In a prior post we noted the Digital Advertising Alliance’s (DAA) intention, late last year, to begin enforcement of the Application of Self-Regulatory Principles to the Mobile Environment (Mobile App Guidelines), which apply to all participants in the mobile advertising ecosystem. The DAA recently followed through on this promise by issuing its inaugural enforcement decision under the Mobile App Guidelines through the Online Interest Based Accountability Program (Accountability Program). Previously, the Accountability Program had only issued enforcement decisions related to serving interest-based advertisement on websites.

To initiate its Mobile App Guidelines enforcement efforts, the Accountability Program conducted an audit of popular applications on the Android and iOS operating systems. The Accountability Program identified Spinrilla – a mobile app that streams hip-hop music – as a company that did not have the enhanced notice links that are required when third parties collect cross-app and precise location data for use in interest-based advertising (IBA). In the decision, the Accountability Program examined Spinrilla’s mobile application data collection practices for cross app and precise location data, as well as the data collection practices for an affiliated website. The decision also discussed Spinrilla’s responsibility to provide notice (enhanced) and obtain consent as both a first-party mobile app publisher and a first-party website operator. The principles emphasized by the Accountability Program in Spinrilla can be distilled as follows:

Enhanced Notice Required for Mobile Cross-App Data Collection by Third Parties for IBA

The Accountability Program determined that the links to Spinrilla’s generic privacy policies in the mobile applications stores that did not contain an IBA disclosure, and that did not mention the Spinrilla App or website, were not compliant with the Mobile App Guidelines regarding the collection of cross-app data by third parties taking place on the Spinrilla app and site. Instead, Spinrilla was obligated to provide enhanced notice – a clear, meaningful and prominent link to a disclosure that:

  1. describes the collection of cross app or location data by a third party;
  2. points to a choice mechanism (e.g., the industry-wide AppChoices program) or list of all third parties with links to their opt outs; and
  3. contains a statement of adherence to the Digital Advertising Alliance (DAA) Online Behavioral Advertising (OBA) Principles (collectively DAA Principles).

The decision describes the process by which enhanced notice should have been provided. Spinrilla should have provided enhanced notice either prior to download, during download or upon first opening of the app, or at the time the cross app data is first collected and in the application settings or privacy policy. Ultimately, Spinrilla complied with this guidance by updating the privacy policy links in the Apple App and Google Play stores to direct users to a page that contains an IBA disclosure on the top that indicates adherence to the DAA Principles and provides users with a list of choice mechanisms. Spinrilla also added a privacy policy link to its app settings.

Notice and Prior Consent Required for Collection of Location Data by Third Party

The Mobile App Guidelines also impose obligations on a mobile app publisher that authorizes a third party to collect user location data, to provide notice and enhanced notice of the collection of data precise enough to locate a specific device or individual. In general, Spinrilla was required to provide clear, meaningful and prominent notice placed on the company’s website or accessible through the App, that clearly describes:

  1. the fact that precise location data is transferred to or collected by any third party;
  2. instructions for accessing and using a consumer-friendly tool for providing or withdrawing consent; and
  3. the fact that Spinrilla adheres to the DAA Principles.

The Accountability Program also noted that Spinrilla must provide enhanced notice that contains a link to the general disclosure described above. This notice and link must be provided during the process of downloading an application, at the time the application is opened or at the time the data is first collected and in the applications settings or privacy policy. Companies may use any method of enhanced notice, as long as it is clear, meaningful and prominent.

The Mobile App Guidelines further required Spinrilla to obtain prior consent to allow third parties to collect precise location data for IBA purposes. Spinrilla should have provided easy-to-use tools for providing and withdrawing consent to collection of location data at any time. The Accountability Program noted that this principle can be satisfied by allowing consumers to provide or withdraw consent as part of the download and/or app install process. The decision indicates that Spinrilla agreed to cease collecting location data rather than implement the required notification and consent measures relating to location data collection.

Websites Affiliated with Mobile Apps Must Also Comply with OBA Principles

The Accountability Program also looked at Spinrilla’s obligations related to its website where it also authorizes third parties to collect and use data for IBA. The Accountability Program noted that the DAA Principles require Spinrilla to include enhanced notice on each page where data is collected or used for IBA. The decision reports that Spinrilla agreed to comply by adding an “Ad Choice” link to its website footer that complied with these requirements. Although not mentioned, this distinction illustrates the application of different rules, particularly regarding how to give notice, related to data collection between Spinrilla’s online and mobile app services. Further, it should be noted that the DAA opt-out mechanisms for mobile and for web are technically distinct, and companies should make efforts to inform users of the need to opt out of the web-based service and, separately, out of the mobile app service, to avoid confusion.

Website and App Publishers Should Ensure DAA Participation and Compliance

Many mobile apps and websites now have some sort of IBA or other data practices that trigger the DAA Principles. Even those that do not serve ads on the app or site may well be engaging in the “retargeting” of the user with an ad from the app or site operator when the user leaves and goes to a third-party site where ads are served. Publishers are often unaware of what data collection and other practices their vendors and other third parties are engaging in on their site and app. Leading analytic companies and advertising services companies are DAA participants and frequently contractually require compliance with the DAA Principles, or have their own similar notice and opt-out requirements. To comply with the DAA Principles, companies have to make a statement of adoption in their privacy notices. Thus, noncompliance could be the basis for a finding of a false and deceptive statement in violation of Section 5 of the FTC Act, especially if the adoption statement and corresponding opt-out notice are not narrowly and carefully worded. As a result, publishers should shore up their notices and consent mechanisms to be consistent with this and other guidance from the Accountability Program regarding the DAA Principles, including the new Mobile App Guidelines. Companies that are found to be non-compliant by the Accountability Program should move quickly to cooperate and address those areas, as they could otherwise invite regulatory scrutiny. The Accountability Program staff is available to provide guidance to companies as to how to participate and comply.