Recent enforcement decisions within the digital advertising industry indicate a shift in--and a clarification of--the required disclosures for companies engaged in interest-based advertising (IBA).

In particular, these decisions, taken together, indicate that an app developer's link to its privacy policy at the point of app download may be deemed insufficient, unless the link points directly to the IBA disclosure section of the policy or there is a clear link at the top of the policy that directs the user to that section.

Further, these decisions suggest that companies that comply with the digital advertising industry's IBA self-regulatory principles should expressly affirm such compliance in their privacy policies.

Background

Some quick background: IBA is the collection of information about users' online activities across different websites or mobile applications, over time, for the purpose of delivering online advertising to those users based on those activities. Although it is an important part of the online ecosystem, if not done right, IBA can raise privacy concerns among consumers, who may feel that they are being spied upon by advertisers.

The Digital Advertising Alliance (DAA) has worked to ensure that IBA is done right. The DAA is a consortium of media and marketing associations that, in an effort to ward off legislation, has designed and implemented a selfregulatory compliance regime that seeks to address the Federal Trade Commission's (FTC) IBA notice and choice expectations. The principles underlying this compliance regime are set out in the DAA's Self-Regulatory Principles ("DAA Principles"). The DAA enforces these principles through the IBA accountability program, run by the Council of Better Business Bureaus and the Direct Marketing Association.

The DAA self-regulatory program is, at its heart, a notice-and-choice regime. In short, to facilitate such notice and choice, the DAA provides an advertising option icon to be placed in or near an online interest-based ad. By clicking on the icon, a consumer is sent to a landing page that describes the data collection practices associated with the ad and provides an opt-out mechanism.

Importantly, however, the DAA Principles have also been interpreted by the IBA accountability program to require "enhanced" notice on any website where information is collected for IBA purposes. In response to this interpretation, website publishers typically provide such notice in the form of an "Our Ads" or similarly named link in the site footer, separate from the privacy policy link, that clicks through to the same landing page as the advertising option icon or to similar notice and choice information.

The Recent Decisions

In its recent enforcement actions, the IBA accountability program appears to have exported this manifestation of the enhanced notice requirement to mobile applications, notwithstanding  the provisions of the DAA's guidance on the Application of Self-Regulatory Principles to the Mobile Environment, first published in 2013.

That guidance expressly provides that app publishers (i.e., "first parties") that permit third parties to collect information for IBA purposes must "provide a clear, meaningful, and prominent link to a disclosure that either points to a choice mechanism or setting that meets Digital Advertising Alliance specifications or individually lists such Third Parties." This notice must be provided in two separate locations:

  • Either prior to download (e.g., in the app store on the application's page), during download, on first opening of the app or at the time cross-app data is first collected; and
  • In the application's settings or any privacy policy.

The IBA accountability program appears, however, to be taking the position that a link to the privacy policy from the app store (or any other location) is not enough to meet this first prong. That is, a "clear, meaningful, and prominent link" to the IBA disclosure must be a link directly to the IBA section of the privacy policy, in the same way that the "Our Ads" or similarly named link in the site footer clicks through to the IBA section of the privacy policy.

The IBA accountability program's Spinrilla decision, for example, states that the accountability program could not find an "enhanced link notice separate from the privacy policy link" in the applicable app stores and affirmed that if only one privacy policy link will be used in the app store (where it is typically not possible to provide two separate links), "the link to the privacy policy must either go directly to the pertinent discussion of IBA or direct the user to that place through a clear link at the top of the privacy policy."

The other accountability program decisions, Bearbit Studios and Top Free Games, reaffirm this interpretation. In light of these decisions, app publishers may want to revisit how they provide "enhanced notice" of their IBA practices.

Finally, the Mobile Guidance states that first parties should "indicate adherence" to the DAA Principles in their privacy policies. The accountability program decisions noted the absence of this language in the companies' privacy policies, and the companies appear to have added language to their disclosures to comply with this obligation. Whether a company would want to affirmatively make this representation of its own accord is something that may warrant additional consideration, as the company's failure to fully comply with such a representation could give rise to a charge of deception under Section 5 of the FTC Act or a similar state law.

The Upshot

In light of these developments, a company engaged in IBA should

  • If engaged in IBA with respect to one or more of its apps, review how it discloses its IBA practices at the point of app download; and
  • Discuss with counsel the advisability of expressly stating adherence to the DAA Principles in its privacy policy.