Global Legal Summaries

Global Legal Summaries 5

The Global Legal Summaries provide information about regulatory and policy updates related to digital advertising from countries around the world. This helpful tool serves as a resource for companies interested in doing business in other markets, connecting companies with international IABs and vice versa.

To view legal summaries from a country, click on the icons on the map below.



In Australia, media, advertising technologies and platforms are regulated by their conduct and not as a separate business discipline. This means, the digital advertising industry is subject to the oversight of more than one government department and regulator, together with self-regulation. Digital advertising involves a complex delivery model that requires advertisers to create and deliver content, use the internet, broadcast the content, make representations, use personal information, collect a plethora of data, use cross-platform technologies and communicate the end product. As a result, each aspect of the digital life cycle is touched one or more arm of government and complimented where possible by self-regulation. Below is a summary of the regulatory landscape and the recent developments affecting online advertising.

Government oversight is provided through two arms of government, Ministerial and Administrative oversight. Ministerial oversight involves having a dedicated Minister within the Government that oversees one or more business sector/portfolio. Government agencies, also known as Regulators, provide the administrative implementation, guidance and enforcement of the underlying legislation. Sometimes, but not always, these two overlap.

Department of Communications
This Department is responsible for enhancing and developing the digital economy by finding ways to improve its productivity and infrastructure. It seeks to also promote more efficient communication markets. This means it reviews the provision of the following community services: broadband, online safety and security, mobile, television and radio. All of these are digital communication channels that directly affect the provision of digital media. The Australian Communications and Media Authority (ACMA) (see below) is one of the agencies that comes under the purview of the Department of Communications.

Attorney Generals Department
The Department develops policies and reforms with respect to the rights and protections of individuals, particularly for privacy and data protection laws. It oversees policy development for the areas of:

  • Privacy
  • Intellectual Property
  • Copyright
  • Cyber security
  • Identify security
  • Legislative reform for the Serious Invasion of Privacy in the Digital Era

As mentioned above, the Regulators provide administrative oversight and enforcement of relevant laws within their jurisdiction.

Australian Communications and Media Authority (ACMA)
The ACMA attends to the day to day regulation of some of the areas overseen by the Department of Communication. It provides guidance, compliance standards, receives and adjudicates complaints and enforcement for matters relating to regulation of all forms of electronic communication, including:

  • Internet content
  • Internet security – anti-malware initiative
  • Content and advertising – by setting license conditions, mandatory program standards, codes of practice, disclosure of sponsorship, setting standards for the delivery of Australian content
  • Telecommunications
  • Radio content and spectrums
  • Broadcasting
  • Anti-spam

Australian Competition and Consumer Commission
The ACCC promotes competition and fair trade in markets to benefit consumers, businesses, and the community. One of its primary responsibilities is to ensure that individuals and businesses comply with Australian competition, fair trading, and consumer protection laws under the Competition and Consumer Act 2010. Of particular note are the Australian Consumer Law provisions that address the disclosure, transparency and factual obligations of businesses when promoting goods and services to consumers, which includes online advertising through the use of any form of digital infrastructure The ACCC oversees:

  • False or misleading claims
  • Managing online reviews
  • Shopping online
  • Internet banking
  • Online auctions
  • Online group buying
  • Social media advertising
  • Pricing displays
  • Unfair practices

Detailed guidance is provided through ACCC publications. Several ACCC publications of importance to the digital advertising industry are below:

Office of the Australian Information Commissioner
The OAIC responsible for privacy functions and other laws that confer privacy obligations, for example compliance with Anti-Money Laundering and Telecommunications laws also triggers obligations by relevant entities with respect to disclosure of personal information. Generally, privacy laws only apply to organisations with an Australian link that have an annual turnover of $3 million dollars or more (thought they may elect to comply with a lower turnover). The Privacy Act 1988 is the primary law dealing with collection, holding, use and disclosure of personal information that belongs to an individual as it arises within the commercial business sector. Detailed guidance is provided through the privacy commissioners publications:

There is a body of industry associations that concern themselves with the commercial interests of relevant sectors of the economy and adopt self-regulatory initiatives by way of codes of practice, guidelines and standards that are adapted by business. This type of regulation serves to either provide detailed industry guidance or fend off further government intervention. IAB Australia serves this purpose by providing a number of guidelines. Details of the guidelines are available at www.iabaustralia.com.au.

Self-Regulatory Program for OBA
The Australian Digital Advertising Alliance (ADAA) has developed the Guideline for Third Party OBA. This Guideline was developed by the IAB and endorsed by a number of businesses and other associations. It helps industry participants deploy third party OBA in a way that promotes and maintains consumer confidence. All OBA guidance is available at www.youronlinechoices.com.au (YOC) which also provides consumer with the avenue to opt out of OBA and also acts as the conduit for complaints. IAB Australia is the Chair, convenor and operator of the ADAA and the YOC website. This program is based on the Digital Advertising Alliance’s program in the USA.


  • Privacy Act 1988 (Cth)
    • collection, holding, use and disclosure of personal information
  • Spam Act 2003 (Cth)
    • the use of electronic messages of a commercial nature by way of email, text, multimedia messaging and instant messaging
  • Competition and Consumer Act 2010 (Cth) – in particular the Australian Consumer law
    • The type of conduct demonstrated by organisations – misleading and deceptive, unconscionable, unfair business practices
  • Corporations Act 2001 (Cth)
    • Regulatory behaviour of corporates, directors duties, reporting
  • Broadcasting Services Act 1992 (Cth)
    • content and paid advertising across commercial television, commercial radio and pay TV, including media ownership
  • Copyright Act 1968 (Cth)
    • protection of the content, layout and images built within advertisements

Serious Invasion of Privacy in the Digital Era This issue is still in the policy phase. It raises the issue of an invasion of privacy given the plethora of online engagement within the ecosystem and the possibility of a breach of privacy within the multi-device, data-rich society. If introduced, Australia would have a civil action whereby an individual would be able to bring action against a corporate entity for breach of privacy (even if there was not evidence of actual damage). A High level summary of the offence is as follows:

  • The invasion of privacy must occur by intrusion into the plaintiff’s seclusion or private affairs (including by unlawful surveillance) or by misuse or disclosure of private information about the plaintiff.
  • The invasion of privacy must be either intentional or reckless. A person in the position of the plaintiff would have had a reasonable expectation of privacy in all of the circumstances. In determining this, the court may take into consideration:
    • the nature of the private information;
    • the means used to obtain the information;
    • the purpose of the misuse, disclosure or intrusion;
    • how the private information was held/communicated;
    • the relevant attributes of the plaintiff (eg age, occupation); and
    • whether they displayed a desire to have their privacy invaded.

Online Copyright Infringement
Draft legislation is currently being debated by the Australian Government that would enable the owner of a copyright to apply to the Federal Court of Australia for an order requiring a Carriage Service Provider to block access to an online location that has the primary purpose of infringing copyright or facilitating the infringement of copyright. Taxation of Online Advertising Revenue The Government is currently reviewing its taxation platform, including consideration of a 10% Goods and Services Tax on revenue earned from online advertising on search engines. This is a developing issue.


Regulatory Structure
The Brazilian regulation of digital advertising is carried out at the federal level, through laws (jurisdiction of the Legislative Branch) and decrees (jurisdiction of the Executive Branch, which only describe the laws) as well as through self-regulation. The main legal instruments are: a) The Consumer Code b) The E-Commerce Decree c) The Brazilian Internet Bill of Rights d) The Self-Regulatory Code of CONAR; and e) The Legislation on Sales Promotions (Law 5768/71, Decree 70.951/72).

The Brazilian Consumer Code (Law 8078/90) refers to advertising in Section III (Articles 36-38.) and is quite brief; for companies intending to create product sales sites, it is important to analyze the E-Commerce Decree (Decree 7962/13), which comprises the rules for e-commerce in Brazil, according to the principles set forth in the Consumer Code.

Also, there is The Self-Regulatory Code of CONAR (Brazilian Advertising Self-regulating Council). CONAR is a non-governmental organization, composed of advertising and other professionals, which provides self-regulation for the advertising area. CONAR plays a very active role in Brazil and although its decisions are not mandatory (as opposed to judicial decisions), the fact that the council is composed of the main entities in Brazilian advertising and its members – advertisers, agencies and vehicles – contributes for compliance with its decisions. It is important to stress that the CONAR Code sets forth provisions on advertising for different segments of the area (food, alcoholic beverages, etc) in its annexes, and it is an indispensable reading. CONAR is well respected in the advertising environment and their decisions are generally embraced by the Brazilian Justice System.

Regarding the Brazilian Internet Bill of Rights (Law 12965/14), it is a recent legislation which, within the scope of digital advertising, affects remarketing or target marketing, subject to its provisions on collection, use, storage, treatment and protection of personal data.

In addition to the aforementioned laws, please note that unfair competition and copyright laws shall be equally applicable, and that some advertising segments have specific legislations (beverages, tobacco, children’s advertising). As to sales promotions, please note that the Brazilian law requires government authorization for all types of promotions involving advertising and competition.

Recent Developments
Recent policies include the issuance of the Brazilian Internet Bill of Rights (Law 12965/14) and Resolution 163 of CONANDA (the Brazilian Council of Children and Adolescents’ Rights).

