Purpose
The IAB, in furtherance of its mission to promote Interactive Advertising and Commerce, seeks to establish guidelines for member organisations that set minimum acceptable standards for protecting the privacy of online users. These standards will serve as guidelines by which IAB member organisations can establish individual privacy policies while ensuring the privacy of users is uniformly protected.
Members of the IAB will be required to establish, post and conform to an online privacy policy. These policies will be designed to protect information that can be associated with an individual (personal identifiable information) in an online or electronic commerce environment.
The specific member policies can be customised and enhanced as appropriate for each site’s particular needs. However, with respect to the elements listed above, all policies will meet the minimum standards established by the IAB. These minimum standards are described below.
Adoption and Implementation of a Privacy Policy
An organisation engaged in online activities or electronic commerce has a responsibility to adopt and implement a policy for protecting the privacy of personal identifiable information (PII). Organisations should also take steps to foster the adoption and implementation of effective online privacy policies by the organisations with which they interact, which includes sharing best practices with business partners and/or advertising customers. IAB members are required to undertake the following:
- Post privacy policies prior to the collection of PII, and ensure policies are provided to users at the time such information is collected. Organisations that do not currently have a privacy policy in place must develop a policy that is in compliance with these guidelines.
- Develop and incorporate awareness programs to educate business partners and site visitors on privacy and the IAB Privacy Guidelines. For example, include a summary explanation of the IAB and its Privacy Guidelines within the privacy policy, in addition to providing a link to the IAB Web site and/or providing additional Frequently Asked Questions (FAQs) to further educate business partners and site visitors.
- Take steps to ensure the corporate privacy policy is consistent with the online privacy statement.
Notice and Disclosure
An organisation must provide a clear and conspicuous link to the privacy policy from the Web site home page and from any page that collects PII. In addition, a link to the Privacy Statement should be clearly identifiable from the home page (i.e. in the first or second frame) and subsequently referenced as a link in the Web site footer throughout the Web site. On pages collecting PII, it is recommended that, prior to information collection, a brief notice of the purpose of collection is disclosed, including a link to the most relevant disclosure section of the privacy statement (e.g., Notice and Disclosure).
An organisation must provide notification of when its privacy policy was last amended by posting an "as of" date at the top of the policy to reflect the last time it was changed.
The policy must state clearly:
- What information is being collected and the purpose for this information collection
- All of the methods of how this information is collected. For example, via a registration process, sweepstakes and/or a feedback form
- The use of that information and how the organisation will use the PII collected for future marketing to the individual
- Possible third-party distribution of that information. In the event information is being disclosed to third parties, the policy should make reference to what information is disclosed, why this disclosure takes place, and the relationship of the organisation to the third party
- The choices available to an individual regarding collection, use and distribution of the collected information and how to exercise these choices
- The consequences, if any, of an individual's refusal to provide information
- What steps the organisation takes to ensure data quality and access
- A statement of the organisation's commitment to data security
- Whether the organisation supplements the PII collected with its own data or with information sourced from third parties, including the use of aggregated data. For example, the use of demographic or marketing-based data acquired from third parties
- What accountability mechanisms the organisation uses. For example, measures such as internal or external reviews, or privacy audits, that the organisation takes to assure compliance with its privacy policy
- How and whom to contact within the organisation with privacy-related questions or concerns
- For sites using a third-party ad server, information regarding the privacy policy and practices of that third-party ad server. This should be done via a link to that company's privacy policy, which should adhere to the forthcoming Online Privacy Alliance (OPA) and Network Advertising Initiative (NAI) guidelines
The IAB member organisation’s privacy policy should make reference to the use of technologies such as cookies and log files, and explicitly state what this technology is, what information it collects and how this information is used by the organisation. The policy should also provide site users with guidance on how they can opt-out of the use of this technology.
If information such as click stream data is collected and it is to be associated with an individual’s PII, this should be disclosed in the privacy policy. The organisation should also take steps to educate site visitors about how this will occur and how they can opt-out.
