to third parties for use by them for their own marketing or Interest-Based Advertising purposes and the mechanism by which consumers can exercise choice not to have such information transferred;
    • Whether personally identifiable information is collected by, used by, or transferred to agents (entities working on your behalf) as part of the business activities related to the visitor’s actions on the site, including to fulfill orders or to provide information or requested services;
    • Whether you use cookies or other passive means of information collection, and whether such information collected is for internal purposes or transferred to third parties for marketing purposes, including Interest-Based Advertising purposes;
    • What procedures your organization has put in place for accountability and enforcement purposes; and
    • That your organization maintains appropriate physical, electronic, and administrative safeguards to protect information collected online.
  • In addition, refer to DMA’s Guidelines to assure that marketing data are used only for marketing purposes. The DMA guidelines mandate that a consumer’s information is to be used only for marketing purposes.

2. Provide An Enhanced Notice Link to Consumers and Honor Their Choices.

  • On any non-affiliate websites where you engage in IBA, provide a “notice and choice” button on the page where the data is collected, ideally via a link embedded in or around the advertisement itself.
  • Make sure this “notice and choice” button is easily accessible and links to (1) clear disclosures about your data collection and use practices for Interest-Based Advertising, and (2) a choice for consumers about whether or not their information is collected for Interest-Based Advertising purposes.
  • Note: If you are a “service provider,” a term that refers to Internet access service providers and providers of desktop applications software such as Web browser “tool bars,” you need to take extra precaution and obtain consumer consent before engaging in Interest-Based Advertising, as well as take steps to de-identify the data used for such purposes. Refer to DMA’s IBA guidelines for full details on the requirements for service providers.

3. Ensure Reasonable Security and Limited Data Retention.

If your company collects, stores and/or uses consumer information for behavioral advertising, provide reasonable security to protect that information, and retain the information only as long as it is needed for a legitimate business or law enforcement purpose. Consistent with DMA Guidelines:

  • Maintain appropriate physical, technical and administrative safeguards and use appropriate security technologies and methods to protect information collected or used online, and to guard against unauthorized access, alteration, or dissemination of personally identifiable information during transfer and storage.
  • Ensure that the level of security you provide is based on: the sensitivity of the information, the nature of your business operations, the types of risks your company faces, and the reasonable protections available to your company.
  • Require that employees and online behavioral advertisers, and your agents who have access to covered consumer data, use and disclose that information only in a lawful and authorized manner.
  • Establish information security policies and practices to assure the uninterrupted security of information systems.
  • Implement staff policies and training to protect consumer data handled in the everyday performance of duties.
  • Routinely reassess protective physical safeguards and technological measures.
  • Require business partners and service providers to maintain a level of security consistent with your own.
  • Inform those consumers who may be affected by a security breach where there is a reasonable likelihood of material harm.

4. Offer Notice and Choice for Material Changes to Your Policies.

DMA Guidelines require that a company keep its privacy promises, even if it decides to change its policies at a later date. For example, if consumers have signed up for a service with the knowledge that data about their online behavior is going to be used in a specific way, then a company should ensure that data is used only in the manner to which the consumers agreed — or offer notice and choice if the company’s policy changes materially.

  • If your organization’s policy changes materially with respect to the collection and/or use of consumer information for IBA purposes, you should update your policy statement and give consumers clear and conspicuous notice, including an opportunity for consumers to select their preferences.
  • Ensure that your notice about the material changes is easy for consumers to find, read, understand and act upon. It is not enough to simply change the language in your online privacy policy. For the notice to be truly conspicuous, you must take steps to bring consumers’ attention to the change.
  • As appropriate, employ technologies such as hyperlinks, frames and pop ups to provide conspicuous notice and bring attention to the material change.
  • Make sure that you have appropriate mechanisms available on your website to honor your website visitors’ choices regarding collection and use of covered consumer information for IBA purposes in accordance with your stated policy.
  • If you have promised to honor visitor choices for a specific time period, and if that time period subsequently expires, then provide that visitor with a new notice and choice. Ensure that there is an online mechanism for visitors to exercise their choices.

5. Obtain Express Consent for Sensitive Information Collection.

Information collected from children and used for Interest-Based Advertising warrants heightened protection, as does certain health and financial data when attributable to a specific individual. Children’s, health and financial account information are regulated extensively under the Children’s Online Privacy Protection Act, the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act, respectively. All marketers are encouraged to review these legal requirements to ensure compliance. And all companies that collect sensitive data about consumers should obtain express consent from individuals to collect this data.

  • In a nutshell, in no instance should sensitive data be used for behavioral advertising unless the consumer has given consent.
  • If your organization has a site directed to children under the age of 13 or collects personally identifiable information from visitors known to be under 13 years of age, make sure you:
  • For sensitive health or financial information that is attributable to a specific individual, be sure to:
    • Obtain consent for behavioral advertising. This means that you should not collect or use, for example, financial account numbers, Social Security numbers, pharmaceutical prescriptions, or medical records about a specific individual for Interest-Based Advertising purposes without prior express consent.
    • Comply with DMA’s Guidelines.
    • Review and comply with applicable federal and state laws, such as the Health Insurance Portability & Accountability Act (HIPAA) and Gramm-Leach-Bliley Act (GLBA). DMA has created Compliance Guides for HIPAA and GLBA, respectively, to assist members.
  • DMA has extensive resources to help you do the right thing in all your marketing endeavors, as well as meet the above requirements. For more information, review DMA’s Guidelines for Ethical Business Practices.