Business Practices Working Group
The Partnership has released a draft of the business use cases developed by the Business Practices Working Group early for industry feedback. That draft can be found here.
Technology Standards Working Group
With the loss of third-party cookies across all browsers, and with imminent changes to mobile ad IDs, IAB Tech Lab has been collaborating with the ad and media industry to develop privacy-preserving specifications and best practices to support the development of open-source and proprietary solutions.
In partnership with PRAM, Tech Lab has released initial specifications and best practices to support re-architecting digital media for addressability, accountability and privacy.
The following standards are now in public comment:
Communications and Education Working Group
The Communications and Education Working Group provides consultative materials for brands and their partners to understand our changing landscape and enable them to efficiently and effectively optimize the use of data before, during and after these changes take place with standards, principles, processes and solutions.
PRAM Quarterly Update: April 21, 2021
PRAM Quarterly Update: December 18, 2020
Privacy, Policy, and Legal Working Group
This team of cross-functional subject matter experts met regularly to discuss, debate, and align on the following Policy Framework for Addressable Media Identifiers (AMIs) which was then published on 2/24/22.
The digital marketplace relies on third-party cookies for vital marketing and operational purposes, including providing relevant content and advertising to consumers and advertising measurement to businesses. Third-party cookies have been a large part of the remarkable and unprecedented development and growth of the Internet revolution and corresponding benefits for consumers. Certain Internet browser owners want the digital media marketplace to transition away from third-party cookies. Their concern is due in part to the perception that there are limited controls on how third-party cookies may be used in the marketplace.
In efforts to preserve some of the beneficial functionalities of third-party cookies and add new privacy safeguards, participants in the digital media ecosystem are actively exploring a number of alternatives, including on-device processing (e.g., device-based Topics), panel-based feedback, multi-party computation, and other solutions that aim to support ad-funded access to digital properties and help marketers connect with consumers and deliver relevant messages and content to them. Alternatives are in early stages, and it will take time to assess their effectiveness and role in the marketplace.
The policy framework (“Framework”) set forth below establishes a standardized governance for the provision and use of interoperable Addressable Media Identifiers (“AMIs”) for the digital media ecosystem. AMIs approved to operate under this Framework will be limited in use to very specific parameters of permitted uses. The Framework explicitly prohibits the use of certified AMIs for any other purpose not defined herein, and it will integrate accountability measures to help ensure AMIs are used for only authorized and responsible purposes. In addition, the Framework prohibits the use of AMIs with certain types of data and requires additional opt-in consent for defined sensitive data. As a result, the Framework directly addresses privacy concerns to help ensure that AMIs are used in responsible and privacy-protective ways.
The Framework also provides expanded choice options to meet the broad and varying requirements and needs of differing jurisdictions, legal and regulatory codes, and business imperatives. For example, in the U.S., state laws have been designed to support an opt-out approach to targeted, addressable media. In contrast, the EU applies a more opt-in centered consent regime. Recognizing those differing compliance requirements, as well as the different addressability preferences and needs of each business, the Framework enables each entity within the addressable media supply chain to select to apply either an opt-in or opt-out approach, as appropriate for that entity and jurisdiction within which it operates. This is a new and very meaningful means of protecting privacy by businesses. It is recognized that technology solutions supporting these types of choices are just beginning to be designed within the ecosystem. The principles and accountability included in this Framework would become effective with respect to these choices upon deployment and adoption of such solutions in compliance with the Framework.
The Framework for AMIs will be incorporated into the Digital Advertising Alliance’s Self-Regulatory Program and will be backed by the enforcement of its accountability programs. The Framework and the principles therein govern the provision and use of DAA-certified AMIs. This Framework governs only AMIs recognized by DAA, and it is intended to apply to any such AMIs that are used in any medium or channel including, but not limited to, mobile devices, web browsers, connected television, addressable audio, and other smart connected devices.
A goal of the creation of this Framework is for browsers, operating systems, and other technologies that are essential to functionality of addressable media to permit AMIs that comply with the requirements of the Framework. Similarly, this Framework can provide a structure that can be adopted in potential regulatory regimes to help a responsible addressable media marketplace.
