The Digital Advertising Alliance (DAA), a self-regulatory group comprised of advertising and media companies, released mobile privacy guidelines which supplement the DAA’s Self-Regulatory Principles for Online Behavioral Advertising (“OBA Principles”) and Multi-Site Data (“MSD Principles”). In the future, the DAA intends to release a consolidated set of Self-Regulatory Principles that integrates the mobile guidelines with the OBA Principles and MSD Principles, resulting in one uniform set of Principles. The Network Advertising Initiative, coordinating with the DAA, also released mobile guidelines on the same day, which are directed to third-party advertising companies.
The DAA’s mobile guidelines, called Application of Self-Regulatory Principles to the Mobile Environment, apply to the mobile app and mobile web site environments and establish notice (“transparency”) and consent (“control”) requirements and options for Cross-App Data, Precise Location Data, and Personal Directory Data. Cross-App Data is “data collected from a particular device regarding application use over time and across non-Affiliate applications.” Personal Directory Data includes calendar, address book, phone/text log, or photo/video data created by a consumer that is stored on or accessed through a particular device. Precise Location Data is data obtained from a device about the physical location of the device that is sufficiently precise to locate a specific individual or device. Precise Location Data may include data obtained from cell tower or Wi-Fi triangulation techniques, or latitude-longitude coordinates obtained through GPS technology, if such data is sufficiently precise to locate a specific individual or device. Precise Location Data does not include five-digit ZIP code, city name, general geographic information whether derived from an IP address or other sources, or information that does not necessarily reflect the actual location of a device such as information entered by a user or a billing address associated with an account.
The guidelines enumerate the responsibilities for First Parties (typically, the owner of the mobile app or the operator of a mobile web site, and their Affiliates) and Third Parties (such as ad networks and analytics companies) with respect to each of these kinds of data.
The notice and consent provisions do not apply:
(a) For operations and system management purposes, including:
(i) intellectual property protection;
(ii) compliance, public purpose and consumer safety;
(iii) authentication, verification, fraud prevention and security;
(iv) billing or product or service fulfillment, including improving customer experience or ensuring a high quality of service; or
(v) Reporting or Delivery;
(b) For Market Research or Product Development; or
(c) Where the data has or will within a reasonable period of time from collection go through a De-Identification Process.
The guidelines also state that Cross-App Data, Precise Location Data, and Personal Directory Data should not be collected, used, or transferred for employment, insurance or credit eligibility, or health care treatment. Furthermore, except for operations or system management purposes, a Third Party should not collect and use Cross-App Data or Personal Directory Data containing financial account numbers, Social Security numbers, pharmaceutical prescriptions or medical records about a specific individual without consent. Regarding data security, the guidelines state that entities should maintain appropriate physical, electronic, and administrative safeguards to protect Multi-Site Data, Cross-App Data, Precise Location Data, and Personal Directory Data.