App Publishers Privacy Tips

Aug 2, 2019, 12:00 PM by BBB National Programs

They may be small, but mobile devices are powerful computers. And even though our smartphones may fit in the palm of our hands, we still expect them to act like regular computers, with icons for launching programs and menus full of easy-to-understand options and commands. So why shouldn’t consumer privacy controls look similar, too? The Digital Advertising Alliance followed this logic when it adapted its privacy Principles to the mobile environment in 2013, translating web-based privacy standards for interest-based ads (IBA) to the mobile environment.

There are a lot of details to the Mobile Guidance, but they all flow from three simple ideas:

  1. Users deserve up-front notice if their online activities will be monitored to deliver interest-based ads.
  2. Users who choose not to participate in the interest-based advertising ecosystem should be able to easily exercise this choice.
  3. Users’ sensitive data should not be collected for advertising purposes unless they explicitly consent.

Thus, as an app publisher, your compliance strategy should include periodic reviews of: (a) the user experience of downloading and first opening your mobile app, (b) the clarity of your privacy disclosures, and (c) the consistency of your disclosures with any third-party integrations in your app. We discuss these ideas in our recent Finish Line decision, but we wanted to provide you with a shorter summary of your responsibilities here.

User Experience

Users need to receive “enhanced notice” of any third-party IBA activity (including data collection) that takes place in your app. You can provide this up-front notice at a number of different times and locations, each of which is spelled out in the Mobile Guidance. (For the compliance-minded in the audience, the relevant section is III.A.(3).) All of these options may seem confusing at first blush, but they can be summed up very simply: you have to provide consumers enhanced notice at or before the first time third-parties collect data for IBA on your app.  

Ask yourself: will a user know that their data is being collected for IBA when they first launch my app?


This one is straightforward. You need to spell out—in writing—what third-party IBA practices you allow in your app. Usually, companies put this in a section of their privacy policy, but you can use a dedicated webpage, too. Either way, you need to tell your users if you are allowing other companies to collect and use their data for IBA, and you should provide them with instructions they can use to opt out. The opt-out requirement, when translated to the mobile space, means that many companies either include a link to the DAA’s AppChoices app or link to explanations of how to engage the system-level opt-out settings on iOS and Android.

Remember: the cookie-based opt-out solution in your privacy policy does not apply to your mobile app!


Set up an internal compliance routine to ensure that, as your app develops, your privacy disclosures do not fall out of date. If you add new third-party integrations, it’s a good idea to make sure your privacy policy reflects any changes to data collection or sharing arrangements that may result. And if those changes bring new IBA practices to your app, you should ensure that consumers get appropriate notice of and control over them. Work with your vendors up front to ensure that everyone is aware of their compliance needs and obligations.

Special Data Types

Apps must request permissions from users in order to access certain sensitive resources on a user’s phone. Standard procedure in the mobile app world involves showing users an operating-system-generated prompt to request the relevant permission. But be careful about relying on the default system prompts alone to request consent for your collection of this data, because they may not give users the whole story.

Think about adding a custom dialog box before the system prompt that specifically describes why your app needs access to this sensitive data. If you share this data with third parties for IBA, this should be clear to the user before they give consent. This helps to guarantee that you have gotten consent from your users to use their data in ways that might not be obvious to them.

And as always, whether it’s at the beginning of your development process, the end, or in between, you can contact theOnline Interest-Based Advertising Accountability Program for advice about meeting industry best practices.

Suggested Articles


Avoid Misleading Messages When Advertising Medical Devices

Advertisers of medical devices face complex tasks when marketing their products. In addition to complying with FDA regulations, medical device advertising is subject to the same truth-in-advertising principles set by the FTC. In addition to express claims, marketers are responsible for all the messages reasonably conveyed to consumers in their advertising and should ask some important questions to ensure consumers are not misled. Ask yourself these questions when advertising medical devices to avoid conveying misleading messages.
Read more

The Do’s and Don’ts of Buying Smart for Baby: A Primer from Privacy Experts

Researching a new product and finding the critical or in-depth information you are looking for to build confidence in your purchasing decision often requires sifting through superficial lists of “best products.” These lists are often sponsored by the products they feature, which means instead of a focus on being helpful they are full of incentivized endorsements and affiliate links. In this blog, we provide a list – not a sponsored list – of some do’s and don’ts for how to confidently research smart devices.
Read more

When Web Designs Turn Into Dark Patterns And What To Do About It

Recently I wrote about the proliferation of dark patterns and tried to give readers a sense of just how widespread these practices are. But it is not just the pervasiveness of dark patterns that has lawmakers and regulators concerned, it is the intent behind them and their impact on consumers. Nonprofit leaders, in particular, should be aware of this and how to guard against it given that they are well-positioned to garner and enhance consumer trust.
Read more

Politics Aside, Advertising Gains Guidance on Deception and Substantiation in the 1980s

As we continue to celebrate the 50th anniversary of the National Advertising Division (NAD) we are looking forward while taking stock of past decades, with a special focus on decisions and developments that continue to impact advertising law and NAD cases today. This month we highlight two pivotal moments from the 1980’s that helped shape NAD’s jurisprudence.
Read more