Arlington, VA – December 10, 2018 – The Online Interest-Based Advertising Accountability Program, an independent enforcer of the Digital Advertising Alliance’s self-regulatory Principles, released the results of inquiries into two advertising technology companies. The companies, Kiip and VRTCAL, updated their privacy disclosures and consumer opt-out tools to ensure that they met the requirements of industry best practices for interest-based advertising.

“Making opt-out tools easy to use and ensuring they are clearly described are essential components of the DAA Principles,” said Jon Brescia, Accountability Program Director of Adjudications and Technology. “We are pleased to see that Kiip and VRTCAL have taken this philosophy to heart.”

The Accountability Program routinely tests mobile apps for compliance with the DAA Principles. As part of this work, the Accountability Program tested a popular dating app, where it observed VRTCAL collecting user data—including precise location information—for IBA. Following a review of VRTCAL’s data collection practices and privacy disclosures, the Accountability Program found that the company did not meet the requirements for transparency and control under the Principles.

After receiving an Accountability Program inquiry letter, VRTCAL immediately indicated its strong support for consumer privacy and self-regulation and worked diligently to come into compliance fully with the DAA Principles.

VRTCAL:

• clarified its disclosures of its IBA business practices,
• added instructions in its privacy policy to help users opt out of IBA taking place on smartphones,
• revised its contracts to require that its partners get consumer consent before collecting precise location data through apps for IBA, and
• added instructions to its privacy disclosures explaining how to revoke location data permissions on smartphones.

Today’s second decision concerns the mobile advertising network Kiip, which the Accountability Program determined was collecting data through a popular exercise app. While similar in content to VRTCAL, the Kiip case is a continuation of the Accountability Program’s enforcement of the Cross-Device Guidance. These rules outline the industry standards for privacy when tech companies collect data across multiple devices associated with a single user, such as a laptop, smartphone, and tablet.

To come into compliance with these best practices, Kiip updated its privacy policy to make clear to the public that the company may collect and associate data across a user’s devices. The company also explained how users can opt out of each type of device it uses to power its cross-device IBA and how their opt out choices are implemented in a cross-device context.

Additionally, Kiip took steps to clarify its description of its opt-out tool for mobile IBA, ensuring that consumers had clear instructions of how to opt out of the company’s practices on smartphones. And like VRTCAL, the company also modified its privacy policy and contractual terms to provide consumers with enhanced notice and choice about the collection of their precise location data. Finally, Kiip appreciated the fact that privacy policy changes are prospective, creating an engineering solution to put this into practice. Kiip now ties each unique ID to a privacy policy version to ensure that it will always apply the relevant data collection and use policies.

Today’s case release brings to 95 the public actions taken by the Accountability Program.