New Self-Regulatory Guidance Joins Other Privacy and Transparency-Related Considerations for Participants in the Mobile Ecosystem
On July 24, 2013, the Digital Advertising Alliance (DAA), comprised of the largest media and marketing trade associations in the U.S., released new guidance regarding mobile and other devices (Mobile Guidance).1 The Mobile Guidance explains how the DAA’s existing Self-Regulatory Principles for Online Behavioral Advertising (OBA Principles)2 and Self-Regulatory Principles for Multi-Site Data (MSD Principles)3 (together, the DAA Principles) apply to companies operating in the mobile ecosystem. It sets forth specific requirements for the collection and use of precise location information, as well as two new categories of data: “cross-app data” and “personal directory data.”
By articulating clear obligations for companies with respect to these types of data, the Mobile Guidance represents a milestone for the mobile advertising industry, which has been debating how to provide adequate notice and choice to consumers for quite some time. Noncompliance ultimately will be subject to the Online Interest-Based Advertising Accountability Program, operated by the Council of Better Business Bureaus.4 Participants in the mobile ecosystem—including app developers, analytics companies, ad networks, app platform providers, and providers of devices and related services—should evaluate their practices in light of the Mobile Guidance.
The Mobile Guidance arrives amid a crowded landscape of recent developments relating to privacy and transparency in the mobile context. It follows sets of best practices for the mobile space set forth by the Federal Trade Commission (FTC) in February 2013 and by California Attorney General Kamala Harris in January 2013. It also joins the draft Short Form Notice Code of Conduct to Promote Transparency in Mobile App Practices, developed through the multistakeholder process convened by the National Telecommunications and Information Administration (NTIA) regarding mobile app transparency, and temporarily “frozen” for use in testing by participating organizations on July 25, 2013.5 The FTC’s and California Attorney General Harris’ recommendations, together with the NTIA’s short-form notice code of conduct, once finalized, will join the Mobile Guidance in presenting several privacy- and transparency-related considerations for participants in the mobile space.
In July 2009, the DAA published the OBA Principles, the online advertising industry’s effort to establish standard business practices concerning the collection of information about people’s online behavior across websites and its use in online behavioral advertising (OBA).6 They consist of seven principles, most notably requirements of clear notice to consumers about the collection and use of data for OBA purposes, and consumer choice regarding whether such data can be used for OBA.7 In 2011, the DAA expanded its self-regulatory program to cover “multi-site data,” which is all data collected from particular computers or devices regarding web viewing over time and across unaffiliated websites, and not just that collected for OBA purposes.8
The Mobile Guidance provides direction regarding how the DAA Principles apply within the mobile website and app environments. In particular, the Mobile Guidance:
- makes clear that the DAA Principles apply in the mobile context and elaborates on how they apply;
- explains how the DAA Principles apply to data collected on a particular device regarding app use over time and across non-affiliate applications (cross-app data)9;
- explains how the DAA Principles apply to data about the physical location of a device that is sufficiently precise to locate a specific individual or device (precise location data); and
- explains how the DAA Principles apply to the collection, use, and disclosure of calendar, address book, phone/text log, or photo/video data created by a consumer that is stored on or accessed through a device (personal directory data).
The Mobile Guidance sets out responsibilities for first parties and third parties. A “first party” is an entity that owns or has control over an app with which a consumer interacts, as well as the entity’s affiliates. An entity is a “third party” to the extent that it collects cross-app data or precise location data from or through a non-affiliate’s application, or collects personal directory data from a device.10
Application of Self-Regulatory Principles Across Channels
The Mobile Guidance first emphasizes that the DAA Principles apply consistently across all channels, regardless of the type of computer or device involved.11 In commentary, however, the DAA acknowledges the technical limitations of different types of devices and systems. As a result, compliance with the DAA Principles in the mobile context may take a form different from compliance in the desktop computer environment, and implementation may vary based on the technological demands of other channels as well. The DAA anticipates providing further guidance on implementation practices.
Under the Mobile Guidance, third parties should provide clear, meaningful, and prominent notice of their cross-app data collection and use practices. Such notice should be provided on the third parties’ own websites or made accessible from any app from or through which they collect cross-app data.
Additionally, third parties should provide enhanced notice of their cross-app data collection and use practices, either by using a notice in or around ads delivered using cross-app data (which can be satisfied through the use of the AdChoices icon) or in a number of ways that require the cooperation of the first party. If they do not provide enhanced notice in these ways, third parties should be listed individually on a mechanism or setting that meets DAA specifications and is linked from the first party’s disclosure. Third parties who obtain consent12 to their use and disclosure of cross-app data are not required to provide this enhanced notice.
