On the heels of recent developments affecting how mobile applications (Apps) collect, use and share consumers’ personally identifiable information (PII), the Digital Advertising Alliance (DAA) has released new guidance for the industry.  The self-regulatory principles found within the DAA’s guidance apply consistently across marketing channels and extend to App developers and owners, ad networks, App platform providers and providers of devices and related third-party services.

DAA and Mobile Apps Generally

The DAA is a nonprofit organization composed of some of the largest media and marketing trade associations in the U.S.  The goal of the organization is to advance interest-based advertising by devising industry-wide regulations that must be adhered to in order to maintain good standing within the organization.  Most of the DAA’s regulatory efforts are meant to provide consumers with choice and control over how and whether they wish to share their information.

While all of the DAA’s guiding regulations are meant to be self-imposed by companies, any serious or continuous form of non-compliance will subject the offender to the Online Interest-Based Advertising Accountability Program (Accountability Program), operated by the Council of Better Business Bureaus. Through the Accountability Program, the Better Business Bureau has the authority to institute inquiries into cases of non-compliance, publish cases of non-participation or uncorrected non-compliance and refer such cases to the appropriate government agency for potential liability.

DAA’s Guidance on the Collection of PII and Locational Data through Apps

The DAA’s guidance addresses several types of consumer information, but two forms of information deserve special attention due to their prevalence in the industry: locational data and PII.  Locational data, as used in the guidance, constitutes any information that can be used to determine the physical location of the consumer, whether it be by using cell phone towers or GPS technology.  PII, as used in the guidance, refers to any information that could be used to identify a particular consumer, including name, address, telephone number and email address.

Whenever an App developer/owner collects and uses, or authorizes a third party to collect and use, consumer PII or locational data, it must provide the consumer with clear, meaningful and prominent notice of such practices, including a list of any third parties with whom the information is shared, and must provide a link that consumers may use to opt out of, restrict or modify the collection, use and/or sharing of their information.  The link to the opt-out functionality should be accessible while using the App, within the App’s privacy policy and on the App developer/owner’s website. Furthermore, if the App developer/owner collects a consumer’s financial or health-related information, it must obtain the consumer’s express consent to share this sensitive information with third parties.

Applicability of App Guidance to Third Party Advertisers

According to the DAA’s guidance, third parties that use consumers’ PII or locational data collected from others must also inform consumers about their data practices through clear, meaningful and prominent notices.  Such disclosure must be made on the third parties’ websites and, if applicable, within the associated Apps’ privacy policies.  Third parties may adequately accomplish such notice by obtaining and displaying the DAA’s Advertising Option Icon on their websites, which consumers should be able to access via links within the Apps and the associated privacy policies.  In addition, third parties are encouraged to register on the DAA’s Consumer Opt-Out Page, where consumers may opt out of receiving online behavioral advertising from some or all participating companies.

If a third party does not provide the requisite notice to consumers or obtain their express consent to use their PII or locational data, the App developer/owner must take all reasonable steps to protect such data from being shared with the third party and obtain satisfactory written assurance that the third party will not attempt to reconstruct any such consumer data.