DAA’s Mobile Privacy Rules

The Digital Advertising Alliance (DAA), industry coalition behind the behavioral ad and data collection privacy initiative, is gearing up to launch their new mobile privacy standards. This long-awaited guidance has been slow to arrive. Even now, it is unclear when the mobile privacy guidelines will actually appear, as Stu Ingis, DAA counsel, estimated they would be complete “This spring – a few weeks to a couple of months,” although, the group was “still working on the substance.”


According to insiders who have worked with the final drafts, the new standards will address targeting ads based on information collected across apps, and will allow consumers to opt out. The mobile rules are also likely to require companies to obtain users’ opt-in consent before collecting some information, such as address-book data.

However, the fact that the DAA has still not finalized the guidelines makes it difficult for the self-regulatory process. Without official guidance from the DAA, participants lack the industry-imposed rules on whether opting-out would simply prevent participating mobile ad networks from serving behaviorally-targeted ads in apps, or go further by preventing collection of some forms of data.

Another issue is the fact that most consumers don’t distinguish between location data and other information collected through mobile apps, which indicates that government regulators and legislators may not do so either. While device location data can be collected by apps and used to target ads, there is no DAA guideline which determines whether an advertiser could aim a geo-targeted ad in a mobile app to someone who has opted out through the TRUSTe or Evidon systems.

As the DAA has been silent on self-regulatory services, it poses another question. Mike Zaneis, SVP and general counsel of the Interactive Advertising Bureau asks, “We don’t have mobile principles yet so we are not in a position to endorse; what would we be endorsing against?”

It is not exactly clear what’s behind the delay of the guidelines. Some suspect that technical hurdles may contribute. Cookies are typically not the identifier of choice in the mobile app environment, where multiple types of device identifiers are employed. This means that opting out from mobile ads in apps has a much more permanent effect than on the desktop. If cookies are cleared online, an opt-out cookie gets trashed, which re-enables tracking and targeting.

Privacy Challenges in Mobile Platforms

A major privacy challenge posed by mobile platforms is that devices are usually tied to specific individuals, meaning that data linked to those devices isn’t necessarily “anonymous.” For this reason, the new DAA rules will likely encourage companies to take steps to de-identify information.

Another significant privacy challenge is that opting out of mobile targeting can be an inconvenient process. Previously, some individual mobile networks have permitted consumers to opt out by providing their phones’ device identifiers, or unique character strings. Advertising networks then retain records of the devices that have opted out of online behavioral advertising.

Users of Apple devices have the option of activating a “limit ad tracking” setting, which communicates to networks that users don’t want to be tracked. The tech giant also recently began limiting developers’ ability to access unique device identifiers (UDIDs). As an alternative, Apple offers “advertising identifiers,” which consumers can control by either resetting or deleting.

However, certain developers still retain access to the old UDIDs, which can be used for tracking. Even without access to the UDIDs, companies can identify devices through other characteristics.

In Context

The DAA’s new privacy standards appear within a climate of increased regulatory scrutiny on how companies collect and use data, especially data gathered through mobile devices. The Federal Trade Commission (FTC) and California Attorney General have weighed in with recommendations regarding mobile privacy.

In the previous year, for instance, the Commerce Department has held several meetings between a wide array of online companies and advocates, in an attempt to forge a consensus on mobile privacy guidelines.

A number of mobile app developers – including the well-known Path and Hipster – were recently accused of uploading users’ address books without their permission. The mobile social network Path recently agreed to create a comprehensive privacy policy to settle FTC charges which stemmed from the alleged uploads. Path also agreed to pay $800,000 in order to settle separate allegations that it violated the Children’s Online Privacy Protection Act (COPPA), by inappropriately collecting personal data from children under age 13.


This article discusses the Digital Advertising Alliance’s (DAA) mobile privacy guidelines. These new standards will address targeting ads based on information collected across apps, and will allow consumers to opt out.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT), a privacy professional should be comfortable with topics related to this post, including:

  • Business use of mobile services (I.C.f.ii.)
  • Privacy by policy (III.B.)
  • Limiting or preventing automated data capture (III.E.a.)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>