
Digital Media, Technology & Privacy Alert >> DAA Announces Mobile Privacy Enforcement to Begin September 1, 2015

May 18, 2015

This alert was co-authored by Todd Ruback, Chief Privacy Officer, Ghostery, Inc.

The Digital Advertising Alliance (DAA) has announced that enforcement of its principles in the mobile environment – which it first issued in July 2013 – will begin on September 1, 2015.

As discussed in a previous alert, in July 2013 the DAA issued guidance (Mobile Guidance) explaining how its Self-Regulatory Principles for Online Behavioral Advertising (OBA Principles) and Multi-Site Data (MSD Principles) (together, the Self-Regulatory Principles) apply to certain types of data in the mobile environment (such as mobile-optimized websites and apps). The Self-Regulatory Principles are applicable to companies engaged in online behavioral advertising, including advertisers, agencies, media, publishers, and technology companies. The Mobile Guidance clarified that the OBA Principles cover all companies engaged in interest-based advertising (IBA) on mobile devices, as well as the collection of certain mobile-specific types of data. The themes from the OBA Principles of transparency, consumer control, sensitive data, data security, and accountability are all part of the Mobile Guidance.

Categories of Mobile Data
The Mobile Guidance defines (and sets forth various requirements pertaining to) three important categories of mobile data:

1) Cross-App Data – data collected from a particular device regarding app usage over time on non-affiliated apps;
2) Personal Directory Data – such as calendar, address book, phone/text log and photo/video data; and
3) Precise Location Data – data about the physical location of the individual/device.

Notice Obligations
Depending on a party’s status as a “first party” or a “third party,” Cross-App Data collection and use for IBA can trigger notice obligations consisting of clear, meaningful, and prominent notice of these data collection and use practices and enhanced notice in or around an advertisement. The generally accepted process for enhanced notice in or around an advertisement is the DAA’s Ad Choices Icon, while enhanced notice on a web site has taken many forms. The use of Precise Location Data follows a similar procedure. All three categories require varying levels of user consent, depending upon the nature of the use of this data and its sharing with third parties.

Notice regarding this data collection and use is not required for operations/systems management, market research, product development, and reporting for ad delivery purposes. In addition, de-identified data that does not associate or connect an individual with a particular device also is carved out from certain compliance obligations.

None of these categories of data may be used for employment, credit, healthcare treatment, or insurance eligibility.

September 1 Deadline
When the DAA issued the guidance in July 2013, it indicated that it would not take effect or be enforced with respect to these three categories during the “implementation phase.” The DAA acknowledged that it might not be feasible to comply with the Self-Regulatory Principles on all devices in the same manner as in a desktop computer environment.

Now, with its announcement of a September 1 effective date, the phase-in period for the mobile environment comes to an end.

As of September 1, 2015, any entity engaged in IBA or the collection and use of Cross-App Data, Precise Location Data, or Personal Directory Data on a mobile device becomes subject to the DAA accountability mechanisms (managed by the Council of Better Business Bureaus (BBB) and the Direct Marketing Association (DMA)) for engaging in practices that do not adhere to the Self-Regulatory Principles as discussed in the guidance.

Enforcement in the mobile arena is likely to be similar to enforcement in the desktop environment, which has been robust, with the BBB initiating 58 actions to date. Enforcement can be either reactive, in response to inquiries, or proactive, with the Online Interest-Based Advertising Accountability Program alleging, for example, that a company was engaged in IBA but lacked either an opt out or a statement of adherence to the Self-Regulatory Principles. That is followed by a public announcement of the entity’s past failure to comply with the OBA Principles and resolution of its compliance going forward. These actions can be taken against an entity whether or not it is a member of the BBB, the DMA or any of the trade associations that make up the DAA.

The Bottom Line

Enforcement of the mobile privacy guidelines is about to begin across all of the sectors of the mobile IBA ecosystem, including app providers, ad networks, brands, agencies, and publishers. Both the BBB and DMA will be active in enforcement, and therefore all companies involved in IBA within the mobile ecosystem should take the time now to review their digital practices to determine whether they need to comply with the DAA’s Self-Regulatory Principles.