Digital Advertising Regulation 101

Note: The information contained in this document is for informational purposes only and should not be considered legal advice. This document may or may not reflect the most current legal developments and is not promised or guaranteed to be correct or complete. The purpose of this guide is to help digital advertisers and marketers become aware of the basic regulations that govern the industry.  It is not intended to be comprehensive in its explanation of these requirements, but rather to exemplify some of their important aspects.

How is digital advertising regulated?

What are the basic legal requirements businesses need to follow?

What state privacy laws should I be aware of?

What is the DAA Self-Regulatory Program?

What happens if an organization does not comply with federal and state law?

What happens if an organization does not comply with the DAA Principles?

What sector-specific rules are relevant to digital advertising?


How is digital advertising regulated?

In the United States, digital advertising is regulated by federal, state, and municipal laws, as well as self-regulation. At the federal level, the Federal Trade Commission (FTC) regulates the content of digital advertising and disclosures made in privacy policies through Section 5 of the FTC Act, which prohibits “unfair and deceptive acts or practices.” At the state level, a wide variety of laws address the requirement of a privacy policy, the content of privacy policies, mandatory data security safeguards, and notice requirements in the event of data breaches. Self-regulation, such as the Digital Advertising Alliance (DAA) Principles, supplements federal and state regulation and requires additional commitments from participating companies.

What are the basic legal requirements businesses need to follow?

The most prominent requirement to be aware of as an advertiser or marketer is Section 5 of the FTC Act, which states “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” Advertisements or claims that misrepresent or omit information that would be material to consumers could be considered “deceptive.” Ads that cause economic injury could be considered “unfair.” Advertisers must be able to substantiate advertising claims, express and implied, with “competent and reliable” evidence, including scientific data in some circumstances. The FTC has issued guidance to help advertisers comply with the Section 5 requirements. Additionally, the FTC recently updated its Dot Com Disclosures. These were first released in 2000 to provide guidance on how FTC statutes, rules, and guides apply to online advertising and sales. In 2013 the guidance was updated to account for technological changes from the preceding 13 years and further establish the FTC’s criteria in evaluating online advertising and sales.

Publishers and app developers should be aware that claims made on a website or app also are subject to FTC enforcement authority. The FTC has applied its “unfair and deceptive” standards to disclosures and omissions in website and app privacy policies.  To comply with FTC law, commercial websites and apps must not misrepresent, omit, or mislead consumers through their privacy policies. The FTC provides case highlights from previous consumer privacy consent orders to help companies better understand acceptable online practices.

With regard to mobile app policy, the FTC has published a guide to help mobile app developers adhere to basic privacy principles. Outlined in the guide are basic principles that should be considered when developing an app. They include, but are not limited to, the following: tell the truth about what the app can do, disclose key information clearly and conspicuously, build privacy considerations into the app from the start, offer choices that are easy to find and easy to use, honor your privacy promises, protect kids’ privacy, collect sensitive information only with consent, and keep user data secure. For a comprehensive list of these guidelines and a detailed explanation of each, please refer to the FTC’s guide “Marketing Your Mobile App, Get It Right from the Start”.

While there is no overarching federal law requiring website operators and app developers to have a privacy policy, there are some sectoral laws that require it. For instance, the Children’s Online Privacy Protection Act (COPPA) requires that entities collecting personal information from children under 13 must post a privacy policy that contains specified disclosures. Financial institutions that collect financial information are required by federal law to post website privacy policies. There are also specific requirements regarding the collection of personal health information. However, even if these federal requirements don’t apply, both as a best practice and to be in compliance with various state laws and industry standards (discussed below), most website operators and app developers now post privacy policies.

Several states have passed laws requiring websites that collect or sell personal information of state residents to have publicly available privacy policies on their site. The most prominent example of this is the California Online Privacy Protection Act of 2003 (CalOPPA) which requires website operators and app developers to conspicuously post a privacy policy that, among other things, identifies the categories of personally identifiable information collected about the site visitors and the categories of third parties with whom the website operator or app developer may share the information. Other prominent state laws are highlighted below.

What state privacy laws should I be aware of?

Forty-six states have laws on breach notification (as of July 1, 2013, all but Alabama, Kentucky, New Mexico, and South Dakota). Sixteen states have laws addressing spyware. Over 15 states have sectoral laws addressing the processing of financial, health, and insurance information. The following list highlights several prominent state laws that include requirements beyond breach notification. This list is not comprehensive.