The Brazilian Internet Bill of Rights refers to, among other things, the collection, use, storage, treatment and protection of personal data, as well as detection and holding of personal data, and will cause an impact in target marketing. There are differences in the legal community about its self-applicability or need for regulation, through decrees, for its effectiveness.

Regarding the Resolution 163 of CONANDA, there is a major impact on children’s advertising. There are doubts about whether CONANDA holds enough judicial power to decide on children’s advertising, but considering the power of the lobby against children’s advertising in Brazil, it is important to evaluate the possibility of reputational damage if companies choose not to comply with the provisions of Resolution 163.



Regulatory Structure
The delivery of digital advertising in Canada is primarily regulated by Canadian private sector privacy legislation and anti-spam legislation.

Canadian Privacy Legislation:

  • There are four private sector privacy statutes in Canada:  the Federal Personal Information Protection Electronic Documents Act, Alberta’s Personal Information Protection Act, British Columbia’s Personal Information Protection Act and Quebec’s Act respecting the protection of personal information in the private sector.  Each statute sets out a regime for protection of personal information, although they vary in scope, substantive requirements and remedy and enforcement provisions.
  • The Office of the Privacy Commissioner of Canada (OPC) has released guidance on online behavioural advertising (OBA) that sets out requirements for organizations relying on implied consent to conduct OBA.   The OPC recently announced that they would be conducting research into OBA practices in Canada to confirm compliance with the guidance. Self-Regulatory Program for OBA:
  • The Digital Advertising Alliance of Canada (DAAC) has launched a self-regulatory program for OBA to assist companies with their compliance obligations under Canadian privacy legislation.  The DAAC program is based on the Digital Advertising Alliance’s program in the US. Canada’s Anti-Spam Legislation:
  • Canada’s anti-spam legislation (commonly referred to as CASL) sets out, among other things, strict consent, notice and unsubscribe requirements for the sending of “commercial electronic messages”.
  • CASL also prohibits the installation of a computer program on any other person’s computer system without express consent.  CASL refers to cookies as computer programs and provides for deemed consent to install cookies where “the person’s conduct is such that it is reasonable to believe that they consent to the program’s installation”.
  • CASL permits the regulator to impose administrative monetary penalties of up to $1 million per violation for individuals and $10 million for businesses.  CASL also sets forth a private right of action permitting individuals to bring a civil action for alleged violations of the commercial electronic message provisions of CASL with damages of up to $200 per violation (i.e. per email sent), not exceeding $1,000,000 for each day on which a contravention occurred, or for alleged violations of the computer program provisions of CASL with damages of up to $1,000,000 for each day on which the contravention occurred.

In addition to the above, the content of advertising is governed by various statutes in Canada, such as the Federal Competition Act and provincial consumer protection statutes, that generally prohibit false and misleading representations made to the public. Advertising industry self-regulatory codes and industry-specific regulation (e.g. alcoholic beverages, automotive sales etc.) sometimes provide specific additional requirements. The Province of Quebec has province-specific language requirements and a general prohibition on advertising to children under 12.



Regulatory Structure
In Chile the two primary laws impacting the digital advertising industry are law 19.496 which establishes standards for the protection of consumer rights, and law 19.628 on protection of the rights of consumers.

Law 19.628 is a general law that regulates most situations of digital advertising and sets out principles that impact those who perform the processing of personal data[1]. In particular, this law requires that data controllers[2] implement the principles of legitimacy, access, information, data quality, purpose, proportionality, transparency, non-discrimination, use limitation, and safety with regard to the processing of personal data.

Thus, the management of data processing operations must be conducted in full compliance with law 19.628 regarding these principles.

In addition, consideration should be given to the provisions of Article 28 B of law 19.496, The Consumer Protection Rights Act. Chile normatively includes an “opt out” system, so that the recipients of marketing communications have the right to oppose personal data being processed for direct marketing[3]. When this right is exercised, the manager of the corresponding database should delete cardholder data or at least prevent the carrying out of data processing activities with the data.

Finally, it must be remembered that the article imposes requirements for promotional or advertising communications that are sent by email as follows:

a. Indicate the subject or matter to which it relates;

b. Enter the identity of the sender; and

c. Contain a valid address to which the recipient may request suspension of shipments, which will be banned since then. Communication sent by mail, fax, telephone calls or messaging service, shall indicate how recipients may request suspension.

Recent Developments
The current legislation on protection of personal data has flaws that have allowed for data protection abuses. In 2008 Chile joined the OECD, which committed the country to work on improving the level of protection that the regulation has on protection of privacy. Chile is not considered a suitable country by the European Union in these matters which has created serious barriers for Chilean companies seeking to do business with Europe.

As a result, the current government of President Bachelet is promoting a legislative initiative to create a data protection system supporting the right of people to control and protect their information, so as to avoid fundamental rights violations from data processing.

The drafting of the law will take into consideration existing international data protection laws and resolutions, including the “Madrid Resolution”[4], Directive 45/96 of the European Union on the protection of individuals personal data and the free movement of such data, the OECD guidelines on the protection of privacy and trans-border flows of personal data, the Organic Law 15/1999 of Spain of personal data protection, the Colombia constitutional act No. 1581 for which general provisions for the protection of personal data are held, Law No. 8968 of Costa Rica on the Protection of the individual against the processing of their personal data and Law 18.331 of Uruguay about protection of personal data. Additionally, the text of the Regulation of the European Union which is under review has been considered.

[1] The processing of personal data is defined by law in article 2 as any operation or set of operations or technical procedures, automated character or not, that allow to collect, store, record, organize, develop, select, extract, compare, interconnect, dissociate, communicate, assign, transfer, convey or cancel personal data or use them in anyway.

[2] Is the natural or legal private person, or the respective public body that is responsible for decisions regarding the treatment of personal data. What characterizes the charge is the ability to decide on the purpose, content and use of data processing. That is, it is one organ that is responsible for strategic decisions on the database.

[3] Any promotional or advertising communication sent by email must indicate the subject or matter to which it relates, the sender’s identity and contain a valid address to which the recipient may request suspension of shipments, which will be banned since then. Providers to direct promotional or marketing communications to consumers via mail, fax, telephone calls or messaging services shall indicate a prompt how recipients may request suspensión. Thereof. requested it, sending new communications shall be prohibited.

[4] Joint proposal of Spain, Switzerland, France, Ireland, Canada, Czech Republic, Germany, Italy, Netherlands, New Zealand, United Kingdom, Estonia, Lithuania, Argentina, Malta, Cyprus, Finland, Slovenia, Greece and the European Data Protection Supervisor.



In Colombia, ICT sector (including Digital advertising) is regulated by five main public entities: the Ministry of Information, Technology and Communications (MINTIC), the Communications and Regulatory Commission (CRC), the National Agency of the Electromagnetic Spectrum (ANE), the Superintendence of Industry and Trade (SIC) and the National Institute of Food and Drug Monitoring (INVIMA). There are also different primary laws that impact digital advertising, such as:

  • Electronic Commerce Law (Law 527 / 1999): regulates the access and use of data messages, electronic commerce and digital signatures.
  • Consumer Protection Law (Law 1480 / 2011): seeks the protection and guarantee of consumers’ rights, such as dignity, privacy and security.
  • National Narcotics Statute (Law 30 / 1986): regulates the prevention campaigns against the consumption of alcohol and cigarettes and also controls the advertising of it.
  • Statute Law for Protection of Personal Data (Statute Law 1581 / 2012): develops the constitutional right of all people to know, update and rectify information collected about them in databases or files.
  • Resolution of Rights Protection for users of Communications Services (Resolution 3066 / 2011): protects the rights of users and consumers in the communication services, rights of information, equality and communication.
  • Autoregulation Publicity Code: establishes the rules that regulate the content of advertising messages.

The main entities that regulate digital advertising focus on different and related aspects of technology and communications. For example, the Ministry of Information Technologies and Communications designs and promotes politics, organizes programs about information and technology, and researches on innovations that could contribute in the advance of the nation. Also, the Communications Regulatory Commission promotes free and loyal competence in the technology sector and aims to improve social welfare, along with protecting rights of Colombians users.

The National Agency of the electromagnetic spectrum is responsible of monitoring and controlling the electromagnetic Spectrum, along with providing technical advice for the users. Also, the Superintendence of Industry and Trade protects the rights of consumers and free and fair competition. This includes defending the fundamental rights related to the proper administration of personal data.

Finally, the National Institute of Food and Drug Monitoring protects and promotes the health of the population, along with authorizing digital advertising related to health products (drugs or medical devises).

Currently, the Ministry of ICT is developing a policy called “VIVE DIGITAL.” This policy seeks to advance the massification of Internet services, information, technology and communications. The policy implements the digital rights and creates a “Digital Citizen Folder” that contains the identification, email and new services for users.

In 2012, Colombia joined the Information Technology Agreement, which committed the country to work on improving the technology industry and information. It also helped the country eliminate tariffs on a product group of information technology.



Regulatory Structure
In Denmark, digital advertising is primarily regulated by the Danish Business Authority. In addition, there are several self-regulation schemes, such as minecookies.org, which deals with the cookie regulation and consent.  For more information visit the Danish Business Authority’s website at http://danishbusinessauthority.dk/home/0/2.

Recent Developments
Denmark is currently negotiating the general data protection regulation in the Council. Negotiations could play a role in securing the Internet ecosystem and companies’ abilities to transfer data cross borders, a fundamental requirement of a global digital supply chain.

For more information visit http://europa.eu/rapid/press-release_MEMO-14-186_da.htm.