A. Addressable Media Identifiers - A mechanism to directly identify and recognize an individual or an individual user’s browser, application, or device.
1. Consumer Control - Use of Addressable Media Identifiers for Online Behavioral Advertising and/or Retargeting is subject to a consumer’s Opt-In Consent or Opt-Out Consent.
2. Business Control - An Entity may select an audience for Online Behavioral Advertising and/or Retargeting that is comprised of consumers that provided Opt-In Consent and/or consumers who are subject to Opt-Out Consent, and entities should honor those consent preferences.
3. Opt-In Consent - Opt-In Consent means an individual’s agreement in response to a clear, meaningful, and prominent notice regarding the use of the Addressable Media Identifier in accordance with the Section II.B. Entities that receive Opt-In Consent should provide a means to withdraw such Consent. An entity that receives Addressable Media Identifiers from another entity shall obtain reasonable assurances from the other entity that Opt-In Consent has been acquired from the consumer for the collection, use, and transfer of data to other entities. Opt-In Consent may be combined with other Opt-In Consents obtained in accordance with the Framework provided Opt-In Consent is presented in a clear, meaningful, and prominent manner.
4. Opt-Out Consent - Opt-Out Consent means the ability to exercise choice regarding the use of the Addressable Media Identifier in accordance with Section II.B. Such choice should be described in the enhanced notice described in Section V.B. and the notice described in Section V.A.
5. Control Preference
i. Data obtained from different sources may be used for Permitted Uses provided consumer Control is honored.
ii. An Addressable Media Identifier provided in accordance with the Framework may be used in combinations with other Addressable Media Identifiers provided each Addressable Media Identifier is provided in accordance with the Framework.
D. Online Behavioral Advertising - Online Behavioral Advertising means the collection of data about a browser’s or device’s activity over time and across non-Affiliate digital properties for the purpose of using such data to predict user preferences or interests to deliver advertising based on the preferences or interests inferred from such browser’s or device’s activity.
E. Online Health Service - Online Health Service means an online service or portion of an online service principally designed to provide information to individuals about physical or mental health, or to collect, use, maintain, or transfer personal information about the physical or mental health of individuals.
F. Retargeting - The collection of data about a browser’s or device’s activity in one unaffiliated web domain or application, or the use of such data, for the purpose of customizing an advertisement in a different, unaffiliated web domain or application, or on a separate covered device.
G. Sensitive Data
1. Information obtained through a microphone, camera, or sensor of the device, except and only as reasonably necessary for fulfillment.
2. Information, including inferences, about sensitive health or medical conditions or treatments, including but not limited to, all types of cancer, conditions predominantly affecting or associated with children, and conditions not treated with over-the-counter medication, mental health-related conditions, and sexually transmitted diseases (the conditions or treatment is sensitive regardless of the source).
3. Precise Location Data. Precise Location Data means information obtained from a device about the physical location of that device that is sufficiently precise to locate a specific individual or device with reasonable specificity.
II. Permitted Uses of Addressable Media Identifier
A. Permitted Uses. Certain uses of Addressable Media Identifiers are essential to a healthy Internet ecosystem. The use of such identifiers should be permitted but limited only to such Permitted Uses.
B. Permitted Uses are:
1. Security & Safety:
a. To provide security for a product or service;
b. To prevent and detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or take action against those responsible; and
c. To facilitate or provide emergency messages.
2. Fulfillment. To deliver or provision a product, content, or service requested by an individual.
3. Reporting. To log data or to collect or use other information about a browser, device, operating system, domain name, date and time of interaction with or viewing of a Web page, app usage, content, or advertisement, impression information for:
a. Statistical reporting in connection with user interactions;
c. Optimization of placement and terms of ad and/or media;
d. Reach and frequency metrics (e.g., frequency capping); and
e. Logging the number and type of advertisements.
4. Marketing Research. To investigate the market for or marketing of products, services, or ideas, where the information is not: (1) integrated into any product or service; (2) otherwise used to subsequently contact any particular individual or device; (3) used to advertise or market to any particular individual or device; or (4) used to make inferences about any particular individual or a user of a browser or device.
