On the same day that the Federal Trade Commission was holding a workshop on cross-device tracking, the privacy self-regulatory group Digital Advertising Alliance released guidance related to the cross-device collection and use of data for targeted advertising.
The new guidance clarifies how the DAA’s existing principles (for online behavioral advertising, multi-site data and data collected in the mobile environment) apply to data collected and/or used across devices, such as when data collected from a particular device or browser is used with another device or browser that is linked to the browser or device on which such data was collected (or transferred to a non-affiliate) for purposes of engaging in practices that are covered by the DAA Principles.
The guidance addresses the two main elements of the DAA Principles: Transparency (i.e., notice) and Consumer Control (also known as Choice, which in this context is the opportunity to opt out).
The responsibilities with respect to providing Transparency and Consumer Control vary depending on whether an entity is a First Party (e.g., a web publisher or owner/operator of a mobile app) or a Third Party (e.g., ad networks and analytics companies).
According to the new guidance, entities collecting Multi-Site Data (i.e., data collected from a particular computer or device regarding web viewing over time and across non-Affiliate websites) and Cross-App Data (i.e., data collected from a particular device regarding application use over time and across non-Affiliate application) from a particular browser or device for use on a different computer or device should include in the notice on their own websites “the fact that data collected from a particular browser or device may be used with another computer or device that is linked to the browser or device on which such data was collected, or transferred to a non-Affiliate for such purposes.” For Third Parties engaging in this practice, this notice should be provided on their own websites or should be accessible from or through the mobile apps from which they collect Cross-App Data.
In addition, when data is collected or used on a website or through a mobile app, the First Party should provide a clear, meaningful and prominent link to a disclosure that either links to the industry-developed website or choice mechanism that provides consumer choice or that individually lists the Third Parties that are engaged in the collection of Multi-Site Data or Cross-App Data through its website or mobile app. (A website does not need to include a link in instances where the Third Party provides Transparency as required by the DAA OBA Principle II.A.2(a). This section provides that Third Parties should provide notice of the collection of data through a clear, meaningful and prominent link to a disclosure in or around the advertisement delivered on the web page where data is collected.)
The new DAA guidance clarifies that consumers must have the ability to exercise choice (i.e., an opt-out mechanism) with respect to any of the following data collection and use practices:
- The collection of Multi-Site Data on the browser, or Cross-App Data on the device, on which choice is being exercised, for use on another computer or device that is linked with the browser or device on which the choice is being exercised.
- The use of Multi-Site Data or Cross-App Data on the browser or device on which choice is being exercised, when that data was collected on another computer or device that is linked with the browser or device on which choice is being exercised.
- The transfer to a non-Affiliate of Multi-Site Data and/or Cross-App Data collected from the browser or device on which choice is being exercised.