Contact Information
For more information, please contact Allan Sorensen at [email protected].



Regulatory Structure
The Organic Law of Communication (published on June 25, 2013) and its General Regulations (published of January 27, 2014), established a new normative framework towards digital advertising. Therefore, misleading advertising or advertising in violation of basic human rights is prohibited. Also, 100% of publicity production disseminated in the country must be Ecuadorian (produced by any Ecuadorian natural or legal person).

Media platforms operating on the Internet and “alternative channels” (media or channels that do not conform to the definition of “social media” of the Organic Law of Communication but are used to disseminate publicity) have to apply the same standards of publicity in print and broadcast media. Content formulated by (natural or juridical) persons on their blogs, social networks and personal, corporate or institutional websites is excluded from the scope of this regulation.

Since the publication of the Organic Law of Communication, two new federal regulatory entities were created: The Superintendency of Information and Communication and the Council for the Regulation and Development of Information and Communication.



Regulatory Structure

In the European Union, digital advertising is regulated by a combination of ‘hard’ law, much of which emanates from Brussels in the form of directives and regulations, and self-regulatory initiatives at both EU and national level.

Over 100 pieces of European legislation relate to digital advertising, with the most important for the sector being the Data Protection Directive 95/46/EC and the E-Privacy Directive 2002/58/EC, as amended.

EU laws governing digital marketing are mainly adopted via a complex and often lengthy legislative procedure called “ordinary legislative procedure” (previously called “co-decision”). The European Commission, which has the sole right of initiative in the EU set-up, puts forward legislative proposals that are then sent to the ‘co-legislators’, the European Parliament and the Council of Ministers (Member States), for adoption. Average time to reach the agreement on a final text varies from one to four years.

The European Commission is composed of a College of Commissioners who are each assigned responsibility for specific policy areas. The latter are supported in their work by departments known as Directorates-General (DGs).

The European Parliament is composed of 751 Members, themselves divided into 20 specialised committees. A proposed directive or regulation may be reviewed by several Committees, with one acting as lead Committee, integrating contributions from the others in its final report.  Committee reports are adopted by the entire Parliament in Plenary Sessions held in either Brussels or Strasbourg.

On the Council side, working groups of national experts from the Member State capitals elaborate a common position and then hand off to Brussels-based Permanent Representations prior to adoption by the relevant configuration of the Council of Ministers.

If the EP and Council take differing positions on a proposal, a conciliation procedure is invoked to reconcile them.

Once adopted, directives need to be implemented in national law in the EU Member States. Differences in implementing laws from one Member State to the next can create effective barriers to the free circulation of goods and services.  Regulations, by contrast, are “directly effective” and need no national-level implementing measures.

Recent Developments

On 14 April 2016, after 4 years of intense negotiations, the EU’s General Data Protection Regulation GDPR was finally adopted. The GDPR will apply to all Member States of the European Union directly, and does not require implementation into Member State law. Meanwhile, in May 2015, the European Commission published its Digital Single Market (DSM) Strategy for Europe. The plan lays down a series of targeted actions that the Commission intends to roll-out by the end of 2016 to remove national barriers to transactions that take place online and boost Europe’s digital economy. At the same time, the European Commission’s Better Regulation agenda continues to be geared towards the adoption of principle-based legislation to be complemented by self- and co- regulation, allowing new regulatory opportunities for industry, including in the context of the GDPR.

In this context, IAB Europe, in collaboration with its broad membership of both corporate members and national IABs, continues to play its role as the voice of digital business and the leading European-level industry association for the online advertising ecosystem.

The Revision of the European Data Protection Legislation

In January 2012, the European Commission presented a proposal for a Data Protection Regulation that would replace the Data Protection Directive 95/46 EC. 4 year later, in April 2016, Regulation (EU) 2016/679, the GDPR, was finally adopted. It entered into force on 25 May 2016, but will only become applicable after a 2 year implementation period in 25 May 2018. The rationale behind this period is to give Member States, data protection authorities, and businesses time to adapt to the new legislation and requirements.

On a number of issues, the GDPR has created a higher level of protection of citizens’ personal data. For one, the definition of personal data has been expanded to mean any information which relates to an identified or identifiable natural person. Identifiable means either directly or indirectly identifiably, including online identifiers and location data. The concept of identifiable information doesn’t mean that the controller or processor needs to be able to identify the person, as it includes the wording ‘by any other person’ – this means that even if a processor cannot identify the person themselves using the data, but another entity can, the data is still considered identifiable information and thus falls under the definition of personal data.

Other changes include a higher standard of consent required for the processing of sensitive personal data (race, religion, political affiliation etc) and strict requirements for the profiling of data subjects. Pursuing the legitimate interests of a controller is still considered a valid legal basis for data processing under the GDPR, but require a balancing test of interests of the controller against the rights and interests of the data subject.

A new concept of the GDPR is the use of codes of conduct and certifications, which create quasi self-regulatory frameworks which can be approved by the European Commission. During the two year implementation period IAB Europe will be looking into whether a code of conduct can be a useful tool for the online advertising industry.

The Digital Single Market Strategy for Europe

IAB Europe has identified the following actions of the DSM Strategy as key for the digital advertising ecosystem.

1.    ePrivacy Directive

The ePrivacy Directive is sometimes better known as the ‘Cookie Directive’ as it currently only impacts the online advertising sector through Article 5 (3), which requires that users express their consent for storing or accessing of information. Commonly, this occurs when cookies are placed on a user’s device, but can also mean other types of storing or access. The European Commission, as part of its DSM strategy, announced that it would undertake a review of the Directive upon the adoption of the GDPR. This review is currently underway, and a legal proposal is expected in December of 2016.

IAB Europe is hard at work raising awareness of the problems presented by a one-size-fits-all consent policy for storing or accessing information and will be advocating that the GDPR now sufficiently protects users privacy, with the implication that specific rules in the ePrivacy Directive are no longer necessary, or at the very least should be aligned to reflect the same rules as the GDPR, thus removing the one-size-fits-all policy.

2.    The “follow the money” approach

The European Commission has made tackling commercial-scale Intellectual Property Rights (IPR) infringement one of its priorities, focusing on cutting revenue flows emanating from intermediaries in the broader sense, including digital advertising intermediaries, banking services and shippers. To do so, the European Commission has been gathering IAB Europe and other key stakeholder together to work on the conclusion of three Memorandums of Understanding, including one to minimize the misplacement of ads on IPR infringing sites.

3.    New contract rules for the sale of digital content

In December, the Commission published two proposals for new European contract rules for the sale of digital content and tangible goods. The proposal on digital content is important, most notably because it introduces, for the first time, contractual obligations for suppliers of online content provided against a counter-performance other than money – in this instance, data. Such obligations include, in certain cases of termination, data retrieval and restrictions on data use.

4.    A review of the Audiovisual Media Services Directive

The European Commission has announced a review of the Audiovisual Media Services Directive (AVMSD), which currently regulates the audiovisual sector. The review could notably result in the AVMSD rules on advertising, sponsorship and product placement becoming applicable to digital advertising players, particularly video advertising players.

5.    Analysis of the role of online platfoms

The European Commission has conducted an analysis of the role of online platforms and intermediaries. The latter reveals that online advertising platforms such as ad networks and ad servers are amongst the 8 categories of online platforms identified by the Commission. It also reveals a need to tackle certain platform issues in a sectorial manner through existing and new regulation.

6. The “Free flow of data” initiative

A legislative proposal on the free flow of data (e.g. between cloud providers) is also expected in the autumn.

Contact Information
In tandem with the national IABs working at national level, the IAB Europe team interacts directly with top EU policymakers to minimize legislative and regulatory disruption and to promote regulatory and self-regulatory solutions that encourage continued innovation and growth in the digital sector, with all the attendant consumer benefits arising from advertising-funded or advertising-supported online services. For more information on IAB Europe’s Policy Committee and on the DSM, please contact Townsend Feehan at [email protected]; for information on Privacy and Data Protection, please contact Matthias Matthiesen at [email protected].



Regulatory Structure
France is a centralized State where the legislative power is held by the French Parliament. Therefore rules governing advertising will generally be established in a law that can then be completed by a decree. Some highlights on the legislative landscape of the online advertising sector:

  • The French code of consumption forbids misleading advertising, and imposes restrictions on comparative advertising
  • Intellectual property legislation is also an issue with ongoing government reflections for a code of conduct to enhance online advertisers’ collaboration to fight against online counterfeiting and infringements to copyright.
  • IAB France in collaboration with IAB Europe, is also taking an active part on the ongoing discussions at European level on the ECJ ruling on the Right to be Forgotten, the General Data Protection Regulation regarding the inclusion of pseudonymous data, profiling and one-stop-shop; IAB France is also working at European level to try to find a common position on adblockers, net neutrality, cybersecurity and taxation

The French Digital Council (Conseil National du Numérique) composed by digital entrepreneurs, sectorial associations, and key decision makers issues non-binding policy recommendations and opinions to the French Government. Furthermore, self-regulation, such as the Union Française du Marketing Direct (French equivalent of the US Digital Advertising Alliance) guidelines on cookies, helps online advertisers to comply with national legislation. France is also a Member State of the European Union, which means that some national laws and regulations are derived from the European Law. The most prominent legislation that an online advertisers should be aware of is the law n°93-112 of the 29th of January of 1993, also known as the Sapin Act, a public order law (mandatory law that parties cannot modify by agreement) and  which contains the regulatory framework regarding the purchase of online advertising services.

