The Digital Advertising Alliance (the “DAA”) recently released guidance on the application of the DAA’s self-regulatory principles for online behavioral advertising (the “ Self-Regulatory Principles ”) to the mobile marketing environment, specifically mobile data collection, sharing, and use practices (the “ Guidance ”). The DAA’s Self-Regulatory Principles are intended to be consistent across all media channels, but given technological challenges and differences, the Guidance was issued specifically to assist with compliance in the mobile environment.

By way of background, the DAA is the largest self-regulatory agency in the interactive media and marketing industry. It is made up of many marketing bodies, including the Internet Advertising Bureau, Direct Marketing Association, and National Advertising Initiative, just to name a few, and it represents over ninety percent of companies advertising to U.S. consumers on the internet. The DAA’s Self-Regulatory Principles provide guidance for online behavioral advertising and multi-site data collection and use. The heart of the Self-Regulatory Principles is that any data collection practices provide “transparency” and “control” to consumers. “Transparency” about what data is being collected and how, and “control’ over the collection and use of the data. One of the DAA’s more well-known contributions in this regard is its Advertising Option Icon initiative through which an icon is used to inform consumers that various forms of data are being collected and used to deliver individualized advertising, and also to provide consumers with a method of opting out of the use of that data.

Specifically, the Guidance covers data in three areas: (i) data collected from a particular device regarding application use over time and across unaffiliated applications (“Cross-App Data”); (ii) data obtained from a particular device that is sufficient to identify the precise physical location of the device (“Precise Location Data”); and (iii) data such as a calendar, address book, phone/text log, or photo/video data created and stored on or accessed through a device (collectively, “Personal Directory Data”).

For those unfamiliar with this area, we have provided a set of definitions at the bottom of this Alert that may be useful.

  1. Cross-App Data

Transparency

Third Parties collecting Cross-App Data should clearly and meaningfully provide notice of their practices for doing so (“CAD Notice”). CAD Notice should (a) be on the Third Party’s website and/or accessible from any application from or through which it collects Cross-App Data, and (b) provide the following information:

  • The type of data that will be collected, including any Personally Identifiable Information (“PII”);
  • How the data will be used, including whether it will be transferred to a non-Affiliate;
  • An easy-to-use mechanism for consumers to exercise choice about the collection, use, and/or transfer of the data; and
  • A clear statement that the entity adheres to the Self-Regulatory Principles of the DAA.

If a Third Party obtains consent from the consumer prior to collecting or using Cross-App Data, then providing CAD Notice as set forth above is sufficient. If no prior consent is obtained, however, the Third Party should also provide enhanced notice (“Enhanced CAD Notice”). Enhanced CAD Notice is to be provided in addition to, not instead of, CAD Notice. Thus, CAD Notice is an element of Enhanced CAD Notice. Enhanced CAD Notice may be accomplished in any one of the following ways:

  • Provide CAD Notice in or around an advertisement that was delivered using the Cross-App Data.
  • Arrange with the First Party for CAD Notice to be provided (a) before the application is installed, (b) as part of the process of downloading the application to the device, (c) at the time the application is opened for the first time, OR (d) at the time the Cross-App Data is collected, AND in the application’s settings or any privacy policy.
  • If a Third Party neither obtains consent from the consumer prior to collecting or using Cross-App Data nor provides Enhanced CAD Notice as set forth in the two prongs above, compliance is still possible if (a) the First Party affirmatively authorizes the Third Party to collect Cross-App Data, (b) the First Party provides a clear, meaningful, prominent link to a disclosure (the “First Party Disclosure”), and (c) the First Party Disclosure (i) individually lists the Third Party, or (ii) points to a DAA approved choice mechanism or setting that lists the Third Party.

A link to a First Party Disclosure should be provided whenever a First Party authorizes a Third Party to collect Cross-App Data. The link should be provided (a) before the application is installed, (b) as part of the process of downloading the application to the device, (c) at the time the application is opened for the first time, OR (d) at the time the Cross-App Data is collected, AND in the application’s settings or any privacy policy. Further, in addition to the requirements that the First Party Disclosure identify any authorized Third Party that does not either (i) obtain prior consent and provide CAD Notice or (ii) provide Enhanced CAD Notice, the First Party Disclosure should also indicate adherence to the Self-Regulatory Principles. A First Party does not need to provide a link to a First Party Disclosure where the Third Party either (i) obtained prior consent and provided CAD Notice or (ii) provided Enhanced CAD Notice.

Control

Third Parties should provide consumers with the ability to exercise choice over the collection and use of Cross-App Data collected from them. Consumers should be given at least as much notice as is provided in Enhanced CAD Notice or a sufficient listing of the Third Party in a First Party Disclosure.

Cross-App Data should not be collected or used from all or substantially all applications on a device without first obtaining consent. Consent should apply to the device from which or for which the consent was provided. Further, entities that have obtained consent should provide an easy-to-use means for which a consumer can withdraw consent.

  1. Precise Location Data (“PLD”)

Transparency

First Parties should provide clear, meaningful, and prominent notice before they transfer PLD to a Third Party or affirmatively authorize a Third Party to collect and use PLD from the First Party’s application (“First Party PLD Notice”). First Party PLD Notice should (a) be on the First Party’s website and/or accessible from the application from or through which PLD is collected, and (b) provide the following information:

  • The fact that PLD is transferred to, collected, or used by any Third Party;
  • Instructions for accessing and using a tool for providing or withdrawing consent for the transfer, use, and collection of PLD by First Party-authorized Third Parties; and
  • A clear statement that the First Party adheres to the Self-Regulatory Principles.

