App Publishers Privacy Tips

May 5, 2020 by Digital Advertising Accountability Program

They may be small, but mobile devices are powerful computers. And even though our smartphones may fit in the palm of our hands, we still expect them to act like regular computers, with icons for launching programs and menus full of easy-to-understand options and commands. So why shouldn’t consumer privacy controls look similar, too? The Digital Advertising Alliance followed this logic when it adapted its privacy Principles to the mobile environment in 2013, translating web-based privacy standards for interest-based ads (IBA) to the mobile environment.

There are a lot of details to the Mobile Guidance, but they all flow from three simple ideas:

  1. Users deserve up-front notice if their online activities will be monitored to deliver interest-based ads.
  2. Users who choose not to participate in the interest-based advertising ecosystem should be able to easily exercise this choice.
  3. Users’ sensitive data should not be collected for advertising purposes unless they explicitly consent.

Thus, as an app publisher, your compliance strategy should include periodic reviews of: (a) the user experience of downloading and first opening your mobile app, (b) the clarity of your privacy disclosures, and (c) the consistency of your disclosures with any third-party integrations in your app. We discuss these ideas in our recent Finish Line decision, but we wanted to provide you with a shorter summary of your responsibilities here.

User Experience

Users need to receive “enhanced notice” of any third-party IBA activity (including data collection) that takes place in your app. You can provide this up-front notice at a number of different times and locations, each of which is spelled out in the Mobile Guidance. (For the compliance-minded in the audience, the relevant section is III.A.(3).) All of these options may seem confusing at first blush, but they can be summed up very simply: you have to provide consumers enhanced notice at or before the first time third-parties collect data for IBA on your app.  

Ask yourself: will a user know that their data is being collected for IBA when they first launch my app?

Disclosures

This one is straightforward. You need to spell out—in writing—what third-party IBA practices you allow in your app. Usually, companies put this in a section of their privacy policy, but you can use a dedicated webpage, too. Either way, you need to tell your users if you are allowing other companies to collect and use their data for IBA, and you should provide them with instructions they can use to opt out. The opt-out requirement, when translated to the mobile space, means that many companies either include a link to the DAA’s AppChoices app or link to explanations of how to engage the system-level opt-out settings on iOS and Android.

Remember: the cookie-based opt-out solution in your privacy policy does not apply to your mobile app!

Consistency

Set up an internal compliance routine to ensure that, as your app develops, your privacy disclosures do not fall out of date. If you add new third-party integrations, it’s a good idea to make sure your privacy policy reflects any changes to data collection or sharing arrangements that may result. And if those changes bring new IBA practices to your app, you should ensure that consumers get appropriate notice of and control over them. Work with your vendors up front to ensure that everyone is aware of their compliance needs and obligations.

Special Data Types

Apps must request permissions from users in order to access certain sensitive resources on a user’s phone. Standard procedure in the mobile app world involves showing users an operating-system-generated prompt to request the relevant permission. But be careful about relying on the default system prompts alone to request consent for your collection of this data, because they may not give users the whole story.

Think about adding a custom dialog box before the system prompt that specifically describes why your app needs access to this sensitive data. If you share this data with third parties for IBA, this should be clear to the user before they give consent. This helps to guarantee that you have gotten consent from your users to use their data in ways that might not be obvious to them. This is particularly relevant in the case of precise location data, about which we recently conducted a webinar with the Digital Advertising Alliance and a major app developer.

And as always, whether it’s at the beginning of your development process, the end, or in between, you can contact the Online Interest-Based Advertising Accountability Program for advice about meeting industry best practices.

Suggested Articles

Blog

The Evolution of CARU: Laying the Foundation in the 70s and 80s

For the last 50 years, companies marketing to children have held each other to a high ethical standard. The Children’s Advertising Review Unit (CARU) was established in 1974 as the U.S. mechanism of independent self-regulation for protecting children from deceptive or inappropriate advertising. Spanning decades, CARU’s early cases reflect the evolution of the children’s advertising and marketing space.
Read more
Blog

Think of the Children: A Comparison of APRA and COPPA 2.0

It is vital that the business community at large parse through the differing approaches of COPPA 2.0 and APRA to children's privacy and understand where these bills would overlap or contradict each other. To help, the Children’s Advertising Review Unit (CARU) privacy team is breaking them down.
Read more
Blog

Unlocking Global Data Privacy Interoperability with CBPRs

In our digitally connected world, safeguarding personal data is essential. To help accomplish that goal, the new Global Cross Border Privacy Rules (CBPR) System launched this week by the Department of Commerce, offering a much-needed framework for a new era of international data protection.
Read more
Blog

Integrating Soft Law as a ‘Middle Way” for Business and Nonprofit Success

Now is not the time for businesses and nonprofits to go to extremes either. A middle way – a pathway that is built on a strong corporate governance foundation with a keen cognizance of the law – is the optimal path forward for continued innovation.
Read more