Industry Groups Release Privacy Standards for Mobile App Ads

On July 24, 2013, the Digital Advertising Alliance (DAA) issued new guidance, Application of Self-Regulatory Principles to the Mobile Environment, for advertisers, agencies, media, and technology companies on how to provide consumers with control over the use of cross-app (i.e., behavioral advertising), personal directory, and precise location data in mobile apps.  The new guidance applies the DAA’s 2010 Self-Regulatory Principles for Online Behavioral Advertising and 2012 Principles for Multi-Site Data to Mobile Environments.  On the same day, the Network Advertising Initiative (NAI), a member of the DAA with its own self-regulatory rules and enforcement program, released a self-regulatory Mobile Application Code for NAI members that governs behaviorally targeted ads on mobile devices.  The key principles adopted by each organization are described below.

There have been significant developments in the mobile privacy landscape over the last several years (see our article on the White House privacy report and app actions, available here), all of which will have a significant impact on companies' advertising and marketing practices.  Agency enforcement and private litigation relating to consumer privacy are on the rise (see our article on emerging trends in privacy and data security litigation, available here), and we expect that trend to continue as the landscape continues to evolve.

DAA Principles

The DAA guidance applies to Third Parties (entities that collect Cross-App Data or Precise Location Data from or through a non-affiliate’s app or collect Personal Directory Data from a device) and First Parties (the entity that owns or controls an app and its affiliates).  It addresses the use and collection of Cross-App Data (data collected from a particular device regarding app use over time and across non-affiliate apps), Precise Location Data (data obtained from a device about the physical location of the device that is sufficiently precise to locate a specific individual or device), and Personal Directory Data (calendar, address book, phone/text log, or photo/video data that is stored on or accessed through a particular device).  The DAA will work with stakeholders to develop a choice mechanism for Cross-App Data, after which time the DAA will enforce the new self-regulatory principles through established accountability mechanisms. 

Cross-App Data

Third Parties:  Except for purposes of operations and system management, market research and product development, or where data has been de-identified, Third Parties should provide notice of collection and use practices (on websites or accessible from any app), and a mechanism for exercising choice.  In addition, except for the purposes described above or where they obtain consent, Third Parties should give enhanced notice of collection and uses practices through a clear and prominent link in the app (i) in or around an ad delivered using Cross-App Data, (ii) before the app is installed as part of the downloading process, or (iii) in the app’s settings or privacy policy.

First Parties:  First Parties that authorize Third Parties to collect and use Cross-App Data should provide a link to a disclosure that either points to a choice mechanism or lists such Third Parties. Such a link is not required (i) for operations and system management, market research and product development, or where data has been de-identified, or (ii) where Third Parties provide the enhanced notice described above or obtain consent. 

No entities should collect and use Cross-App Data through their provision of a service or technology that collects such data from all apps without consent, except for operations and system management, market research and product development, or where data has been de-identified.  All entities should provide consumers an easy means to withdraw consent.

Precise Location Data

First Parties:   Except for purposes of operations and system management, market research and product development, or where data has been de-identified, First Parties should provide notice (on their websites or accessible from their apps) of transfers of data to Third Parties or the collection and use of data by Third Parties through a First Party’s app.  In addition, except for the purposes described above, First Parties should provide enhanced notice of Third Parties’ collection and use of data from or through a First Party’s app or a First Party’s transfer of such data to Third Parties.  First Parties should also obtain consent (and a means for withdrawing consent) to transfer data to Third Parties or for Third Parties to collect and use data from or through the First Party’s app or to transfer such data to non-affiliates.

Third Parties:  Except for purposes of operations and system management, market research and product development, or where data has been de-identified, Third Parties should provide notice (on websites or accessible from apps) of data collection and use practices, as well as tool for providing or withdrawing consent.  In addition, except for the purposes described above, Third Parties should obtain consent, or obtain assurances of consent from First Party app provider, before collecting and using data or transferring such data to non-affiliates. 

Personal Directory Data

First Parties should not authorize Third Parties to access, and Third Parties should not themselves access, a device without authorization, and obtain and use data for any purposes except operations and system management, market research and product development, or where data has been de-identified.

NAI Principles

The NAI Mobile Application Code prescribes guidelines for NAI members relating to Cross-App Advertising, or the delivery of advertising based on Cross-App Data (data collected through apps owned or operated by different parties on a particular device for the purpose of delivering advertising based on the preferences or interests inferred from the data), as well as Ad Delivery and Reporting (the collection of information about a device for the purpose of delivering ads of providing advertising-related services).   The Code  addresses transparency and notice, choice, use limitations, transfer restrictions, and data access, quality, security, and retention principles for Cross-App Data. 

Key principles are as follows:

• Companies should provide website notices that describe their collection and use practices and provide an opt-out mechanism, and should require the apps, where they collect data for Cross-App Advertising, to post a notice or link to a notice in any store or on any website that describes their practices.
• Companies should provide notice of data collection and use practices, as well as the choices available to consumers, in or around the ads that are informed by such data.
• The level of choice that must be provided depends on the sensitivity and intended use of the data.  The use of non-personally identifiable information (PII), such as unique identifiers or IP addresses, and the use of PII to be merged with non-PII on a going-forward basis for Cross-App Advertising, require an opt-out mechanism.  Merging with previously collected non-PII, Sensitive Data (Social Security numbers, financial account numbers, and the like), and Precise Location Data for Cross-App Advertising requires opt-in consent.
• Companies should not intentionally access a device without the user’s consent and obtain Personal Directory Data for Cross-App Advertising.
• Companies should not create Cross-App Advertising segments targeting children under 13 without obtaining verifiable parental consent.
• Companies should contractually require unaffiliated parties to which they provide PII for Cross-App Advertising or Ad Delivery and Reporting to adhere to the Code, and contractually require that all parties to whom they provide non-PII collected across apps owned or operated by different entities not merge such non-PII with PII held by the receiving party or re-identify the individual without the individual’s opt-in consent. 

*   *   *

The DAA and NAI principles are generally consistent with each other, and reflect the industry’s continuing efforts to ensure the privacy of consumer data in the mobile space.  These new standards illustrate the important role of self-regulation in addressing technological changes affecting advertising and privacy.  In assessing their advertising and marketing practices, including those that touch on data collection, businesses should consider not just applicable laws, but industry guidelines as well. 

For more information on privacy and digital media issues, please contact Keller and Heckman LLP Partners Sheila Millar (+1 202.434.4143, millar@khlaw.com) or Tracy Marshall (+1 202.434.4234, marshall@khlaw.com).