Whenever a First Party affirmatively authorizes a Third Party to collect and use PLD from a First Party’s application or transfers PLD to a Third Party, the First Party should also provide enhanced notice (“First Party Enhanced PLD Notice”). First Party Enhanced PLD Notice is to be provided in addition to, not instead of, First Party PLD Notice. Thus, First Party PLD Notice is an element of First Party Enhanced PLD Notice. First Party PLD Enhanced Noticed will be accomplished by any one of the following three methods:

  • By providing First Party PLD Notice (i) as part of the process of downloading the application to the device, (ii) at the time the application opens the first time, or (iii) at the time the data is collected;
  • By linking to a clear, meaningful, and prominent disclosure (“First Party PLD Disclosure”) that provides First Party PLD Notice and is displayed as (i) part of the process of downloading the application to the device and before the application is installed, (ii) at the time that the application is opened for the first time, OR (iii) at the time the PLD is collected, AND in the application’s settings or privacy policy; or
  • Any other method or combination of methods that provides equivalently clear, meaningful, and prominent enhanced notice.

Third Parties should provide clear, meaningful, and prominent notice of their PLD collection and use practices (“Third Party PLD Notice”). Third Party PLD Notice should (a) be on the Third Party’s website and/or accessible from any application from or through which it collects PLD, and (b) provide the following information:

  • The fact that PLD is collected;
  • How the PLD will be used and whether it will be transferred to a non-Affiliate;
  • Clear instructions for accessing and using the mechanism available for providing or withdrawing consent for the transfer, use, and collection of PLD; and
  • A clear statement that the Third Party adheres to the Self-Regulatory Principles.

Control

First Parties should obtain consent to transfer PLD to Third Parties or for affirmatively authorized Third Parties to collect and use PLD from or through the First Party’s application or to transfer the PLD to a non-Affiliate for the same purposes. The mechanism for providing and withdrawing consent should be easy to use and should apply to the application and device from and for which the consent is provided. Instructions for how to provide and withdraw consent should be at least as sufficient as the notice that should be provided for First Party PLD Notice.  

First Parties do not need to obtain consent where the Third Party obtained consent before collecting or using PLD. Control as a Self-Regulatory Principle is satisfied by a First Party where it uses an easy-to-use process or setting offered by an application platform to provide notice, obtain consent, and permit withdrawal of consent for the use and collection of PLD through the application.

Third Parties that collect, use, and/or transfer PLD should obtain consent or obtain reasonable assurances that the First Party obtained such consent in the manner described above.  

  1. Personal Directory Data

Third Parties should not intentionally access a device without authorization and use Personal Directory Data for any purpose.  

First Parties should not affirmatively authorize any Third Party to intentionally access a device without authorization and obtain and use Personal Directory Data for any purpose.

Limitations on Transparency and Control

While the Self-Regulatory Principles require that transparency and control be provided for Cross-App Data, Precise Location Data, and Personal Directory Data, there are exceptions. Such data can be collected and used for the below reasons without adherence to the foregoing guidelines provided that the data is not collected or used for any other purpose:

  • Operations and system management purposes, e.g., intellectual property protection, compliance, and fraud prevention;
  • Market research or product development; or
  • Where the data has or will within a reasonable period of time from collection go through the process of de-identification, i.e. stripped of its ability to identify a specific individual or device.

Restrictions

The Guidance provides that use of Cross-App Data, Precise Location Data, and Personal Directory Data for certain purposes should remain off limits. This includes collecting, using, or transferring the data to determine eligibility for certain purposes, and collecting and using health and financial data. Specifically, health and financial data should not be used or collected at all, and no other forms of data should be collected, used, or transferred for the purpose of determining eligibility for employment, credit, health care treatment, or insurance and underwriting and pricing.  

Finally, any entity collecting any data should maintain appropriate physical, electronic, and administrative safeguards to protect it.  

Conclusion

Finally, the Guidance will not be immediately enforced by the DAA’s accountability board. The Self-Regulatory Principles will continue to be enforced for other methods of data collection, but a grace period (how long is still unknown) will be in place before enforcing application of those principles to Cross-App Data, Precise Location Data, and Personal Directory Data. That being said, the sooner the better. It is crucial to protect the robustness of the marketplace, as well as enhance trust among consumers that their data is subject to strict and transparent privacy controls. For anyone working in the mobile marketing eco-system, the Guidance provides a set of very helpful rules for ensuring that data collection practices, new and old, are treated uniformly. If you have any concerns about the Self-Regulatory Principles or about the Guidance, Kilpatrick Townsend’s Advertising team can assist with any questions you may have.

Definitions

“Affiliate”: an entity that controls, is controlled by, or is under common control with another entity.

“First Party”: the entity offering the application and its Affiliates, i.e. the entity that the consumer interacts with directly. This includes agents, which means that the Self-Regulatory Principles apply even if the First Party’s obligations are outsourced.

“Third Party”: an entity that collects Cross-App Data or Precise Location Data from or through a non-Affiliate’s application, or collects Personal Directory Data from a device. In some situations, a First Party can be a Third Party for certain activities and vice versa. It all depends on how the consumer reasonably understands its relationship with the entity for those activities, and whether the there is a direct interaction between the consumer and the entity.