DAA Data Collection Principles

Background

The Digital Advertising Alliance (DAA) is composed of some of the largest marketing associations in the US. In response to FTC recommendations released in 2009, the DAA has created two sets of guidance: the Self-Regulatory Principles for Online Behavioral Advertising and the Self-Regulatory Principles for Multi-Site Data. The latter set of principles defines acceptable uses of collected data for purposes outside of online behavioral advertising.

Principles

Excerpt from the Self-Regulatory Principles for Multi-Site Data:

  1. Limitations on the collection of Multi-Site Data (Inflection Principle 3): The collection of data for Online Behavioral Advertising is covered by the OBA Principles. A Third Party or Service Provider that collects Multi-Site Data, or transfers such data to a non-Affiliate, for purposes other than Online Behavioral Advertising covered by those Principles should provide consumers with transparency and consumer control except as follows:
    1. For Operations and System Management Purposes, Including:
      1. intellectual property protection;
      2. compliance, public purpose and consumer safety;
      3. authentication, verification, fraud prevention and security;
      4. billing or product or service fulfillment; or
      5. Reporting or Delivery;

    2. For Market Research or Product Development, or
    3. Where the Multi-Site Data Has or Will Within a Reasonable Period of Time from Collection Go Through a De-Identification Process.

  2. Restrictions on the use of Multi-Site Data for eligibility for employment, credit, healthcare, or insurance
    Notwithstanding any other provision, a Third Party or Service Provider should not collect, use or transfer Multi-Site Data for the following purposes:

    1. Employment Eligibility: Determining adverse terms and conditions of or ineligibility for employment, promotion, reassignment, sanction, or retention as an employee.
    2. Credit Eligibility: Determining adverse terms and conditions of or ineligibility of an individual for credit.
    3. Health Care Treatment Eligibility: Determining adverse terms and conditions for or ineligibility of an individual to receive health care treatment.
    4. Insurance Eligibility and Underwriting and Pricing: Determining adverse terms and conditions of or ineligibility of an individual for insurance, including, but not limited to, health insurance.

  3. Sensitive Data
    1. Children: Third Parties or Service Providers should collect and use “personal information,” as defined by the Children’s Online Privacy Protection Act (“COPPA”) from children under the age of 13 as compliant with COPPA, unless such collection or use is otherwise exempted by COPPA.
    2. Health and Financial Data: Except for operational or systems management purposes (including those enumerated in 1. A. 1-4), a Third Party or Service Provider should not collect and use Multi-Site Data containing financial account numbers, Social Security numbers, pharmaceutical prescriptions or medical records about an individual without opt-in consent. Pharmaceutical prescriptions or medical records that are de-identified as set forth in HIPAA Privacy Rule, 45 C.F.R. 164.514, are not limited by this subsection.

Further Reading

Link: DAA Self-Regulatory Program for Online Behavioral Advertising