Unless all third parties operating on the first party’s app have provided enhanced notice or have obtained consent to their cross-app data collection and use practices, any first party who affirmatively authorizes a third party to collect and use cross-app data also should provide notice in a specified time and manner.
Third parties should provide consumers with choice regarding their collection and use of cross-app data and should describe those choice mechanisms in the relevant notices described above. Additionally, first parties who affirmatively authorize third parties to collect and use cross-app data should link to an appropriate choice mechanism.
The Mobile Guidance also provides that entities should not collect and use cross-app data through their provision of a service or technology that collects cross-app data from all or substantially all apps on a device without obtaining consent and providing an ongoing, easy-to-use means for users to withdraw such consent.
Precise Location Data
For precise location data, the Mobile Guidance imposes requirements similar to those in the DAA Principles, but allocates responsibility differently to account for first parties’ greater ability to provide notice to consumers and obtain their consent in the mobile space.
First parties should provide notice of transfers of precise location data to third parties, as well as third parties’ collection and use of such data from or through the first party’s app and with the first party’s affirmative authorization. This notice should be on the first party’s website or accessible from or through the app from which precise location data is collected.
First parties also should provide enhanced notice regarding the collection and use of precise location data. The Mobile Guidance specifies permissible manners to provide such enhanced notice and notes that any method, or combination of methods, that provides equivalently clear, meaningful, and prominent enhanced notice is permissible.
Third parties should provide basic notice of their collection and use practices regarding precise location data, either on their own websites or accessible from any app from or through which they collect precise location data.
First parties should obtain consent (i) for their transfer of precise location data to third parties, (ii) for affirmatively authorized third parties to collect and use precise location data from or through the first party’s app, and (iii) for their transfer of precise location data to non-affiliates. The first party also should provide an easy-to-use tool for users to withdraw such consent.
In addition, third parties should ensure that consent has been provided for their own precise location data practices, either directly or by obtaining reasonable assurances from the first party that it has obtained consent.13
Finally, the DAA notes in the Mobile Guidance that due to technical limitations of different devices and systems, it may not be feasible to comply with its guidance regarding precise location data on all devices in the same manner. The DAA may provide further guidance on implementation practices.
Personal Directory Data
The Mobile Guidance creates a new category of data, “personal directory data,” which is “calendar, address book, phone/text log, or photo/video data created by a consumer that is stored on or accessed through a particular device.”14
The Mobile Guidance provides that third parties should not, without user authorization, intentionally access, obtain, and use personal directory data. Additionally, first parties should not affirmatively authorize any third party to do so.
Exceptions and Specific Restriction on Uses for Eligibility Purposes
The Mobile Guidance generally exempts first parties and third parties from their notice and choice obligations under the Mobile Guidance with respect to cross-app data, precise location data, and personal directory data that (i) is collected and used for specified purposes such as market research, product development, or operations and systems management, or (ii) has gone through, or within a reasonable period of time from collection goes through, an appropriate de-identification process. These exceptions are very similar to those contained in the MSD Principles. Also consistent with the MSD Principles, the Mobile Guidance specifies that, notwithstanding any of its other provisions, cross-app data, precise location data, and personal directory data should not be collected, used, or transferred for purposes of employment eligibility; credit eligibility; healthcare treatment eligibility; or insurance eligibility, underwriting, or pricing.
Other Mobile App Disclosure and Privacy Guidelines
The Mobile Guidance joins a number of other privacy-related considerations for app developers, ad networks, and other participants in the mobile app ecosystem, along with others potentially to come.
FTC Mobile Disclosures Report
As covered previously in Eye on Privacy,15 the FTC issued a report in February 2013 encouraging all participants in the mobile ecosystem to work together to develop improved mobile privacy disclosures and industry best practices.16 Notably, the FTC report recommends that app developers:
- publish appropriate privacy policies, and make them available through app stores/marketplaces;
- provide just-in-time disclosures and obtain affirmative express consent in order to collect information considered by the FTC to be sensitive;
- coordinate with ad networks, analytics companies, and other third-party service providers to obtain clear information about their privacy practices, in order to disclose them appropriately; and
- participate in self-regulatory programs, industry organizations, and trade associations to prepare uniform, short-form privacy disclosures.