Choice and Consent
Individuals must be given the opportunity to exercise choice regarding how PII collected from them online may be used. IAB members should provide users with the ability to opt-out of the following circumstances:
- Where information is to be used for a purpose unrelated to the purpose for which it was originally collected
- The collection of information, such as click stream data, that could be associated with their PII
- The use of an individual’s PII for future marketing initiatives
- The sharing of an individual’s PII with third parties
The IAB recognises that certain information is especially sensitive and would encourage websites and online organisations with access to such sensitive information to get explicit approval from a user prior to the redistribution or use of this information. Sensitive information would include but not be limited to financial and medical information. Organisations must provide an "opt-in" to users in order to collect and/or redistribute sensitive information.
In an effort to ensure appropriate use of e-mail for marketing purposes, the IAB would establish as a minimum standard an opt-in policy for the redistribution or use of e-mail addresses.
Recognising the need to protect minors, IAB members must comply with the requirements set forth by the Children’s Online Privacy Protection Act (COPPA). Organisations should adopt a minimum standard requiring parental consent before a website or organisation knowingly collects, uses, or redistributes information gathered on or from a minor, that is, an individual under the age of 13. An organisation’s privacy policies should make a statement about the organisation's compliance with COPPA requirements.
Data Quality and Access
Organisations creating, maintaining, using or disseminating individually identifiable information should take reasonable steps to assure that the data are accurate, complete, relevant and timely for the purposes for which they are to be used.
Organisations should take reasonable steps to provide users with the appropriate processes or mechanisms to access PII they have provided to the website in order to correct inaccuracies in material information, such as account or contact information. In addition, these processes and mechanisms should be simple and easy to use, and provide assurance that inaccuracies have been corrected. These processes should be documented in the privacy policy.
Organisations should take other reasonable steps to assure the quality of the data collected. This includes obtaining it from reliable and reputable sources, providing reasonable and appropriate consumer access and correction mechanisms, and developing protections against accidental or unauthorised alteration.
Organisations should disclose within the policy the length of time for which PII will be stored. This timeframe should be long enough for individuals to access the information and make any necessary changes, but not so long that the information may no longer be valid or current. Information should not be retained when it is no longer being used.
Limited Use
Organisations' privacy policies must make reference to why PII is being collected and how it will be used. The use of PII should be limited to the original purpose specified for its collection.
If information is to be used for a purpose not originally specified at the time of collection, or the use of the information changes over the course of time, individuals should be clearly notified of this. Individuals should also be provided with a clear and easy way to opt-out of this additional information use.
The organisation’s privacy policy should also make a statement in relation to the use and disclosure of information if it is required by law through a subpoena, search warrant or other legal process. In this instance, this disclosure may take place without the individual’s consent.
Data Security
Organisations creating, maintaining, using or disseminating individually identifiable information should take appropriate measures to assure its reliability and should take reasonable precautions to protect it from loss, misuse or alteration. The organisation should make use of industry-standard security procedures, such as the use of Secure Sockets Layer (SSL) for the transmission of sensitive information. A disclosure to this effect should be made in its privacy policy.
Organisations should take reasonable steps to assure that third parties to which they transfer such information are aware of these security practices, and that the third parties also take reasonable precautions to protect any transferred information.
Trans-border Data Flows
Any organisation involved in the flow of PII with European-based countries should ensure it is in compliance with the Department of Commerce International Safe Harbor Principles. The IAB Privacy Guidelines have been developed in compliance with these principles; however, there are additional steps that the organisation must take to ensure it is in compliance. Any organisation that provides PII to third parties must verify that the third party is either governed by the European Directive, or is in compliance with the International Safe Harbor Principles and provides the same level of privacy protection as required by the principles.
These guidelines are not intended to apply to proprietary, publicly available or public record information, nor to supersede obligations imposed by statute, regulation or legal process.