Recent Developments
The French government is currently preparing a new digital law, which would update the current legislative framework that dates back to 1978, though amended through the years. This new law is expected to cover a wide range of subjects such as data protection, internet neutrality and the revision of the Data protection authority sanction powers. The French Digital Council, will organize a broad consultation, (which should start in September); all interested parties will be able to participate. The law should then be presented to the French Parliament during the first or second semester of 2015. Developments at European level should also be followed closely as they might influence the outcome of this new law. To be noted that the provisions of French legislation must be in line with EU law.

On the 5th of December 2013, the CNIL issued a recommendation that specified the best practices that should be put in place by market operators in order to comply with the current legislation. The CNIL will also undertake in October 2014 a cookie control where it will examine market operators’ compliance with its recommendations. An overview of the French regulatory framework and other information can be found on the following links:



Contact Information
For more information on these issues please contact by priority:

Mrs Valérie Chavanne, Vice-President in charge of public policies
Email: [email protected]
Phone: + +33170912054

Mr Stéphane Hauser, General Delegate
Email: [email protected]
Phone: +33148781432


Global Legal Summaries 3


Regulatory Structure

Digital Advertising touches various aspects of German law. Advertising agencies, technology providers, platforms and publishers have to observe a variety of rules regarding advertising. In Germany, advertising is primarily regulated through federal statutory rules regarding unfair competition. Where digital advertising is based on or requires the collection, storage and use of personal data, additional laws and regulations concerning data protection apply.


The following federal laws and regulations are the most relevant concerning digital advertising:

–    Unfair Competition Act (Gesetz gegen den unlauteren Wettbewerb  – UWG)

–    Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG)

–    Telecommunications Act (Telekommunikationsgesetz – TKG)

Certain sectoral laws such as the Teleservices Act or the Social Security Code contain provisions, which regulate e.g. the processing of telecommunications, health, and other personal data in connection with the provision of telecommunication, medical and social security services. Those special federal laws take precedence over general legislation. Besides federal legislation, each German state has its own data protection law.

–      Market Competition

Unfair Competition Act

Commercial advertising is comprehensively regulated by federal legislation. In addition to that, the advertising industry has established various self-regulatory codes of conduct.

The Unfair Competition Act (UWG) widely codifies existing case law and covers inter alia advertising law, unwanted advertising (anti- spam, fax advertising), cases of misleading advertising, misrepresentation to clients, and legal warnings as well as terms of use and conditions on a website. It aims to protect competitors, users and the general public (integral model).

Most of the actual provisions set out in the UWG find their legal basis in recent European regulation, namely EU-Directive 2006/114/EC concerning misleading and comparative advertising (2004) and EU-Directive 2005/29/EC – “Unfair Commercial Practices Directive” (2008).

The revised general clause in § 3 (1) UWG prohibits unfair commercial practices, if they are likely to significantly affect the interests of competitors, consumers or other market participants. A number of provisions defining different categories and examples of unfair competition accompanies the general clause. In 2008, the UWG was amended by a “black list” of examples of unfair commercial practices.

Germany does not fight unfair commercial practices through state bodies with the help of administrative law. Infringements may only be enforced by way of private statutory actions and only by entities authorized by law, namely competitors, certain trade associations, chambers of commerce and consumer associations (§ 8). This self-regulatory scheme entitles to initiate proceedings in front of the Voluntary Board of Conciliation and to file claims against the infringer.

The law provides for quick and efficient proceedings mainly through private, fee-based cease and desist warnings or preliminary injunctions issued by the courts. In addition, a general claim for civil damages can be filed. It is obligatory to issue a warning to the offender before taking legal action. Civil sanctions range from removal/cessation of the infringement and publication of the court ruling to damages and skimming of profits.

–      Data Protection

Where digital advertising technologies make use of personal data, a variety of laws concerning different aspects of data protection must be observed. These laws and regulations find their basis in both federal as well as in state legislation. EU- Directives 95/46 and 2002/58 are transposed through a variety of laws creating a complex and differentiated regulatory scheme. Additionally the German Online Advertising Industry has developed a code for self-regulation in cooperation with other European countries and IAB Europe.

Federal Data Protection Act

In Germany the online advertising industry is mainly regulated by the German Federal Data Protection Act (BDSG), the main data protection law in Germany. The BDSG covers private enterprises as well as public authorities and other public bodies. The law sets out the basic principles in connection with any on- or offline processing of personal data protecting the right of informational self-determination of the data consumer. The law is only applicable where personal data is collected and processed in an automated process. Personal data is defined as any information concerning the personal or material circumstances of an identified or identifiable individual (§ 3). The processing of anonymous or anonymized data is however not covered by data protection legislation.

The BDSG provides that companies and public authorities are allowed to process personal data only if

·        processing of the data is permitted under a specific legal provision, or

·        the individual whose data are to be processed (data subject) has given his or her consent.

Where such a legal permission does not exist, only the informed consent of the data subject can override the legal prohibition to collect and use personal data for purposes not protected by the law, namely for the purposes of advertising and market-research. Consent must be declared in writing, meaning the data subject must sign the declaration. The consent has to be given beforehand and must include all information about the purpose and the identity of the controller or any other recipient where data is subsequently to be transferred. Where consent is to be declared together with other declarations or in general terms and conditions, it must be easily distinguishable in its appearance (e.g. highlighted or bold text).

Where these requirements are not met, the processing of personal data is prohibited. The data controller must also obey the additional legal principles e.g. of data reduction and data economy, of direct collection of data accuracy, or of limitation, when the purpose for processing personal data has become obsolete.

German data protection law applies to:

·        German data controllers and processors (private and public bodies).

·        Data controllers not located in the European Economic Area (EEA), which collect, process and use personal data in Germany.

·        A German branch of a data controller located within the EEA, which collects, processes or uses personal data in Germany.

The BDSG also sets out the requirements of IT-security in connection with the processing of personal data. The law requires extensive technical organizational measures to ensure the overall integrity of IT systems that are being used for the processing of personal data such as:

·        Preserve the security of the data.

·        Prevent the alteration or damage of data.

·        Prevent access by non-authorised third parties.

In case of data breaches, controllers are obliged to notify the data subject if data were unlawfully transmitted or otherwise became known to third parties. The data subject has the inalienable right to information and to correction, erasure or blocking of his or her data.

Telemedia Act

Special privacy provisions apply for electronic information and communication services (telemedia). As sector specific legislation, the German Telemedia Act regulates all telemedia regardless of whether the services are gratuitous or fee-based. The permits the consent-free use of certain data only for specified purposes. The provisions define two types of special purpose data: contract data (Bestandsdaten) and utilization data (Nutzungsdaten). Consent is however necessary for the processing of other types of personal data, particularly content data.

According to the overriding provisions of the Telemedia Act, consent may also be given electronically, provided the data controller ensures that the data subject declares his consent knowingly and unambiguously, the consent is being recorded, the user may view his consent declaration at any time, and the user may revoke consent at any time with effect for the future (§ 13(2)).

For the purposes of advertising or market-research utilisation data from e.g. cookies may be used in pseudonymised user-profiles (§ 15 (3)). The data subject may however exercise their legal right to opt-out at any time. This provision on consent-free profiling is a legislative speciality and of vital importance for the digital advertising industry. The requirement of strict pseudonymisation provides for and establishes the necessary balance of the rights of all involved parties. The EU-Commission has approved the German regulations on cookies and profiling to be in accordance with the requirements set out in the EU-directive 95/46/EG (e-privacy directive).

Data Protection Authorities (DPA)

There are federal and regional supervisory authorities responsible for monitoring the implementation of data protection. On the federal level, the Federal Data Protection Commissioner is responsible for monitoring and controlling obedience to data protection laws and regulations by federal authorities and other public bodies under federal government control. Additionally there are a number of different authorities on state level, which are responsible for ensuring compliance with data protection laws and regulations. The supervision of compliance with data protection provisions is a state government responsibility, which is transferred to and exercised by the state data protection commissioners.

The federal and state DPA´s are by law entitled to enforcement actions. Sanctions may include administrative fines up to 300.000 EUR, administrative orders to remedy data breaches, banning of certain business activities in case of serious breaches.

Self Regulation

The German Data Protection Counsel Online Behavioural Advertising (DDOW) is the self-regulatory body of the digital advertising industry for OBA in Germany. Following the “IAB Europe Framework on OBA” and in line with relevant initiatives in other European countries, the German online advertising industry has developed a self-regulatory framework, which provides consumers with information about the legal framework, with transparency and an easily manageable decision-making mechanism for a potential opt-out.

The following elements play a key role in the self-regulation scheme:

·        the labelling of advertising media with an icon standardized within the EU

·        the placement of relevant and transparent information about the data-processing mechanisms regarding OBA by clicking on the icon

·        the establishment of a European central and easy-to-use online-preference-tool for consumers to exercise the legal right to opt-out of personal data processing.

