In late June, the Digital Advertising Alliance (DAA) released its highly anticipated guidelines regarding how self-regulatory principles apply to the mobile environment. These guidelines offer a framework for how the previously issued Self-Regulatory Principles for Online Behavioral Advertising (OBA) and Self-Regulatory Principles for Multi-Site Data apply to mobile, focusing on:
- Cross-app data collection
- Use of precise geo-location data sufficient to physically locate a specific device
- Personal directory data, such as address book and calendar data, that is created by the consumer and stored on and accessed through a specific device
The previously issued principles for desktop also apply to the mobile web environment as they would to the desktop web. The DAA recognizes some technical features unique to mobile web and may provide guidance around implementation of the principles relevant to mobile web.
A closer look…
The mobile principles outline requirements for both first and third parties around when notice, enhanced notice, access to consumer controls, and prior consent are required. Enhanced notice and prior consent are required if:
- Cross-app data is collected from all, or substantially all, applications on a specific device
- Precise geo-location data is collected and used by third parties or transferred to third parties. The consumer must be able to withdraw consent and be directed to specific device or platform settings to do so.
Personal directory data should not be accessed, obtained or used without prior authorization. First parties should not authorize third parties to access, obtain and use personal directory data without authorization.
There are, of course, limited cases where data may be collected for specific purposes, such as operations and systems management, without notice and choice. These purposes would follow the previously issued principles, along with requirements around security and sensitive data. There are also restrictions on collecting, using or transferring data in order to determine employment, credit, health care treatment or insurance eligibility.
The mobile principles fall under the scope of the DAA’s accountability program, which is responsible for the enforcement of the principles.
Mobile Privacy Apps
In order to support its new guidelines, the DAA also announced that it had created an app that enables consumers to opt out of behavioral advertising on smart phones and tablets. The app represents the DAA’s most recent action in implementing the mobile privacy guidelines. The group requires ad networks and other companies to inform consumers about online behavioral advertising – also referred to as cross-app advertising in the mobile environment – and to allow consumers the chance to opt out. The DAA’s app will be made available later this year.
Other privacy compliance organizations, including TRUSTe and Ghostery, currently offer apps that allow mobile users to opt out of behaviorally targeted mobile ads.
Along with the DAA-endorsed tool for desktop opt outs, the new DAA app gives users a way to opt out of receiving all behaviorally targeted ads, or to select which ad networks (and other third parties) to avoid.
However, it is not clear if people will rely on apps to opt out of behavioral targeting, when the largest mobile operating systems come with built-in controls that enable people to avoid cross-app targeting. For instance, Apple offers a “limit ad tracking” setting, which communicates to ad networks that users don’t want to be tracked. Apple requires developers to agree that they honor that setting, which means that they don’t serve ads to users based on their activity across a variety of apps. Google offers a similar feature for Android devices.
In June, the Digital Advertising Alliance (DAA) released its mobile privacy guidelines, which set out rules for collecting data and serving ads on mobile devices. Later, it announced that it was in the process of finalizing a mobile privacy app that would help support and implement its latest guidelines.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:
- IT development lifecycle (I.B.)
- Data collection and transfer (I.C.)
- Privacy and system design (I.I.)
- Software-based notice and consent (IV.B.)
- Online services – online advertising (IV.B.c.vi.4.)