California:

Online Privacy Protection Act (CalOPPA)

  • Requires commercial websites that collect personally identifiable information of California residents to conspicuously post a privacy policy that, among other things, identifies the categories of personally identifiable information collected about the site visitors and the categories of third parties with whom the website operator may share the information. Regarding mobile applications, the privacy policy must also be available within the app itself. An amendment to CalOPPA adopted in September 2013 (AB 370) added a requirement that websites disclose how they respond to “do not track” signals or other mechanisms that provide consumers a choice regarding the collection of personally identifiable information. Guidance on complying with this legislation is available here.

California Shine the Light Law

  • Requires for-profit businesses with 20 or more employees to notify customers, upon request, of the disclosure of their personal information to third parties for direct marketing purposes.  Upon such request businesses must provide the names and addresses of these third parties and indicate the nature of their businesses.  However, if a company provides a customer with a notice or privacy policy containing opt-out options or is a federal financial institution, it is not required to give a detailed account of its information sharing activity.  An overview of this law, and the definitions therein, can be found here.

Connecticut:

An Act Concerning the Confidentiality of Social Security Numbers

  • Requires any person who collects Social Security numbers in the course of business to adopt a privacy protection policy. The policy must be posted on a web page and must be designed to protect the confidentiality of Social Security numbers, prohibit unlawful disclosure of Social Security numbers, and limit access to Social Security numbers. 

Massachusetts:

Standards for the Protection of Personal Information of Residents of the Commonwealth

  • Requires every person who owns or licenses personal information about a resident of Massachusetts to “develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards…”

Nevada:

Nevada Personal Information Data Privacy Notification and Encryption Laws

  • Requires data collectors that accept payment cards and are doing business in Nevada to comply with the Payment Card Industry Data Security Standard. The law also prohibits businesses from electronically transmitting a customer’s personal information “outside of the secure system of the business,” or moving any data storage device containing a customer’s personal information “beyond the logical or physical controls” of the business unless the transmission or data storage device is encrypted.

Utah:

Notice of Intent to Sell Nonpublic Personal Information Act

  • Requires businesses to notify consumers when they intend to sell nonpublic personal information to a third party.

What is the DAA Self-Regulatory Program?

The Digital Advertising Alliance (DAA) Self-Regulatory Program is designed to help protect consumers’ ability to exercise notice and choice in ad-supported online media (i.e., the right to be notified of data collection and the choice of whether or not to consent to the collection). The DAA consists of the American Advertising Federation (AAF), American Association of Advertising Agencies (4A’s), the Association of National Advertisers (ANA), the Direct Marketing Association (DMA), the Network Advertising Initiative (NAI) and the Interactive Advertising Bureau (IAB) in conjunction with the Council of Better Business Bureaus (CBBB).

Currently, the DAA Self-Regulatory Program has issued Principles covering three areas: online behavioral advertising, the collection and use of multi-site data, and the collection and use of data in the mobile environment.

To find out how to participate in this program, visit the DAA’s website.

There are other self-regulatory programs and standards that exist to improve notice and choice for consumers. The IAB also provides a number of best-practice standards to which all of its members can adhere. For example, the IAB Native Advertising Playbook sets industry disclosure principles around native advertising. The Network Advertising Initiative (NAI) Code of Conduct requires members to provide notice and choice to consumers, and limits the types of data members can use for advertising purposes.

What happens if an organization does not comply with federal and state law?

The FTC investigates companies in violation of federal privacy statutes and FTC regulations, requiring respondents to come into compliance and to enter into long-term consent decrees. If a respondent fails to comply, the FTC may sue and seek civil penalties. An overview of the FTC’s investigative and law enforcement authority is available on the FTC’s website.

State laws are enforced by the respective state’s Attorney General, and penalties will vary. State Attorneys General often will have concurrent enforcement authority with the FTC to enforce certain federal statutes.

Some laws provide for a private right of action, which means that individual consumers have the right to sue a company for violations. When these rights exist, a violation risks class action litigation, where a lawsuit is brought on behalf of all consumers allegedly affected.

What happens if an organization does not comply with the DAA Principles?

The industry self-regulatory rules are administered and enforced by the Digital Advertising Alliance (DAA).  The Council of Better Business Bureaus (CBBB) and The Direct Marketing Association (DMA) work cooperatively to ensure accountability and enforcement of the DAA Self-Regulatory Program Principles.  When there is a possible violation by a member company that has announced its adherence to the Principles, companies will work with the DAA to come into compliance with the self-regulatory Principles.  If a company fails to cooperate, it faces possible suspension or expulsion from membership.  If you would like to learn more about Program enforcement, or to report a complaint, see the enforcement section of the DAA’s website.