The industry has also established self-regulation mechanisms in order to promote responsible practices in commercial advertising and to identify and resolve grievances in this field. As the representative of 44 organizations of advertisers, the media, advertising agencies, the advertising professions and research establishments, the German Advertising Standards Council (Deutscher Werberat) has defined certain self-regulatory standards, procedures and codes of conduct. The codes mainly cover questions of taste and decency. There are different rules for all sectors of industry and all media. They inter alia address advertisement with or for children, alcohol-, tobacco-, gambling- or celebrity-advertising.
If an advertiser fails to modify or discontinue an advertisement, Deutscher Werberat issues a reprimand and makes the case public. Cross-border issues concerning questionable advertising are addressed by the European Advertising Standards Alliance (EASA) based in Brussels.

Recent Developments

Currently, the EU-Commission , the Parliament and the Council are at the stage of final compromise talks (trialogue) on an EU-wide General Data Protection Regulation. The implementation of pseudonymous data processing (privacy-by-design) and the integration of the successfully established advertising self-regulation (OBA) will play a key role for the establishment of a true level playing field for all companies of the digital economy in the European market.

The German Government is considering draft-regulation, which will amend the national Act on Injunctions (UKlaG) and is aiming on entitling mainly consumer associations to enforce data protection infringements. The draft has been highly criticised by the digital economy. The implementation of a genuine permission for private class action in the field of data protection is not in line with the currently planned EU-regulations, which only allows such actions upon transfer of rights by the individual data subject. Moreover, the creation of private oversight for data protection issues will introduce a new and unsystematic opportunity for private legal actions which will be competing with the existing national data protection supervisory.

For more information on digital advertising in Germany please visit us as www.bvdw.org or www.meinecookies.org or contact us:

RA Michael Neuber
Head of Legal Department BVDW e.V.
T:+49 30 437 484 61
F:+49 30 437 468 94
[email protected]

Dr. Joachim Jobi
Head of Public Affairs BVDW e.V.
T:+49 30 437 484 62
F:+49 30 437 468 94
[email protected]



Regulatory Structure

In Ireland Digital advertising is regulated in four ways: indigenous legislation, EU regulations and directives, self-regulation, and the EU Data Protection Commission.

1) Indigenous legislation – Indigenous legislation includes laws created by a relevant government department in Ireland (Communications or Law).

2) EU regulations, directives or decisions – EU regulations (e.g. the forthcoming Data Protection Regulation) have binding force on each member state at a specified start date. EU Directives (e.g. Privacy Directive) lay down certain results to be achieved but allow the member states freedom to transpose the directives into national law. Decisions are EU laws relating to specific cases and directed to individual or several member states, companies, or private individuals and they are binding upon those to whom they are directed.

3) Self-Regulation – The Advertising Standards Authority of Ireland is the SRO that creates the advertising code for our market, this code is currently being updated and I represent digital on the Code Review Working Group, our members who signed up to the IAB/EASA OBA SRO Program and bound by it.

4) Data Protection Commission – The Data Protection Commission is responsible for enforcing national and EU legislation which places obligations on data controllers. The office of the Data Protection Commissioner is established under the 1988 Data Protection Act.  The Data Protection Amendment Act, 2003, updated the legislation, implementing the provisions of EU Directive 95/46. The Acts set out the general principle that individuals should be in a position to control how data relating to them is used.

The Data Protection Commissioner is responsible for upholding the rights of individuals as set out in the Acts, and enforcing the obligations upon data controllers. The Commissioner is appointed by Government and is independent in the exercise of his or her functions.  Individuals who feel their rights are being infringed can complain to the Commissioner, who will investigate the matter, and take whatever steps may be necessary to resolve it.

Recent Developments

IAB Ireland is playing an active role as a member of the working group conducting a complete review of the ASAI Advertising Code. The new ASAI code is due to be launched in September 2015. Further, IAB Ireland has contributed to the review of the Department of Communication’s review of the advertising market, which has not yet been published. IAB Ireland is participating in IAB Europe’s Digital Innovation Showcase Europe (DISE) program, which will feature outreach by innovative SME members to educate policy makers on digital advertising, effective regulation of this rapidly changing industry, and the dangers of elements of the draft Data Protection Regulation. Given that there is a newly appointed Minister for Communications and a new DPC will soon be appointed, IAB Ireland will continue to help policy makers stay up-to-date on our growing industry.




Regulatory Structure
In Italy digital advertising is regulated by three main Bodies: the Communications Regulatory Authority (Agcom), the Data Protection Authority (DPA) and the Antitrust Authority (AGCM).

Agcom is the guarantor of the market competition rules in the communication sector and monitors the creation of dominant positions. In more detail, the Authority periodically conducts a specific analysis in order to estimate the resources included in the so called SIC (Integrated communications system) which is defined in the Legislative Decree n. 177/2005[1] as the economic sector determined by the process of convergence between traditional broadcasting, newspapers and magazines, publishing (also via Internet), radio and audiovisual media services, and cinema and advertising both above and below the line. Agcom also monitors that Companies registered as communications operators not amass, either directly or indirectly, more than 20% of the total revenue of the SIC. The Legislative Decree n. 177/2005 also provides that the advertising dealers companies have to register themselves to the Register of Communications Operators (ROC) which ensure transparency and public knowledge of the ownership structures, while also permitting application of the rules limiting editorial concentration and pluralism of information.

DPA, in particular, monitors the privacy issue in relation to the rules for the so called cookies and Internet profiling: recently the Authority (as provided by the Legislative Decree No. 69 of 28 May 2012 which implemented the ePrivacy Directive in Italy) adopted a measure[2] providing for simplified modalities to use in order to transmit to users the online information notice on the use of cookies, in addition to giving indications to obtain the consent when required by law.

AGCM protects Companies from the unfair methods of competition in or affecting commerce and from the misleading advertising establishing the rules for the comparative advertising[3]. Apart from the legislation, the European Interactive Digital Advertising Alliance (EDAA), which is the organization responsible for enacting key aspects of the self-regulatory initiative for Online Behavioural Advertising across Europe, supplements the regulation and requires additional commitments from participating companies[4].

Recent Developments
Since last year Italy has been dealing with the so called Web Tax. In more detail, the 2014 Stability Law (Article 1, paragraphs 33) provided that, starting as of 1 July 2014, advertising services and sponsored links purchased on-line, as well as on-line advertising spaces and sponsored links appearing in the results pages of search engines (search advertising services) viewable in the Italian territory, had to be purchased exclusively from entities holding an Italian VAT registration. The provision appeared immediately questionable from a European Law and, also because its lack of clarity, it was repealed by the Government thanks to the Law Decree no. 16 of 6 March 2014.

Contact Information
For more information about IAB Italy and the local regulatory environment, please contact Simona Zanette at [email protected].

Global Legal Summaries 2

Regulatory Structure

Digital advertising in Japan is regulated primarily by personal information protection and anti-spam laws.


Email advertising practices in Japan are governed by the following two laws:

the Act on Regulation of the Transmission of Specified Electronic Mail; and,
the Act on Specified Commercial Transactions (Section 3. Mail Order Sales, Article 12-3. Prohibition, etc. on Sending Email Advertising to a Person Who Has Not Given His/Her Consent).
The Act on Regulation of the Transmission of Specified Electronic Mail was enacted in 2002. The act was amended in 2008 to replace opt-out regulations with opt-in regulation. Hence, no advertising email may be sent without recipients’ explicit consent. Furthermore, senders are required to keep records of recipients’ consent and to label the records.

Self-Regulatory Initiatives: JIAA Email Advertising Guidelines

The Japan Interactive Advertising Association (JIAA) issued its email advertising guidelines for mobile devices in 2001 and those for PC in 2002. The JIAA acted ahead of legislation to include an opt-in policy in its first guidelines stipulating that no advertising email may be sent to consumers without their explicit consent.

The JIAA guidelines also require advertising email senders to provide their names and contact information as well as instructions on how to unsubscribe. Additionally the guidelines stipulate that consumers must be able to unsubscribe easily and that the senders must stop sending advertising email immediately upon receiving unsubscription request.

Privacy Legislation in Japan

There’s no specialized law governing online privacy practices in Japan. Rather, businesses and organizations holding personal information are regulated by the Act on the Protection of Personal Information. Personal Information is defined as information that could identify a specific individual.

The Act on the Protection of Personal Information was enacted in 2003 and fully enforced in 2005. The Ministry of Economy, Trade, and Industry (METI) also provides guidelines on how personal information should be handled by advertising companies.

In June 2014, the Strategic Headquarters for the Promotion of an Advanced Information and Telecommunications Network Society (IT Strategic Headquarters) within the Cabinet Office published its Policy Outline of the Institutional Revision for Utilization of Personal Data. Based on the policy outline, a bill to revise the Act on the Protection of Personal Information was submitted to the ordinary Diet in 2015, aiming to establish a legal framework for the use of personal data with the reduced identifiability of individuals.

Self-Regulatory Initiatives: JIAA Guidelines for Creating a Privacy Policy

In accordance with the Act on the Protection of Personal Information, the JIAA formulated the Guidelines for Creating a Privacy Policy in 2004. The guidelines were revised in 2014 to address the collection and use of data facilitated by the development of network and growing use of mobile devices.

Efforts to Address Privacy Concerns

The Study Group on Consumer Issues with ICT Services established by the Ministry of Internal Affairs and Communications (MIC) released a report, An Examination of Lifelog-Monitoring Services, in 2010. In this report, a set of consumer-centric principles were proposed to address privacy concerns in association with behavioral advertising and location-based personalized assistance services.

The MIC also released in 2012 Smartphone Privacy Initiative to propose the Guidelines for Handling Smartphone User Information. A set of fundamental principles were provided in the guidelines to ensure transparency to consumers, opportunities for user participation, etc.

