ISSUE-25: New text for Aggregated data: collection and use for audience measurement research

Here is the text revised in the light of last week's discussion (new text in
red). It includes a definition of pseudonymisation and references to various
texts to save some back and forth.

Kathy Joe
ESOMAR

Normative:
Information may be collected, retained and used by a third party for
audience measurement research where the information is used to calibrate or
otherwise support data collected from opted-in panels, which in part
contains information collected across sites and over time from user agents.
A third party eligible for an audience measurement research permitted use
MUST adhere to the following restrictions. The data collected by the third
party:
€     Must be pseudonymised before statistical analysis begins, and
€     Must not be shared with any other party unless the data are
de-identified prior to sharing, and
€     Must be deleted or de-identified as early as possible after the
purpose of collection is met and in no case shall such retention, prior to
de-identification, exceed 53 weeks and
€     Must not be used for any other independent purpose.
€     In addition, the third party must be subject to an independent
certification process under the oversight of a generally-accepted market
research industry organization that maintains a web platform providing user
information about audience measurement research. This web platform lists the
parties eligible to collect information under DNT standards and the audience
measurement research permitted use and it provides users with an opportunity
to exclude their data contribution.
Non-normative: collection and use for audience measurement research
Audience measurement research creates statistical measures of the reach in
relation to the total online population, and frequency of exposure of the
content to the online audience, including paid components of web pages.
Audience measurement research for DNT purposes originates with opt-in panel
output that is calibrated by counting actual hits on tagged content on
websites. The panel output is re-adjusted using data collected from a
broader online audience in order to ensure data produced from the panel
accurately represents the whole online audience.
This online data is collected on a first party and third party basis. This
collection tracks the content accessed by a device rather than involving the
collection of a user¹s browser history. The ultimate production of audience
measurement statistics requires measurement of devices, not individuals.
The collected data is retained for a given period for purposes of sample
quality control, and auditing.  During this retention period contractual
measures must be in place to limit access to, and protect the data, as well
as restrict the data from other uses. This retention period is set by
auditing bodies, after which the data must be de-identified.
The purposes of audience measurement research must be limited to:
·    Facilitating online media valuation, planning and buying via accurate
and reliable audience measurement.
·    Optimizing content and placement on an individual site.
The term ³audience measurement research² does not include sales,
promotional, or marketing activities directed at a specific computer or
device.  Audience measurement data must be reported as aggregated
information such that no recipient is able to build commercial profiles
about particular individuals or devices.
Proposed definition: Pseudonymisation is the process of disguising
identities by attaching a coded reference to a record to allow the data to
be associated with a particular device or individual without identifying
them. In audience measurement, the data collected is tied to devices, not
individuals.
References
DAA text on market research: Market research means the analysis of:  market
segmentation or trends; consumer preferences and behaviours, research about
consumers, products or services; or the effectiveness of marketing or
advertising.  A key characteristic of market research is that the data is
not re-identified to market directly back to, or otherwise re-contact a
specific computer or device. Thus, the term ³market research² does not
include sales, promotional, or marketing activities directed at a specific
computer or device.

Art29WP definition of pseudonymisation is the process of disguising
identities. The aim of such a process is to be able to collect additional
data relating to the same individual without having to know his identity.
This is particularly relevant in the context of research and statistics.
Aggregation: Data is displayed as totals, so no data relating to or
identifying any individual is shown.
ICO Definition of pseudonymisation: De-identified data so that a coded
reference or pseudonym is attached to a record to allow the data to be
associated with a particular individual without the individual being
identified.
German Telemedia Act (to which Albrecht amendments to the General Data
Protection Regulation refer).
Section 14 Inventory data
(1) The service provider may collect and use the personal data of a
recipient of a service only if it is needed for the establishment, content
or amendment of a contractual relationship between the service provider and
the recipient on the use of telemedia (inventory data).
(2) By order of the competent agencies, the service provider may in
individual cases provide information about inventory data to the extent that
this is needed for purposes of prosecution of crime, for the prevention of
danger by the police authorities of the Länder, for the fulfilment of the
statutory duties of the agencies of the Federation and the Länder
responsible for protection of the constitution, the Federal Intelligence
Service or the Military Counterintelligence, or for the enforcement of
intellectual property rights.
Section 
15 Data on usage
(1) The service provider may collect and use the personal data of a
recipient of a service only to the extent necessary to enable and invoice
the use of telemedia (data on usage). Data on usage are in particular
1. characteristics to identify the recipient of the service,
2. details of the beginning and end of the scope of the respective usage,
and
3. details of the telemedia used by the recipient of the service.
(2) The service provide may collate a recipient¹s usage data regarding the
use of different telemedia to the extent necessary for invoicing the
recipient of the service.
(3) For the purposes of advertising, market research or in order to design
the telemedia in a needs-based manner, the service provider may produce
profiles of usage based on pseudonyms to the extent that the recipient of
the service does not object to this. The service provider must refer the
recipient of the service to his right of refusal pursuant to Sub-section 13
No. 1. These profiles of usage must not be collated with data on the bearer
of the pseudonym.
(4) The service provider may use data on usage beyond the end of the session
to the extent necessary for invoicing the recipient of the service
(invoicing data). The service provider may disable the data in order to
fulfil existing statutory, by-law-based or contractual retention periods.
(5) The service provider may transmit invoicing data to other service
providers or third parties to the extent necessary to ascertain the fee and
to invoice the recipient of the service. If the service provider has
concluded a contract with a third party on the collection of the fee, he may
transmit invoicing data to a third party to the extent necessary for this
purpose. Data on usage may be transferred in anonymous form for the purpose
of market research by other service providers. Section 14 (2) applies
mutatis mutandis.
 
Kathy Joe,
Director, International Standards and Public Affairs

Eurocenter 2, 11th floor
Barbara Strozzilaan 384
1083 HN Amsterdam
The Netherlands
Tel: +31 20 664 2141
Fax: +31 20 589 7885
www.esomar.org <http://www.esomar.org/>

ESOMAR is the essential organisation for encouraging, advancing and
elevating market research worldwide.




> 

Received on Tuesday, 26 March 2013 17:29:53 UTC