What sector-specific rules are relevant to digital advertising?

Health Information

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to healthcare providers, insurers, and third-party business associates who handle and process health and medical information.  Some of the provisions of the HIPAA Privacy Rule are listed below:

  • Providing a detailed privacy notice at the date of first service delivery
  • Obtaining authorizations for use and disclosure for certain purposes outside the scope of treatment, payment, and operations
  • Making reasonable efforts to limit the use and disclosure of private health information to the minimum necessary to accomplish the entity’s intended purpose
  • Allowing individuals to access and copy their own private health information
  • Creating administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of private health information.

In addition to the HIPAA Privacy Rule, the HIPAA Security Rule establishes minimum security standards for covered entities that handle electronic private health information.  These standards are enumerated below:

  1. Ensure the confidentiality, integrity, and availability of all electronic private health information the covered entity creates, receives, maintains, or transmits
  2. Protect against any reasonably foreseen threats or hazards to the security or integrity of the electronic private health information
  3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule
  4. Ensure the entity’s workforce complies with the Security Rule.

When creating a reasonable level of security (as stated in the Security Rule), it is imperative that the covered entity accounts for the following factors:

  • The size, complexity, and capabilities of the covered entity
  • The covered entity’s technical infrastructure, hardware, and software security capabilities
  • The cost of security measures
  • The probability and criticality of potential risks to electronic protected health information.

Children’s Information

The Children’s Online Privacy Protection Act of 1998 (COPPA) regulates the online collection and use of children’s personal information by commercial website operators.  This applies both to the operators of commercial websites and online services directed to children under the age of 13 (including mobile application developers) and the general-audience websites and online services that have actual knowledge they are collecting personal information from children under the age of 13. The FTC considers many aspects of a website or app to determine whether it is directed to children and must comply with COPPA regulations, including the following factors: the subject matter; visual or audio content; the age of models on the site or app; language; whether advertising on the website or app is directed to children; information regarding the age of the actual or intended audience; and whether a site or app uses animated characters or other child-oriented features.

If an online service (website or app) is directed to children (as defined under COPPA), it is required to do the following, among other things:  

  • Post a clear and prominent link to a privacy notice on the homepage of the website and link to the privacy notice on every page where personal information is collected from children under 13.  For apps, link to a privacy notice that is clearly and conspicuously available within the app and where the app is downloaded or purchased.  COPPA requires specific disclosures in these privacy notices.
  • Notify parents of the site or app’s information collection practices
  • Obtain verifiable parental consent prior to collecting children’s "personal information" as defined by the FTC's COPPA regulations.
  • Allow parents to choose whether their children’s personal information will be disclosed to third parties
  • Provide parents access to and the opportunity to delete their children’s personal information, and opt out of future collection or use of the information
  • Refrain from conditioning a child’s participation in a game, contest, or other activity on the child’s disclosing more personal information than is reasonably necessary to participate in the activity
  • Maintain the confidentiality, security, and integrity of personal information collected from the children.

In addition to COPPA, certain states have adopted additional laws regarding children’s privacy.  Most notably, California’s  “Eraser Button” law (SB 568) further restricts the types of content that can be advertised to minors (persons under the age of 18) residing in California, and requires that they be able to remove content they posted on the website.  This law goes into effect on January 1st, 2015.

To encourage self-regulation of COPPA rules, the FTC created a “safe harbor” provision allowing industry groups to create self-regulatory guidelines for participating companies. The FTC has approved five safe harbor programs that implement COPPA protections, beginning with the Children’s Advertising Review Unit (CARU) of the Better Business Bureau.  The approved self-regulatory safe harbor programs are listed here.

Financial Information

There are several pieces of legislation that focus on the privacy of financial information:

  • The Fair Credit Reporting Act (FCRA) regulates the consumer reporting industry and establishes privacy rights in consumer reports.  This covers any agency that evaluates a consumer based on credit worthiness, reputation, and character to determine eligibility for credit, insurance, employment, or other purposes outlined in the statute. 
  • The Gramm-Leach-Bliley Act (GLBA) sets rules that facilitate data sharing between financial institutions, including personally identifiable financial information. Financial institutions are allowed to share this information with affiliates as long as customers are notified via general privacy policy; there is no requirement that a customer have the ability to opt out. Additionally, financial institutions are allowed to share the information with non-affiliated companies as long as individuals are first provided with the ability to opt out. These regulations do not apply to credit reporting agencies.