Date: Jul 26, 2013
On July 24, 2013, the Digital Advertising Alliance (DAA) issued new guidance, Application of Self-Regulatory Principles to the Mobile Environment, for advertisers, agencies, media, and technology companies on how to provide consumers with control over the use of cross-app (i.e., behavioral advertising), personal directory, and precise location data in mobile apps. The new guidance applies the DAA’s 2010 Self-Regulatory Principles for Online Behavioral Advertising and 2012 Principles for Multi-Site Data to Mobile Environments. On the same day, the Network Advertising Initiative (NAI), a member of the DAA with its own self-regulatory rules and enforcement program, released a self-regulatory Mobile Application Code for NAI members that governs behaviorally targeted ads on mobile devices. The key principles adopted by each organization are described below.
There have been significant developments in the mobile privacy landscape over the last several years (see our article on the White House privacy report and app actions, available here), all of which will have a significant impact on companies' advertising and marketing practices. Agency enforcement and private litigation relating to consumer privacy are on the rise (see our article on emerging trends in privacy and data security litigation, available here), and we expect that trend to continue as the landscape continues to evolve.
The DAA guidance applies to Third Parties (entities that collect Cross-App Data or Precise Location Data from or through a non-affiliate’s app or collect Personal Directory Data from a device) and First Parties (the entity that owns or controls an app and its affiliates). It addresses the use and collection of Cross-App Data (data collected from a particular device regarding app use over time and across non-affiliate apps), Precise Location Data (data obtained from a device about the physical location of the device that is sufficiently precise to locate a specific individual or device), and Personal Directory Data (calendar, address book, phone/text log, or photo/video data that is stored on or accessed through a particular device). The DAA will work with stakeholders to develop a choice mechanism for Cross-App Data, after which time the DAA will enforce the new self-regulatory principles through established accountability mechanisms.
First Parties: First Parties that authorize Third Parties to collect and use Cross-App Data should provide a link to a disclosure that either points to a choice mechanism or lists such Third Parties. Such a link is not required (i) for operations and system management, market research and product development, or where data has been de-identified, or (ii) where Third Parties provide the enhanced notice described above or obtain consent.
No entities should collect and use Cross-App Data through their provision of a service or technology that collects such data from all apps without consent, except for operations and system management, market research and product development, or where data has been de-identified. All entities should provide consumers an easy means to withdraw consent.
Precise Location Data
First Parties: Except for purposes of operations and system management, market research and product development, or where data has been de-identified, First Parties should provide notice (on their websites or accessible from their apps) of transfers of data to Third Parties or the collection and use of data by Third Parties through a First Party’s app. In addition, except for the purposes described above, First Parties should provide enhanced notice of Third Parties’ collection and use of data from or through a First Party’s app or a First Party’s transfer of such data to Third Parties. First Parties should also obtain consent (and a means for withdrawing consent) to transfer data to Third Parties or for Third Parties to collect and use data from or through the First Party’s app or to transfer such data to non-affiliates.
Third Parties: Except for purposes of operations and system management, market research and product development, or where data has been de-identified, Third Parties should provide notice (on websites or accessible from apps) of data collection and use practices, as well as a tool for providing or withdrawing consent. In addition, except for the purposes described above, Third Parties should obtain consent, or obtain assurances of consent from the First Party app provider, before collecting and using data or transferring such data to non-affiliates.
Personal Directory Data
First Parties should not authorize Third Parties to access, and Third Parties should not themselves access, a device without authorization, and obtain and use data for any purposes except operations and system management, market research and product development, or where data has been de-identified.
The NAI Mobile Application Code prescribes guidelines for NAI members relating to Cross-App Advertising, or the delivery of advertising based on Cross-App Data (data collected through apps owned or operated by different parties on a particular device for the purpose of delivering advertising based on the preferences or interests inferred from the data), as well as Ad Delivery and Reporting (the collection of information about a device for the purpose of delivering ads or providing advertising-related services). The Code addresses transparency and notice, choice, use limitations, transfer restrictions, and data access, quality, security, and retention principles for Cross-App Data.
Key principles are as follows:
* * *
The DAA and NAI principles are generally consistent with each other, and reflect the industry’s continuing efforts to ensure the privacy of consumer data in the mobile space. These new standards illustrate the important role of self-regulation in addressing technological changes affecting advertising and privacy. In assessing their advertising and marketing practices, including those that touch on data collection, businesses should consider not just applicable laws, but industry guidelines as well.
For more information on privacy and digital media issues, please contact Keller and Heckman LLP Partners Sheila Millar (+1 202.434.4143, firstname.lastname@example.org) or Tracy Marshall (+1 202.434.4234, email@example.com).