Continuing its efforts to have app and website operators provide users with enhanced notice about third-party data collection, the Digital Advertising Alliance (DAA) Online Accountability Program recently issued a pair of new decisions.
The first case involved Dine Brands Global, the owner and operator of The International House of Pancakes (IHOP) and Applebee’s. As part of its regular monitoring activities, the Accountability Program visited the restaurants’ websites and observed “a number” of third-party interest-based advertising (IBA) entities known to be collecting data about visitors.
Pursuant to the DAA Self-Regulatory Principles for Online Behavioral Advertising (Principles), all first parties authorizing third parties to engage in IBA on their websites must provide consumers with meaningful notice and choice in the form of enhanced notice.
As the IHOP and Applebee’s sites both lacked the required notice, the Accountability Program reached out to Dine Brands.
Dine Brands also promised to ensure that an enhanced notice link would be available on other company websites that authorize third-party data collection for IBA.
In the second case, the Accountability Program similarly discovered third parties that collect cross-app data likely for IBA on the Lose It! site—an exercise and weight loss app published by Massachusetts-based FitNow—which also failed to provide enhanced notice for consumers.
One of the third parties also appeared to be collecting location data, the self-regulatory body said.
As for the location data issue, FitNow found that the data was collected for a purpose related to the app’s functionality. To ensure that no accidental exfiltration of such data could occur, the company included a patch to its mobile app that disabled the collection of location data entirely.
To read the Dine Brands Global decision, click here.
To read the FitNow decision, click here.
Why it matters: These decisions continue a “long line” of enforcement actions by the DAA against apps and website publishers for failing to provide users with enhanced notice about third-party data collection. Companies engaged in IBA should take note of these developments and reassess their compliance program to ensure that their data handling and advertising practices are in line with the expansive self-regulatory framework that governs this space. Companies should keep in mind the requirements of the various accountability programs to ensure that enhanced notice and functional opt-outs are provided and, in many circumstances, that consumer consent, where required, has been obtained.
Websites and mobile apps that are uncertain as to whether they comply (or need to comply) with the DAA’s enhanced notice requirements should as a first step perform an audit of third-party tracking occurring on their sites and apps—whether by doing an inventory of tags placed on their site/app or by reviewing third-party contracts (or, preferably, both). Third parties, in turn, should increasingly expect to be held to an “enhanced notice” standard regardless, given the gaps in first-party compliance that are likely to occur.