BBB National Programs Archive

New Cop on the Mobile Privacy Beat

Mobile Apps Update Software, Disclosures to Comply with DAA Mobile Guidance

Arlington, VA – May 4, 2016 – The release of the Online Interest-Based Advertising Accountability Program’s compliance decisions involving popular apps published by SpinrillaTop Free Games, and Bearbit Studios puts mobile companies on notice that the Digital Advertising Alliance Self-Regulatory Principles are now in full force in the mobile world. The DAA’s Mobile Guidance incorporates the Principles and shows companies how to implement them in the technically challenging mobile environment. Consumers can now count on receiving the same real-time notice and choice about interest-based advertising on their mobile devices that they have long enjoyed when browsing the web on their desktops. The Accountability Program is also enforcing restrictions on precise location data and children’s personal information, two types of data collection and use that raise heightened privacy concerns.

The Accountability Program’s inaugural cases are particularly significant in light of mobile’s popularity. Mobile Internet access, which now surpasses desktop, continues to climb steadily. Advertising spending on mobile is set to reach 72% of all digital advertising in the next few years.

The Spinrilla decision explains the steps that an app must take to provide notice and robust choice to consumers before allowing a third party to collect precise location data from a consumer for use in IBA. Spinrilla’s top-rated audio app, downloaded by millions of music lovers, allows users to listen to digital mixtapes of songs from emerging artists. The company was unaware of its responsibilities under the DAA Principles. Spinrilla had been allowing third parties to collect the device’s precise location for use in IBA. Once contacted by the Accountability Program, Spinrilla immediately made changes to come into compliance with all its responsibilities under the DAA Principles. The company decided to rescind third-party permissions to collect precise location data. It also added transparency and consumer control about cross-app IBA by placing links in the app’s description in the Google and Apple apps stores and within the app that take users to an IBA disclosure with opt-out instructions. In addition, Spinrilla, which offers consumers similar music mixing capabilities on its website and app, added enhanced notice of data collection and use on the website.

The Accountability Program decisions regarding Bearbit Studios and Top Free Games set out the heightened duties of apps that appeal, among others, to an audience of children under 13. Bearbit Studios and Top Free Games publish a number of popular games. The Accountability Program reviewed Bearbit Studios’ Smashy Road: Wanted app and Top Free Games’ Mouse Maze app. The Accountability Program found a number of indicia that Smashy Road: Wanted and Mouse Maze would likely appeal to children under the age of 13, including the apps’ cartoon characters and settings, the simplicity of initial levels of play, and comments in user reviews. Third parties were collecting persistent identifiers used for advertising (IDFAs) on these apps.

The Sensitive Data Principle forbids the collection and use of personal information for IBA from an app directed to children or from a child known to be under the age of 13, except as compliant with the Children’s Online Privacy Protection Act. The Federal Trade Commission’s COPPA regulations define persistent identifiers used for IBA as personal information under COPPA. Where an app has a varied audience that includes a significant number of children, the app is allowed to use a mechanism to determine its users’ ages. This “age gate” is used to flag users under 13 so that their personal information is not collected by the app or by its third-party advertising partners for use in IBA. While Top Free Games maintained that it was a general audience app, it joined Bearbit in implementing an age-gating mechanism. Both companies also added enhanced notice links in their application store listings and apps that lead to disclosures containing opt-out instructions, similar to those put in place by Spinrilla.

While Top Free Games accepted the Accountability Program’s recommendations for changes to Mouse Maze, the company refused to commit to compliance with the DAA Principles going forward on its offerings to users in the United States. Top Free Games is the first company doing business in the United States that has refused to make this commitment. As a consequence, the Accountability Program will scrutinize Top Free Games’ offerings to US users through regular ongoing monitoring.

The Accountability Program’s mobile application monitoring efforts are augmented by the pro bono assistance of Virginia security firm, Kryptowire. Kryptowire’s advanced testing capabilities expand the number of applications that Accountability Program staff can examine for compliance with the Mobile Guidance.

“Today’s cases send a simple, direct message to mobile app developers and the advertising companies whose services support them: the Accountability Program is watching,” said Genie Barton, Council of Better Business Bureaus VP and Director of the Accountability Program. “We have access to sophisticated monitoring capabilities to detect violations. We advise any company grappling with implementation questions in these early days of mobile compliance—contact us for help, before we contact them with a formal inquiry. Our mission is to build trust between consumers and companies interacting on mobile devices, to the benefit of both.”

Today’s releases mark the 66th public action taken by the Accountability Program.