BBB National Programs Archive

Inquiry Reveals Flaws in Popular Mobile Apps’ Privacy Notices

Kids’ Game and Health App Collecting Location and Other User Data without Notice and Choice in Violation of Digital Advertising Alliance Principles

Arlington, VA – July 14, 2016 – Industry’s independent cop, the Online Interest-Based Advertising Accountability Program, continues to patrol the mobile beat. Its latest cases, SEGA and iTriage, bring to light problems with two widely used apps that allowed third parties to collect and use consumers’ precise location data for interest-based advertising (IBA) before providing the required notice and obtaining users’ affirmative consent. SEGA’s Sonic Runners, a gaming app, also raised issues under the Children’s Online Privacy Protection Act (COPPA), as incorporated in the Digital Advertising Alliance (DAA) Self-Regulatory Principles. Both companies cooperated with the Accountability Program’s review and have pledged to comply with the Digital Advertising Alliance’s stringent standards in all their current and future offerings to the public.

The Accountability Program’s testing of SEGA’s Sonic Runners revealed that the game failed to provide the transparency and consumer control mandated under the DAA’s Mobile Guidance, which is designed to ensure that consumers understand whether their data will be used for IBA before they activate the app and can exercise choice about IBA. Moreover, because Sonic Runners attracts a substantial number of children under 13, the Accountability Program reviewed whether it was in compliance with the DAA’s Principles, which only allow such collection in compliance with COPPA. Under COPPA, apps that attract mixed audiences of users both over and under 13 must ensure that no personal information—including unique identifiers used for advertising purposes—is collected from any children under 13 without either obtaining verifiable parental consent or meeting one of the law’s exceptions.

Sonic Runners used an age gate to identify and prevent the collection of personal information from children under 13. However, the Accountability Program’s tests of SEGA’s app revealed that its age-gating mechanism was not functioning properly. Moreover, the Accountability Program discovered that SEGA had permitted a third-party ad network to collect precise location data for IBA through Sonic Runners without providing notice of this third-party collection and obtaining prior affirmative consent from users. As soon as SEGA was alerted to these compliance issues, the company removed Sonic Runners from the app stores where it was previously available and altered the game to remove all third-party advertising software before offering it to the public again. SEGA also engineered a mandatory update that was sent to all current users of the game. The update included a disclosure stating that the new version of the app prevents the collection of advertising identifiers from children under the age of 13.

The iTriage app has a variety of healthcare-related functions, such as enabling users to find covered medical service providers; look up information on medical conditions and terms; enter insurance account information; schedule appointments; and keep track of medical records. When tested, the iTriage app requested permission to access the user’s identity, calendar, location, photo and media files, and Wi-Fi connection information, which were necessary to fulfill some of the app’s functions but were not being used for IBA. However, the app neglected to tell the user that precise location information would also be transferred to its advertising partners for use in IBA. Under the Mobile Guidance, before allowing third parties to obtain precise location for IBA, an app must get affirmative consent from its users. iTriage committed to stop the use of precise location information for advertising and to give users the transparency and choice the DAA Principles demand with respect to collection and use of data for IBA. In addition, iTriage agreed to add real-time notice of data collection and use for IBA that links to an opt-out mechanism on both its app and its website. iTriage’s parent company, Aetna, also agreed to add these features to its website before it began any collection and use of data across sites for IBA. iTriage and Aetna have pledged that if they expand their IBA to include third parties’ use of personal directory data or healthcare data for interest-based advertising, they will be transparent with users, who will be given the choice whether to participate.

“Today’s decisions are a win for both consumers and advertisers,” commented Genie Barton, Director of the Accountability Program. “Consumers are empowered to make informed choices about their data… Companies earn the trust of their audience by engaging with them with transparency and respect for their choices.”

Today’s releases bring the number of public actions taken by the Accountability Program to 68.