The FTC’s mobile privacy report also recommends that ad networks and other third parties (i) coordinate with app developers, so as to allow app developers to provide more accurate privacy disclosures, and (ii) work with platforms to develop, and then ensure effective implementation of, a Do Not Track system in the mobile context. To this end, in addition to various other recommendations for app trade associations and platform providers, the FTC mobile privacy report also recommends that app platform providers create and implement a Do Not Track mechanism consistent with the FTC’s principles set forth in its consumer report on privacy.17
California Attorney General Best Practices for Mobile Privacy
NTIA Mobile Application Transparency Multistakeholder Process
Finally, app publishers, ad networks, and others in the mobile ecosystem also should be aware of the multistakeholder process convened by the National Telecommunications and Information Administration (NTIA) in June 2012,20 whose participants continue to work toward developing a voluntary code of conduct to provide transparency in how companies providing apps and interactive services for mobile devices handle personal data.21 This code of conduct, which would be adopted voluntarily by participating developers and publishers, has yet to be finalized, but generally seeks to settle on standard short-form notices that succinctly, and in a consistent format, set forth key information about data collected within apps and how that data is shared. The short form notices would be intended to help consumers compare and contrast data practices of apps, with the goal of enhancing consumer trust in app information practices.
Notably, the current draft NTIA code of conduct, which was frozen for user testing on July 25, 2013,22 calls for transparency with respect to (i) the collection of certain types of sensitive data (such as biometrics, precise location information, user files, contact information on a mobile device, and web browser history or phone or text log), as well as (ii) any user-specific data shared with ad networks, carriers, consumer data resellers, data analytics providers, providers of operating systems, app platforms, other apps, and social networks, unless those third parties are bound by contract to limit the uses of any such consumer data solely to services rendered to, or on behalf of, that app and to abstain from sharing that consumer data with subsequent third parties. Notice requirements also do not apply with respect to data collected or shared without the app developer’s affirmative authorization, so long as the app developer doesn’t have actual knowledge of (or deliberately avoid obtaining actual knowledge of) such collection or sharing before it occurs. Finally, the code’s notice requirements also do not apply with respect to the collection or sharing of any data that is not identified or that is otherwise promptly de-identified as long as reasonable steps are taken to prevent the data from being re-associated with a specific individual or device.
The Mobile Guidance likely will have significant ramifications for many participants in the mobile ecosystem. The FTC repeatedly has stated that the collection and use of information from mobile devices is one of its top agenda items because it believes consumers do not understand the collection that is occurring and how they can control it. The Mobile Guidance provides companies in the mobile space with much greater clarity regarding how to provide the transparency and consumer choice demanded by the FTC and privacy advocates. Members of the organizations that comprise the DAA, as well as other companies within the mobile industry, are encouraged to examine the Mobile Guidance in connection with a review of their own practices concerning the collection, use, and disclosure of cross-app data, precise location data, and personal directory data.
Additionally, the Mobile Guidance represents just one of several sets of guidelines issued recently regarding the collection and use of data by apps. Taken together, these various guidelines create a complex set of requirements and best practices for companies in the mobile ecosystem to consider.
1 Digital Advertising Alliance, “Application of Self-Regulatory Principles to the Mobile Environment,” 2013, available at http://www.aboutads.info/DAA_Mobile_Guidance.pdf.
2 Digital Advertising Alliance, “Self-Regulatory Principles for Online Behavioral Advertising,” 2009, available at http://www.aboutads.info/resource/download/seven-principles-07-01-09.pdf.
3 Digital Advertising Alliance, “Self-Regulatory Principles for Multi-Site Data,” 2011, available at http://www.aboutads.info/resource/download/Multi-Site-Data-Principles.pdf.
4 Only after the DAA’s choice mechanism for cross-app data is operational, and after an implementation period, will companies face DAA accountability mechanisms with respect to cross-app data, precise location data, and personal directory data. For information about the Interest-Based Advertising Accountability Program, see http://www.bbb.org/us/interest-based-advertising/.
5 The NTIA’s published Short Form Notice Code of Conduct to Promote Transparency in Mobile App Practices is available at http://www.ntia.doc.gov/files/ntia/publications/july_25_code_draft.pdf. The draft code has been released for purposes of user testing by participating companies, but has not yet been finalized.
6 OBA is the collection of data from a particular computer or device regarding web-viewing behaviors over time, and across unaffiliated websites, for the purpose of using such data to predict user preferences or interests to deliver advertising to that computer or device based on those inferred preferences or interests. For example, through OBA, a consumer shopping online for baseball tickets might receive targeted ads on other, unaffiliated websites about baseball tickets or about other products that those shopping for baseball tickets may tend to be interested in (e.g., sports magazines).
