Yesterday, the Digital Advertising Alliance (DAA) announced the release of new “Self-Regulatory Principles for Multi-Site Data,” voluntary self-regulatory standards to govern the collection, use, and sharing of data concerning user activity across non-affiliated websites.  The DAA, an umbrella organization for advertising trade groups, already maintains self-regulatory principles for online behavioral advertising (OBA).  Notably, while the OBA Principles apply only to data collected for behavioral advertising purposes, the new Multi-Site Data Principles encompass all collections, use, and disclosure of multi-site data regardless of purpose.  The DAA expects its new principles will be implemented in 2012.

The new Multi-Site Data Principles, which are meant to supplement rather than supplant the existing OBA Principles, apply to “Multi-Site Data,” meaning data collected from a particular computer or device regarding web viewing over time and across non-affiliate web sites.  A summary of the Multi-Site Data Principles is below:

  • Transparency and Choice: A covered entity that collects or transfers Multi-Site Data for purposes other than OBA should provide consumers with transparency and choice, except where collected/used/shared for (a) operations and system management purposes, (b) market research or product development, or (c) where the data has or will within a reasonable time go through anonymization.  (Collections for OBA purposes are covered by the OBA Principles.)
  • Restrictions on Use:  Multi-Site Data should not be collected, used, or transferred to evaluate eligibility for employment, credit, health care treatment, or insurance, nor should it be collected, used, or transferred for insurance underwriting and pricing.
  • Sensitive Data:  Covered entities should not collect or use Multi-Site Data containing financial account numbers, Social Security numbers, pharmaceutical prescriptions, or medical records about a specific individual without opt-in consent, except for pharmaceutical prescriptions or medical records that are anonymized as set forth in HIPAA.  Collections from children under 13 must comply with COPPA where applicable.
  • Accountability: The Multi-Site Data Principles’ limitations are within the scope of the DAA self-enforcement accountability programs.

Please let us know if you have any questions regarding the new Multi-Site Data Principles or the OBA Principles.