The digital advertising industry’s decision to start enforcing its self-regulatory principles will mean that mobile platform advertisers and other entities will face additional consumer notification, data use, and data security requirements when seeking to collect consumer data from mobile devices for advertising purposes.
Mobile app developers, advertisers and owners, take note: come September 1, you may have to obtain consent before collecting, using or allowing others to collect and use certain data from consumers’ mobile devices. The Digital Advertising Alliance (DAA) has announced that it will begin to enforce its DAA Principles in the mobile environment (the DAA Mobile Guidance) on September 1, 2015. The DAA Mobile Guidance builds on the DAA’s self-regulatory principles to address how app developers and owners, digital advertisers, and other entities in the mobile space may collect and use consumer data from mobile platforms – including cross-app, precise location (i.e. geolocation), and personal directory data – for interest-based advertising purposes. While giving consumers more control over their mobile data was one justification for the DAA’s decision, the net effect is that advertisers and other entities in the mobile ecosystem will need to review and possibly alter their data collection policies and procedures by late summer, lest they run afoul of the enforcement authorities in September.
Ad Industry Steps up Consumer Notice, Consent, Data Security Requirements
At the heart of the DAA’s self-regulatory provisions are a number of consumer notification and consent requirements for first-party entities that own or have control over a particular app and third-party entities that collect consumers’ data through a device or first-party app. Such entities must:
- Provide enhanced consumer notification and seek consent when collecting cross-app data from a mobile device;
- Provide enhanced notice and seek consent when collecting and using a consumer’s geolocation data, or when geolocation data is transferred to a third party;
- Give consumers a mechanism to withdraw any prior consent authorizing the collection and use of their data; and
- Not intentionally access, obtain or use a consumer’s personal directory data – such as their contacts list – without authorization.
Covered entities must also adhere to specific limitations on data collection and use, which may ultimately impact the value of information gathered from consumers. For instance, entities may not collect, use or transfer data to determine an individual’s eligibility for employment, credit, insurance, or health care treatment. Further, third parties cannot collect and use cross-app or personal directory data that contains sensitive information – such as an individual’s Social Security number, bank information, pharmaceutical prescriptions or medical records – without an individual’s consent. Finally, all covered entities must take steps to ensure the security of the data collected by maintaining physical, electronic, and administrative safeguards.
Enforcement of the DAA Mobile Guidance
With enforcement of the DAA Mobile Guidance set to begin in less than four months, digital advertisers and mobile app owners that incorporate advertising into their products should pay special attention to their duties under the DAA’s self-regulatory principles. If challenged, companies who directly engage in interest-based advertising or allow others to collect consumer data from their websites, mobile sites and applications for interest-based advertising purposes will need to demonstrate compliance to the Council of Better Business Bureaus and the Digital Marketing Association, both of which are charged with enforcing the DAA Mobile Guidance’s terms. The DAA notes that both enforcement entities will work with companies that are out-of-step with the Guidance to bring them into compliance. Failure to cooperate with such an investigation or come into full compliance could result in a referral to a regulatory agency with enforcement authority, such as the Federal Trade Commission or the Consumer Financial Protection Bureau. It should also be noted that the DAA views the scope of enforcement of its principles quite broadly, applying them to first parties and third parties alike, and bringing compliance actions against entities that are neither members of the DAA, nor have represented compliance with the DAA’s self-regulatory principles.
Updates to NAI Code
At the same time, the Network Advertising Initiative has issued an update to its Code of Conduct that is designed to clarify certain obligations in the 2013 version of the Code, but not add new substantive requirements. Specifically, the updates include some of the following clarifications:
- The Code does not apply to the activity of linking devices based on the assumption that the device belongs to the same user or household;
- Adds a new oversight and monitoring section which explains that NAI has the final say on interpreting the Code, not the FTC, and explicitly asks that the FTC only address a member’s failure to comply with the NAI’s interpretation and application of the Code;
- Adds a definition for “Retargeting” and includes this practice of collecting data about a user’s activity on one web domain for the purpose of delivering an advertisement based on that data on a different, unaffiliated domain under the Code;
- Provides a more robust definition of “Sensitive Data” related to health or medical conditions or treatments; and
- Under a member’s obligation to promote transparency, the revised Code removes the reference to enforcing contractual notice requirements and replaces it with an obligation to confirm that websites where the member collects data furnish appropriate notices.
Unlike the DAA’s self-regulatory principles, application and enforcement of the NAI Code applies only to NAI members. However, if an organization represents that they adhere to the NAI practices, the Federal Trade Commission and state regulators could bring enforcement actions against those companies for failing to keep their promises.