Industry groups and trade organizations are encouraged to draft their own industry-specific, self-regulatory guidelines in reference to the proposed fundamental principles.

Self-Regulatory Initiatives: JIAA Behavioral Advertising Guidelines

The JIAA first issued its Behavioral Advertising Guidelines in 2009 in reference to the Self-Regulatory Principles for Online Behavioral Advertising in the United States.

The JIAA amended its guidelines in 2010 in response to the MIC-proposed consumer-centric principles, adding articles for assurance of transparency and opportunities for user participation. The amendment was also influenced by the FTC-proposed principles as well as self-regulatory guidelines issued by relevant industry associations in the United States.

When the MIC’s Smartphone Privacy Initiative was released, the JIAA further reviewed its guidelines and launched the JIAA Information Icon Program in 2014.

The Behavioral Advertising Guidelines were revised most recently in 2015. Reviews and discussions are being continued on an ongoing basis.

Advertising practices in general including but not limited to digital advertising are also governed by different laws and regulations including the Act against Unjustifiable Premiums and Misleading Representations. False or deceptive advertising claims that are likely to mislead consumers are legally prohibited.

[1] In 2012 the Legislative Decree n. 177/2005 was modified by the Decree Law 63 of May 18, 2012: through the measure the revenues raised from online advertising, including the revenues from search engines and social networks, was included in the SIC. [2] http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/3167654 [3] Legislative Decree n. 145/2007 and Legislative Decree n. 206/2005. [4] http://www.edaa.eu/


Regulatory Structure
In Mexico, several prominent federal laws governing the digital advertising industry include the Commerce Code (Código de Comercio), which addresses competition law and intellectual property; the Consumer Protection Federal Law (Ley federal de Protección al Consumidor), which addresses deceptive and unfair advertising and is enforced by the Federal Institute for Access to Public Information and Data Protection (IFAI) ; and the Penal Code (Código Penal).

Notable regulatory bodies include the Federal Consumer Office (PROFECO) which regulates all advertising and the Interior Ministry (SEGOB) which regulates raffles drawings. Regarding self-regulation, the Council of Self-Regulation and Advertising Ethics (CONAR) regulates controversies based on the Advertising Ethics Code.

In 2010 Mexico passed the Personal Data Protection Law (LFPDPPP). This comprehensive privacy legislation draws from the OECD Privacy Guidelines, the EU Data Protection Directive, and most significantly from the APEC Privacy Framework. This law applies to both government agencies and private institutions.

Recent Developments
As part of the industry development, IAB Mexico and other associations including the Media Research Committee (CIM), the Marketing and Communications Industry Confederation (CICOM), and the Mexican Direct Marketing Association (Directa) are working closely to impact the Digital Advertising Regulations with Government Institutions, including a Digital Glossary registered at the Ministry of Economy. As part of the new Presidential period, the federal government is launching a Digital Strategy which aims to promote the adoption and development of information and communication technologies (Health, Education, Economy). One of the main goals of this Digital Strategy is the development of electronic commerce and digital advertising, which has greatly assisted the Digital Advertising industry. IAB Mexico currently talking with key stakeholders to incorporate projects into action items that help standardize and align the new metrics and best practices that formalize the industry in Mexico.

Contact Information
General Director – Gabriel Richaud – [email protected]
Research Manager – Daniela Orozco  – [email protected]



Regulatory Structure
In the Netherlands, digital advertising is regulated in three distinct ways: At the European level, there are several directives about digital advertising like the EU data protection directive, E-Commerce directive and directive on misleading and comparative advertising.

The European supervisors that regulate the digital advertising and disclosures made in privacy policies are the European Commission (EC) and the article 29 working party. European law is directly effective in national law, which gives people and companies actual rights. Most of the times, European law requires implementation to national law depending on the law proposal. Those proposals set out the frame of the Dutch law. The Dutch law has to be compliant with the European law.

The European Interactive Digital Advertising Alliance (EDAA) is the organization for self-regulation in the European Union. They license the OBA icon to companies involved in Online Behavioral Advertising across Europe.

At the state level, there are a wide variety of laws that address the requirement of a privacy policy, the content of privacy policies, mandatory data security safeguards and notice requirements in the event of data breaches. There is no independent law about digital advertising. It has its roots in the current laws like the Wet Bescherming Persoonsgegevens (WBP), Telecommunicatiewet (TW), Nederlandse Reclame Code (NRC) and the Mediawet.

Also the Netherlands has some authorities that regulate the content of digital advertising and disclosures made in privacy policies. They got the Autoriteit Consument & Markt (ACM), Commissariaat voor de Media and College Bescherming Persoonsgegevens (CBP).

Furthermore, companies in the Netherlands participating with self-regulation such as Your Online Choices (YOC) and Stichting Reclame Code Commissie (RCC).

Rulemaking authority belongs to the Chambers. Most of the times, ministers propose a law proposal. The proposal goes to the Second Chamber. They can approve, modify or reject the proposal. If they modify, the minister has to change it and send it again to the Second Chamber. When the Second Chamber approves it, the proposal goes to the First Chamber. The First Chamber can only approve or reject the proposal. If they approve then the proposal becomes a law.

The most prominent requirement to be aware of as an advertiser or marketer is the Telecommunicatiewet (TW) and the Wet Bescherming Persoonsgegevens (WBP). These laws determine how (personal) data should be processed and when permission is required. Specially article 11.5a TW, article 1 and 8 WBP.

In general, websites must inform visitors if they want to place cookies and the visitor must give permission. This applies only to cookies that track browsing habits. Websites do not need permission for cookies that are necessary to operate a service or shop. These include files that keep track of what is in a shopping cart. Cookies that only collect information on the quality and/or effectiveness of a website can be installed without the prior permission and consent, provided that the use of this type of cookie no or bad has low impact on the privacy of the user. When placing so-called “tracking cookies”, a website should always inform the visitor and ask permission. Tracking cookies are used to track individual surfing behaviour and are aimed to make profiles. This has a greater impact on the protection of privacy. Besides the Telecommunications Act, also the Data Protection Act applies to these cookies.

Recent Developments
The Netherlands is currently negotiating three law proposals that could impact the digital advertising industry. The first one is about data breach and called Meldplicht Datalekken. The second one is about cookies, called “Wijziging van artikel 11.5a van de Telecommunicatiewet” and the third one is the European Data Protection Regulation. The first two proposals are national law and the last one is European law. The first one, Meldplicht Datalekken, is about data breach. The proposal contains a mechanism for reporting violations discovered on security measures for personal information.  It contains the level of hailing for data breaches and indicates when data breaches need to be reported. The second, “Wijziging artikel 11.5a van de Telecommunicatiewet” is about cookies. “Wijziging artikel 11.5a van de Telecommunicatiewet” is about the consent requirement. Most times consent is needed when cookies are used. This proposed change ensures that for certain cookies, like analytic cookies, explicit permission is not necessary anymore. The third, European Data Protection Regulation, is about e-privacy on EU level. So the Dutch law has to be compliant with the changes they set out in this law. It addresses a broad range of issues, including the right to have information deleted, the need for explicit consent to use data and companies using analysis of this data for predicting behavior. All those negotiations could play a role in securing the Internet ecosystem and company’s abilities to transfer data cross borders, a fundamental requirement of a global digital supply chain.

Contact Information
For more information, please contact IAB Netherlands at [email protected]


New Zealand

Regulatory Structure
In New Zealand digital advertising standards are self-regulated based on codes published by the Advertising Standards Authority (ASA) www.asa.co.nz. The Advertising Codes of Practice provide the rules by which all advertisements in all media should comply. At the legislative level several laws address the requirement for advertisers to comply with privacy matters including the collection of, use of, disclosure of, storage and access granted to ‘personal information’. Advertisers should also consider the Consumer Guarantees Act which provides for the interests of consumers to be protected and promotes an environment for businesses to compete effectively and the Fair Trading Act which protects consumers by prohibiting misleading or deceptive conduct in trade.

The most prominent requirement for advertisers and marketers to be aware of is The Fair Trading Act – Part 1 Unfair conduct Section 9- Misleading and deceptive conduct generally:  No person shall, in trade, engage in conduct that is misleading or deceptive or is likely to mislead or deceive.

Recent Developments
New Zealand has played a central role in development of the Trans-Pacific Partnership program being one of the original P4 (Pacific 4) Countries. The Trans-Pacific Partnership (TPP) is a proposed agreement between 12 countries in the Asia Pacific Region. Whilst still in negotiations the agreement could play a significant role in how e-commerce, Intellectual Property, legal issues and communications among other topics could affect the Internet ecosystem.

Contact Information
For more information please contact Chris Ogles at [email protected]



Regulatory Structure
In Norway digital advertising is regulated by law and followed up by different government agencies. IAB Norway has several industry standards that are generally stricter than the national laws.

The law of marketing (markedsføringsloven) is governed by the government consumer agency and a consumer council.

The law of privacy policy (personopplysningsloven) is governed by the data security council. The electronic communication law (ekomloven), which includes legislation related to cookies, is governed by the post and telecommunication council.

Recent Developments
Norway is not a member of the European Union and t is not legally required to adopt EU legislation. However, because of the importance of the relationship between the EU and Norway, legal developments in the EU often guide the development of laws in Norway, though Norwegian laws on different issues relating to digital advertising tend to be more liberal and open than the EU. The Norwegian marketing law is up for revision in 2015.