7 Digital Advertising Alliance, “Self-Regulatory Principles for Online Behavioral Advertising,” 2009, available at http://www.aboutads.info/resource/download/seven-principles-07-01-09.pdf; Digital Advertising Alliance, “Self-Regulatory Principles for Online Behavioral Advertising Implementation Guide,” 2010, available at http://www.aboutads.info/resource/download/OBA%20Self-Reg%20Implementation%20Guide%20-%20What%20Everyone%20Needs%20to%20Know.pdf.
8 For additional information on the MSD Principles, please see our WSGR Alert at http://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/PDFSearch/wsgralert-online-advertising-data-collection.htm.
9 Cross-app data also includes unique values assigned or attributed to a device, or a unique combination of characteristics associated with a device, where combined with cross-app data. It does not include (i) precise location data, (ii) personal directory data, (iii) data that has been de-identified in accordance with the Mobile Guidance, or (iv) data that is collected across unaffiliated apps but is not associated or combined across such apps.
10 In situations where it is clear that the consumer is interacting with a portion of an app that is not an ad and is being operated by a different entity than the app owner, the different entity would not be a third party due to the consumer’s reasonable understanding of the nature of the direct interaction with that entity.
11 As a result of the consistent application of the DAA Principles across channels, the principles should be considered in connection with the collection of data from computers and devices, such as navigation devices and connected television devices in addition to mobile devices.
12 The Mobile Guidance, consistent with the DAA Principles, defines “consent” as “an individual’s action in response to a clear, meaningful, and prominent notice regarding the collection and use of data for a specific purpose.”
13 The Mobile Guidance lays out several illustrative actions that a third party may take to obtain reasonable assurances that a first party has obtained consent to its collection and use of precise location data. For example, a third party may obligate the first party contractually to obtain consent to the third party’s data collection or use, or may verify that the first party publicly represents that it obtains consent to the transfer of precise location data to a third party.
14 Personal directory data also includes unique values assigned or attributed to a device, or a unique combination of characteristics associated with a device, where combined with data meeting the definition of personal directory data. Personal directory data does not include data that is not associated with a specific individual or device, such as data that has been de-identified.
15 FTC Releases Privacy Disclosure Guidelines for Mobile Ecosystem, WSGR Eye on Privacy (March 2013), available at http://www.wsgr.com/publications/PDFSearch/eye-on-privacy/Mar2013/#1.
16 FTC Staff Report: Mobile Privacy Disclosures: Building Trust Through Transparency (February 2013), available at http://www.ftc.gov/os/2013/02/130201mobileprivacyreport.pdf. The report was issued by the FTC in view of its prior work in the mobile arena, together with panel discussions on, and written comments received in connection with, a March 2012 workshop focused on transparency in mobile apps.
17 The FTC’s report, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (March 2012), is available at http://www.ftc.gov/os/2012/03/120326privacyreport.pdf. We summarize this report in our WSGR Alert available at http://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/PDFSearch/wsgralert-FTC-final-privacy-report.htm. Since the issuance of the FTC’s report, there has been significant industry effort at coming up with a uniform Do Not Track standard. As of the date of this publication, however, there is no industry-wide consensus on Do Not Track.
18 California Attorney General Issues Privacy Practice Recommendations for Mobile Ecosystem, WSGR Eye on Privacy (March 2013), available at http://www.wsgr.com/publications/PDFSearch/eye-on-privacy/Mar2013/index.html#2_1.
19 Attorney General Harris’ report, Privacy on the Go: Recommendations for the Mobile Ecosystem (January 2013), is available at http://oag.ca.gov/sites/all/files/pdfs/privacy/privacy_on_the_go.pdf.
20 The NTIA’s multistakeholder process on mobile app transparency was convened pursuant to the call for action in the Obama Administration’s February 2012 report on consumer privacy, Consumer Data Privacy in a Networked World: a Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (available at http://www.whitehouse.gov/sites/default/files/email-files/privacy_white_paper.pdf) (Administration Privacy Report), which, among other things, proposed a Consumer Privacy Bill of Rights and the establishment of multistakeholder processes to develop enforceable codes of conduct implementing that Consumer Privacy Bill of Rights. Our WSGR Alert regarding the Administration Privacy Report is available at http://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/PDFSearch/wsgralert-consumer-privacy-bill-of-rights.htm.
21 Information on the NTIA’s process, including the most recent draft code of conduct, meeting agendas, and other documentation, is available at http://www.ntia.doc.gov/other-publication/2013/privacy-multistakeholder-process-mobile-application-transparency.
22 The current draft code of conduct is available at http://www.ntia.doc.gov/files/ntia/publications/july_25_code_draft.pdf.