5. Product Development. To analyze: (1) the characteristics of a market or group of consumers; or (2) the performance of a product, service, or feature, in order to improve existing products or services or to develop new products or services. Data used for Product Development should not be re-identified to market directly back to, or otherwise re-contact a particular individual, computer or device.
6. Addressable Media Identifier Advertising
a. Advertising. The use of Addressable Media Identifiers for advertising.
b. Online Behavioral Advertising & Retargeting. Entities that use AMIs for Online Behavioral Advertising and Retargeting should do so in accordance with the Control under Section I.C. and the DAA Principles. To the extent a given Addressable Media Identifier is used/persists across multiple browsers, applications, or devices, Control should be applied to Online Behavioral Advertising and/or Retargeting across such browsers and/or devices.
7. Compliance with Law & Obligations:
a. To respond to valid legal process or as required or specifically authorized by law;
b. To authenticate and verify the account of an individual exercising one or more of the choices required by law; or
c. To effectuate one or more preference set pursuant to Section II.B.6.b.
III. Prohibited Uses of Addressable Media Identifier
Use of Addressable Media Identifiers is prohibited with:
1. Information relating to the physical or mental health of an individual, except and only as reasonably necessary for fulfillment, where the information: (i) was collected, created, or inferred by an Online Health Service; (ii) relates to the provision of “health care” (as such term is defined in 45 C.F.R. § 160.103) to an individual; or (iii) was solicited from an individual or a member of the individual’s family.
2. A financial account number, debit card number, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; or a government issued identifier such as Social Security number, passport number, or driver’s license number, except and only as reasonably necessary for fulfillment. Provided that publicly posting such information is prohibited, regardless of consent.
3. A biometric identifier generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, a set of measurable characteristics of a human voice that uniquely identifies an individual, eye retinas, irises, face geometry, or other unique biological patterns or characteristics used to identify a specific individual, except and only as reasonably necessary for fulfillment. Provided that a biometric identifier does not include a physical or digital photograph, or a video or audio recording, or data generated from a physical or digital photograph, or a video or audio recording, so long as such information cannot be used to identify an individual.
4. The contents of an individual’s private communications, unless the covered organization is the intended recipient of the communication.
5. Call detail records, except and only as reasonably necessary for fulfillment.
6. Calendar information, address book information, phone or text logs, or personal photos, videos, or audio files maintained on the device, except and only as reasonably necessary for fulfillment.
7. An intimate image of an identifiable individual, or of an identifiable individual engaging in sexually explicit conduct.
IV. Sensitive Data
Sensitive Data used with Addressable Media Identifiers should be used for Permitted Uses only and with Opt-In Consent as set forth in Section I.C.3.
V. Transparency for Permitted Uses
An entity that uses Addressable Media Identifiers should provide a clear, meaningful, and prominent notice on their own Web sites that:
1. Enumerates the Permitted Uses for which the entity uses Addressable Media Identifiers;
2. States its adherence to the Framework;
3. If the entity uses the Addressable Media Identifiers to transfer data to other entities, states this fact; and
4. Describes an easy-to-use mechanism for exercising choices with respect to the use of Addressable Media Identifiers for Online Behavioral Advertising and/or Retargeting.
B. Enhanced Notice
In addition to providing notice as described in Section V.A, an entity that uses Addressable Media Identifiers for Online Behavioral Advertising and/or Retargeting should provide enhanced notice of this use. Such enhanced notice should be provided in or around the advertisement or otherwise accessible from the browser or application.
If data is collected from a Web site or application where no advertisement is present, the entity that owns or operates the Web site or application will provide such notice.
VI. Availability of Addressable Media Identifiers
A. Addressable Media Identifiers shall be certified by an entity that operates independently from any particular organization that uses the Addressable Media Identifiers.
B. All entities may access Addressable Media Identifiers on equal terms including that the provider of the Addressable Media Identifiers must provide access to the Addressable Media Identifiers on terms and conditions that are just, reasonable, and nondiscriminatory.
VII. Preference Manager
Control may be satisfied via industry-developed mechanisms that allow participating entities to register, honor, and maintain consumer preference selections.
VIII. Oversight & Accountability
An industry-wide oversight and accountability framework will apply to ensure participant adherence to the Framework.