Contact Information
For more information please contact [email protected]



Regulatory Structure
In Peru, digital advertising is regulated by Legislative Decree No. 1044 “Suppression of Unfair Competition Act” in its General Clause (Article 6) states that “unfair acts of competition are prohibited and will be sanctioned, whatever form they take and whatever the means used capable to performing them, including advertising activity, regardless of the sector of economic activity in which it is deployed” Furthermore, in Act No. 28493 Digital Advertising has a specific regulation regarding to the use of unsolicited advertising or promotional communication by email (SPAM).

Additionally, there are acts that regulate the content of advertising in certain specific assumptions as Act No. 28681 that regulates marketing, consumption and advertising of alcoholic beverages; Act No. 28705 that regulates advertising for prevention and control of risks of Tobacco consumption; Supreme Decree No. 009-2006-SA that regulates advertising of industrial nourishment for infant; Act No. 29459 that regulates advertising of pharmaceuticals and natural health resources sold by prescription. Finally, there is in Peru a National Council of Self-Regulation (CONAR) which is a system of self-regulation advertising where participating companies are regulated by the Peruvian Advertising Code of Ethics (PPRC), without prejudice to the application of the provisions in force on commercial advertising and consumer protection.

Recent Policy Issues
On May 2013 Act No. 30021 was enacted to promote healthy eating in children and adolescents, it is colloquially called “Junk Food Act”. Its objectives, among others, are to promote and protect the right to public health as well as regulate and supervise advertising content in order to reduce and eliminate diseases linked to overweight, obesity, and generally known as chronic non-communicable diseases. In this regard, opinions have been expressed against this Act because it is questionable whether is reasonable and necessary to achieve the objective pursued or if there are alternative mechanisms that present lower costs and more benefits to the population.

Furthermore, Peru is currently negotiating four free-trade agreements: The Trans-Pacific Partnership (TPP) between Peru and 11 countries in the Asia Pacific Region; the Agreement between Peru and Honduras; the Agreement between Peru and El Salvador and the Agreement between Peru and Turkey, those Agreements contain provisions on unfair competition and transfer of goods cross borders that could impact the digital advertising industry.

Contact information
For more information please contact to [email protected]



Regulatory Structure
In Russia, the Federal law “On advertising” (Federal law No. 38-FZ of March 13, 2006) covers all areas of the advertising market and establishes business rules for its participants. Other laws and regulations are considered by the courts only in addition to this Federal law. Digital advertising is regulated by the same laws as other forms of advertising.

When the provisioning of advertising services involves processes relating to media, Internet and information technology, additional laws should be considered, such as: “On mass media”, “On protection of consumers ‘ rights”, “On personal data”, “On communication”, “On information, information technologies and information protection.”

State supervision over observance of legislation of the Russian Federation on advertising is managed by the Federal Antimonopoly Service (FAS) and its regional offices. Where violations of the advertising law occur, the FAS interacts with other federal agencies of executive authority, executive authority of subjects of the Russian Federation, local governments, public associations and other organizations.

Cases are heard in accordance with the provisions of the Administrative regulation of the Federal Antimonopoly service of the Russian Federation.


South Africa

Regulatory Structure
In South Africa, a number of laws implemented since 2000 aimed at protecting consumer rights and privacy (including the Electronic Communications and Transactions Act 2002, the National Credit Act of 2005, the Consumer Protection Act of 2008 and the Protection of Personal Information Act of 2013) have seen South Africa bring itself in line with similar regimes and developments in North America and Europe. Whilst these laws are not themselves directed specifically at digital advertising, agencies and brands need to be aware of their provisions – and the principles underlying them – as they apply across all forms of advertising and marketing communications.

International businesses familiar with US and European consumer rights and privacy laws will, for the most part, find the South African regime to be very similar in many respects. Companies and industry bodies who have signed up to the Advertising Standards of Association of South Africa’s Advertising Code will be subject to the jurisdiction of the ASA and will be required to comply with the Code, many of the principles of which apply to all forms of marketing communications.

On the media owner side there are two bodies – the Press Council and the Broadcasting Complaints Commission – that adjudicate complaints in print and broadcast respectively. Neither has direct jurisdiction over digital at this stage and as such digital publishing without an official regulator at this stage.

Recent Developments
The Department of Health has been aggressive in recent years in its attempts to regulate the advertising of alcohol and unhealthy food and beverages. Draft regulations relating to the advertising and labelling of foods have been tabled, with the closing date for submissions being 29 August 2014. If the regulations are passed into law in their current form, the advertising of unhealthy food to children, in any form or manner whatsoever, will be banned with immediate effect.

The recent Film and Publication Regulations of 2014 require distributors of films and games to register with the Film and Publication Board and pay a fee. Furthermore, films, games and publications meeting certain criteria must be submitted for classification by the Board. Although the potential implications and consequences of this remain to be seen, there is concern about the adverse effects that this could have for, e.g., video-on-demand services and distributors of user-generated content.

Contact Information
For more information, please contact Andrew Allison, Head of Regulation at [email protected]



Digital advertising in Spain is regulated by a combination of standards ranging from more general to the more specific:

  • General Advertising Law (34/1988): It applies to all kinds of advertising, regardless of the channel used, and tries to avoid that advertising violates the dignity of the person, the values and rights recognized in the Spanish Constitution, exploit the inexperience or credulity of children to encourage them to purchase a good or service or present in dangerous situations, and presents the different types of relationships and contracts in the field: advertising creation, dissemination, advertising contract …
  • Unfair Competition Law(3/1991): This Law was adopted to avoid dishonest or abusive behavior by companies, to the extent that alter the functioning of the market, adversely affect consumers or harm the interests of other economic operators. Among the different rules include, limitations on the contents and formats of advertising campaigns, trying to avoid deceit, parasitic behaviors …
  • Different regulations are published for the protection of consumers and users, which basically sets the contractual value of advertising to consumers and the trader’s obligation to respect their own offerings.
  • The Law of Services of the Information Society (34/2002), especially relevant with respect to the precise to campaign from a website and by email obligations, and regarding electronic communications and cookies.
  • There are other rules as the Copyright Act, that, since January 2015 affects both aspects of business such as content aggregation and the use of music and images of third party campaigns, or other rules governing the specific image personnel participating in the same or related retailing.
  • Special mention the Advertising Code of Conduct of the Spanish Self regulation Body, Autocontrol, and several of self-regulatory codes on particular areas also set specific rules for advertising

Regarding recent policy developments, European Directive 2009/136/EC was transposed in Spain into the the Law of Services of the Information Society, changing the rules for the installation of cookies on the user terminals, being necessary to obtain previous informed consent. In Spain, we were negotiating, together with the association of e-commerce and self-regulatory body with the Spanish Data Protection Agency to give a compliance guidelines regarding cookies, and that has materialized in the Guide about the use of cookies (only available in Spanish). The Spanish DPA publishes regularly here the news and interpretations on cookies.

In addition, we are developing a Code of self regulation on digital media covering aspects such as branded content, viewability, privacy or minors between other issues. To get involved, or if you have a question for the IAB Spain legal team contact us at paulaatiabspain.net or call +34 91.402.76.99



Regulatory Structure
In Turkey there is no specific legislation regulating digital advertising. As a result, many different sources impacting the local regulatory structure in Turkey should be taken into account. Consumer Protection Law no. 6502, which entered into force on May 28th, 2014 and replaced the Law no 4077 on Consumer Protection, contains general provisions with regard to all kinds of commercial advertisements. Restrictions and principles concerning commercial advertisements will be specified in the regulation to be published pursuant to the Consumer Protection Law. Consumer Protection Law further sets forth new rules with respect to the Advertisement Board, competent authority regarding the advertisements established under the Ministry of Customs and Trade, and provides changes in the structure of the Board. According to the recently published Advertisement Board Regulation, the Board consists of 19 members from various fields of profession and is authorized to impose sanctions. Unfair commercial practices are also regulated in the Consumer Protection Law. Detailed provisions concerning unfair commercial practices will be provided in the regulation to be published pursuant to the Consumer Protection Law. Such Regulation is expected to be in parallel with the European Union Directive 2005/29/EC concerning Unfair Commercial Practices. In addition to the advertising regulations within the scope of the Consumer Law, industrial regulations such as banking, law practice, pharmaceutical sectors, set forth rules concerning the advertisements specific to the related sectors.

Additionally the ad materials are treated as artwork on a legal basis and protected by Copyright Protection Law no. 5846.

In terms of self-regulation, Advertising Self-Regulatory Board has been requesting the correction of advertisements by implementing the Advertisement Implementation Principles of the International Chamber of Commerce. While the decisions of the Advertising Self-Regulatory Board are not subject to any sanctions, it bears the consciousness that advertisement should be legal, ethical and correct in advertising sector.

Recent Developments
Draft Law on the Regulation of Electronic Commerce, which was drafted in parallel with the European Union Directive 2000/31/EC on electronic commerce, regulates the commercial electronic communications. The Draft Law adopts the “opt-in” system with regard to commercial communications, and states that communications may only be carried out in the event that the prior consent of the recipient has been obtained (in writing or via means of electronic communication), provided that the content of the communication is in line with said consent. The Draft Law is now in the agenda of the General Assembly and expected to be negotiated and enacted in the near future.

