BBB National Programs Archive
App Publishers Privacy Tips
They may be small, but mobile devices are powerful computers. And even though our smartphones may fit in the palm of our hands, we still expect them to act like regular computers, with icons for launching programs and menus full of easy-to-understand options and commands. So why shouldn’t consumer privacy controls look similar, too? The Digital Advertising Alliance followed this logic when it adapted its privacy Principles to the mobile environment in 2013, translating web-based privacy standards for interest-based ads (IBA) to the mobile environment.
There are a lot of details to the Mobile Guidance, but they all flow from three simple ideas:
- Users deserve up-front notice if their online activities will be monitored to deliver interest-based ads.
- Users who choose not to participate in the interest-based advertising ecosystem should be able to easily exercise this choice.
- Users’ sensitive data should not be collected for advertising purposes unless they explicitly consent.
Thus, as an app publisher, your compliance strategy should include periodic reviews of: (a) the user experience of downloading and first opening your mobile app, (b) the clarity of your privacy disclosures, and (c) the consistency of your disclosures with any third-party integrations in your app. We discuss these ideas in our recent Finish Line decision, but we wanted to provide you with a shorter summary of your responsibilities here.
Users need to receive “enhanced notice” of any third-party IBA activity (including data collection) that takes place in your app. You can provide this up-front notice at a number of different times and locations, each of which is spelled out in the Mobile Guidance. (For the compliance-minded in the audience, the relevant section is III.A.(3).) All of these options may seem confusing at first blush, but they can be summed up very simply: you have to provide consumers enhanced notice at or before the first time third-parties collect data for IBA on your app.
Ask yourself: will a user know that their data is being collected for IBA when they first launch my app?
Special Data Types
Apps must request permissions from users in order to access certain sensitive resources on a user’s phone. Standard procedure in the mobile app world involves showing users an operating-system-generated prompt to request the relevant permission. But be careful about relying on the default system prompts alone to request consent for your collection of this data, because they may not give users the whole story.
Think about adding a custom dialog box before the system prompt that specifically describes why your app needs access to this sensitive data. If you share this data with third parties for IBA, this should be clear to the user before they give consent. This helps to guarantee that you have gotten consent from your users to use their data in ways that might not be obvious to them. This is particularly relevant in the case of precise location data, about which we recently conducted a webinar with the Digital Advertising Alliance and a major app developer.
And as always, whether it’s at the beginning of your development process, the end, or in between, you can contact the Online Interest-Based Advertising Accountability Program for advice about meeting industry best practices.