CAP is currently consulting on changes to its rules on the collection and use of data for marketing. These changes are intended to ensure that its rules cover data protection issues most relevant to marketing, and that they are aligned with the standards introduced by the General Data Protection Regulation (679, the GDPR). The consultation will close at 5pm on 19 June 2018.
From 25 May 2018, when the GDPR is enforceable, until CAP introduces new rules, the ASA will not administer the existing rules in section 10 and Appendix 3 of the CAP Code. If the ASA receives complaints during this time, it will make advertisers aware of the complaint and issues raised, and ensure that they are aware that they must be complying with the GDPR. CAP encourages members of the public and businesses to find more information about their legal rights and obligations at www.ico.gov.uk .
Marketers and third parties (defined below) must have regard to privacy and data protection laws. Specifically, they must take note of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 and the Data Protection Act 1998. Guidance on how to comply with privacy and data protection legislation is frequently issued and updated by the Information Commissioner's Office (ICO). The rules set out below are not designed to provide compliance with the law and companies should seek their own legal advice when working to comply with privacy and data protection legislation.
The rules in this section aim to secure transparency and control for consumers in the use by any third party of Online Behavioural Advertising (OBA) (defined below). The rules require a third party to provide notice to web users in or around an online display advertisement if they are undertaking OBA. The notice should link to a relevant mechanism whereby a web user can opt out of the collection and use of web viewing behaviour data for OBA purposes by that third party or that third party and other parties. These rules are integral to a pan-European initiative - the European Advertising Standards Alliance (EASA) Best Practice Recommendation and an EU industry Framework. Further information can be found here:
"OBA" means: the collection by a third party over a period of time of web viewing behaviour data from a particular computer which takes place across multiple web domains not under common control, and which is used by the third party to deliver advertising to that particular computer based on the preferences or interests inferred from the data by the third party's technology. (These preferences or interests are often categorised into "interest segments" which are then used to target multiple web users with a specific preference or interest.)
The definition above encompasses behavioural re-targeting whereby display advertisements may be served to consumers who have shown a previous interest in a product but may not have made a purchase.
A "third party" is an organisation that engages in OBA (i.e. collects and uses web viewing behaviour data for the purposes of OBA) via websites other than those that it or an entity with which it is under common control owns or operates.
The rules in this section do not apply to: contextual advertising; web analytics; ad reporting or ad delivery; the collection and use of information for behavioural advertising by web site operators on their own website(s) or the use of OBA in rich media, in-stream videos online or on mobile devices.
To ensure that consumers are made aware of, and can exercise choice over, the collection and use of information for the purposes of OBA, third parties must:
give a clear and comprehensive notice about the collection and use of web viewing behaviour data for the purposes of OBA on their own website, including how a web user can opt out from having web viewing behaviour data collected and used for this purpose. The notice should also link to a relevant mechanism that allows the consumer to opt out of the collection and use of web viewing behaviour data for OBA purposes by that third party or that third party and other third parties
give a clear and comprehensive notice that they are collecting and using web viewing behaviour data for the purposes of OBA, either in or around the display advertisement delivered using OBA. The notice should link to a relevant mechanism whereby a web user can opt out of the collection and use of web viewing behaviour data for OBA purposes by that third party or that third party and other third parties
not create interest segments specifically designed for the purpose of targeting OBA to children aged 12 or under.
Third parties that use technology to collect and use information about all or substantially all websites that are visited by web users on a particular computer in order to deliver OBA to that computer must obtain explicit consent from web users before doing so.