Another Draft Law that may have impacts on digital advertising is the Draft Law on the Protection of Personal Data, which is expected to come into effect sometime this year. This Draft Law provides the general principles in relation to data protection and sets forth the obligations and responsibilities of the processors and controllers of data. Besides, Turkish Constitutional Court has recently held a decision and revoked the articles of the Electronic Communications Law no. 5809 which grants an authority to the Information and Communications Technologies Authority to publish secondary legislation concerning processing of personal data and protection of privacy. Accordingly, said issues concerning the personal data in electronic communications sector is expected to be regulated as a separate code within the 6 month period following the publication of the said decision in Official Gazette on July 26th, 2014.

In addition to the legislations above, the law regarding the publications held in online environment and the related crimes (No: 5651) has been recently extended as follows:

  • Web access blocking will be implemented as URL based system rather than blocking the whole domain.
  • In case of detection of personality rights infringement, the owner of website containing such content is warned. Previously this warning was held via court order; after the recent modification, the way of issuing such warning is extended as any means of communications. Additionally, if the content owner doesn’t respond to the warning, a legal action will be taken on the website.
  • Every individuals and corporates may apply for access blocking due to infringement of personality rights.
  • The responsibilities of content owners and Internet service providers (ISP) have been extended as below:
    • Storing traffic data (Including IP data) of at least last 1 year and at most 2 years.
    • Providing information to The Presidency of Telecommunication & Communication (PTC) upon request
  • The majority of the web access blocking will be performed by a committee founded by ISP’s operating in Turkey except the cases that are done directly by the PTC without denunciation.
  • The PTC President will hold the decision of web access blocking on a URL directly under the purpose of protection of private life.

Such changes are not directly applicable to digital ad industry, however in some cases firms are regarded as content owners and ISP’s and the ad spaces on such firms can be affected from the implementation of the law. The cases that a URL has been subject to the web access blockage, the ad spaces (therefore the advertisers and the content owners) will be affected. Again on a reverse viewpoint, if the content of an ad creative is subject to web access blocking due to the violation of competition law, every URL that the creative is shown will be subject to access block.

United Kingdom

Regulatory Structure
In the United Kingdom digital advertising is regulated by a combination of legislative rules and self-regulatory codes. Over 100 pieces of legislation relate to advertising in the UK and as in other European Member States a number of these laws are European-law, most prominently the Data Protection Act of 1998, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 and the Consumer Protection from Unfair Trading Regulations (2008).

Advertising industry self-regulation comes in the form of the UK Code of Non-Broadcast Advertising, Sales Promotion and Direct Marketing, more commonly referred to as the CAP Code. This code states that all ads must be legal, decent, honest and truthful. The CAP code is enforced by the regulator, the Advertising Standards Authority (ASA) which works predominantly works on the basis of consumer complaints. Where the ASA upholds a complaint and the advert or marketing communication is not taken down voluntarily, the ASA may impose sanctions to enforce compliance. The number and seriousness of sanctions that the ASA can apply vary depending on the type of infringement. In severe instances, CAP may refer the advertising to Trading Standards to legally force an advert or marketing communication to be withdrawn. Since March 2011 the ASA’s remit has extended to include non-paid for space (e.g. communications under a marketers control on social media, or a marketers own website).

From February 2013 the ASA has also acted as the UK’s regulatory backstop to the self-regulatory framework for Online Behavioural Advertising. All national Self-Regulatory Organisations (SROs) across most European countries are implementing similar rules to ensure the ‘tried and tested’ consumer complaints process for advertising content can apply to behavioural advertising. Learn more about the self-regulatory framework in our Q&A here: http://www.iabuk.net/iab-uk-s-guide-to-the-eu-self-regulatory-initiative-for-behavioural-advertising

Recent Developments
As consumer habits change, the media landscape alters and the UK digital advertising market continues to see growth unlike any other media. With these changes, there has been a rise in interest from UK policy makers, academics and other interest groups. Much of this interest stems from a focus on responsible advertising, but increasingly the UK market is facing on what advertising itself funds and what ‘irresponsible’ ad placement means for brand safety. These debates include, but are not limited to:

For further information about policy issues, regulations and industry self-regulatory initiatives across digital advertising disciplines, visit our policy guide: http://www.iabuk.net/policy/digital-policy-guide

Contact Information
The IAB UK policy team regularly undertakes research to understand how consumers are impacted across these policy issues and we develop market guidance to help all parties to act responsibly. Check back on our site to learn more: http://www.iabuk.net/policy/ To get involved, or if you have a question for the IAB UK policy team contact us at [email protected] or call +44 (0)20 7050 6964.


United States

Regulatory Structure
In the United States, digital advertising is regulated in 3 distinct ways: At the federal level, The Federal Trade Commission (FTC) regulates the content of digital advertising and disclosures made in privacy policies. At the state level, a wide variety of laws address the requirement of a privacy policy, the content of privacy policies, mandatory data security safeguards, and notice requirements in the event of data breaches. Furthermore, self-regulation, such as the Digital Advertising Alliance (DAA) Principles, supplements federal and state regulation and requires additional commitments from participating companies. Rulemaking authority belongs to the

The most prominent requirement to be aware of as an advertiser or marketer is Section 5 of the FTC Act, which states “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.

For more information about the U.S. regulatory landscape, visit https://www.iab.com/public_policy/digitalad101.

Recent Developments
The U.S. is currently negotiating two free-trade agreements that could impact the digital advertising industry. The Trans-Pacific Partnership (TPP) is a proposed agreement between the U.S. and 11 countries in the Asia Pacific Region and the Trans-Atlantic Trade and Investment Partnership (TTIP) is a proposed agreement between the US and EU. Both negotiations could play a role in securing the Internet ecosystem and companies’ abilities to transfer data cross borders, a fundamental requirement of a global digital supply chain.

For more information about these agreements and other policy initiatives, visit https://www.iab.com/public_policy/legislative_regulatory_update.

Contact Information
For more information please contact Alex Propes at [email protected].

Global Legal Summaries 4


Regulatory structure

In Uruguay, digital advertising is regulated by a combination of norms that range from general to specific. Regulation is set through laws (jurisdiction of the Parliament), decrees that apply those laws (jurisdiction of the Executive branch) and self-regulation by private entities (Code of Advertising Practices by CONARP). Among those mentioned, the following are important to mention:

– Consumer Protection Law (17.250): Precisely regulates the right to true, clear and sufficient information for consumers and prohibits misleading advertising, establishing several legal consequences on this matter.

– Promotion and Protection of Competition Law (18.159): Promotes the well-being of current and future consumers and users, through the promotion and protection of competition, stimulation of economic efficiency and freedom and equality in market access conditions for businesses and products.

– Copyright Law (9.739 and 17.616 / 17.805): This law protects the right of authors of every literary, scientific or artistic creation, and recognizes their ownership on every production of their thought, science, or art applying to artists and performers, producers of phonograms or broadcasting organizations.

– Laws, decrees and conventions regarding intellectual or industrial property, brands and patents: These establish the legal framework that protects the right of creators and regulates its creation and broadcast (Art. 33 of the Constitution, Art. 491 of the Civil Code, Law 17.011, 1883 Paris Convention on the Protection of Industrial Property, 1889 Montevideo Treaty on Copyright, Intellectual Property related to Commerce Agreement and Brands and Geographical Indications Agreement, Patents and Industrial Design Law (17.164), 1889 Montevideo Treaty on Patent Invention and 1886 Berne Convention for the Protection of Literary and Artistic Works, and the Rome Convention for the Protection of Performers, Producers of Phonograms and Broadcasting Organizations.

– Personal Data Protection Law (18.331): Law that applies to natural and legal persons data. Art. 22 applies to data for advertising purposes.

– Tobacco Control Law (18.256 and 19.244): Advertising, promotion, sponsorship and point-of- sale exhibition of tobacco products are prohibited.

– Electronic Document and Digital Signature Law (18.600): Guarantees the authenticity of electronic documents and electronic signatures, by recognizing digital signatures as having the same value and legal effect as those of written signatures.

– Norms regarding electronic commerce: August 8th, 2005 Decree No246/005, incorporating MERCOSUR’s Resolution 21/04 which regulates the consumer’s right to information on commercial transactions performed on the Internet. April 11th, 2005 Decree No134/005 which establishes rules for animal commercialization through online auction or through a screen. December 20th, 2001 Decree No506/001 which establishes rules on international postal parcels delivered via electronic commerce operations.

– CONARP (National Council on Self-Regulatory Advertising): Non-profit, non-governmental organization, constituted by AUDAP (Uruguayan Advertising Agencies Association) and CAU (Uruguayan Advertisers Bureau), and is also a member of CONARED (Latin American Network of Advertising Self-Regulatory Organizations). CONARP has a very active role in Uruguay, although their decisions are not mandatory. Their objective is to ensure free and responsible commercial communications, promoting the practice of self-regulated advertising.

Recent Developments

The Executive will send draft legislation to the Parliament to pass a bill aiming to prohibit alcoholic beverage brands from sponsoring sport events and the participation of anyone under 25 years old in their advertising. In the past few years, the government has been aggressive in their mission to regulate alcohol advertising and unhealthy food and beverage advertising.

Media Law (19.307): Law that aims to regulate the audiovisual market, space assignment for community television, payment for frequency usage and anti-monopoly measures.

Draft Bill on Spam and Electronic Mail: Aims to regulate mailing of messages unsolicited by the recipients.


 back to top