App Publishers Privacy Tips

Aug 2, 2019, 12:00 PM by BBB National Programs

They may be small, but mobile devices are powerful computers. And even though our smartphones may fit in the palm of our hands, we still expect them to act like regular computers, with icons for launching programs and menus full of easy-to-understand options and commands. So why shouldn’t consumer privacy controls look similar, too? The Digital Advertising Alliance followed this logic when it adapted its privacy Principles to the mobile environment in 2013, translating web-based privacy standards for interest-based ads (IBA) to the mobile environment.

There are a lot of details to the Mobile Guidance, but they all flow from three simple ideas:

  1. Users deserve up-front notice if their online activities will be monitored to deliver interest-based ads.
  2. Users who choose not to participate in the interest-based advertising ecosystem should be able to easily exercise this choice.
  3. Users’ sensitive data should not be collected for advertising purposes unless they explicitly consent.

Thus, as an app publisher, your compliance strategy should include periodic reviews of: (a) the user experience of downloading and first opening your mobile app, (b) the clarity of your privacy disclosures, and (c) the consistency of your disclosures with any third-party integrations in your app. We discuss these ideas in our recent Finish Line decision, but we wanted to provide you with a shorter summary of your responsibilities here.

User Experience

Users need to receive “enhanced notice” of any third-party IBA activity (including data collection) that takes place in your app. You can provide this up-front notice at a number of different times and locations, each of which is spelled out in the Mobile Guidance. (For the compliance-minded in the audience, the relevant section is III.A.(3).) All of these options may seem confusing at first blush, but they can be summed up very simply: you have to provide consumers enhanced notice at or before the first time third-parties collect data for IBA on your app.  

Ask yourself: will a user know that their data is being collected for IBA when they first launch my app?


This one is straightforward. You need to spell out—in writing—what third-party IBA practices you allow in your app. Usually, companies put this in a section of their privacy policy, but you can use a dedicated webpage, too. Either way, you need to tell your users if you are allowing other companies to collect and use their data for IBA, and you should provide them with instructions they can use to opt out. The opt-out requirement, when translated to the mobile space, means that many companies either include a link to the DAA’s AppChoices app or link to explanations of how to engage the system-level opt-out settings on iOS and Android.

Remember: the cookie-based opt-out solution in your privacy policy does not apply to your mobile app!


Set up an internal compliance routine to ensure that, as your app develops, your privacy disclosures do not fall out of date. If you add new third-party integrations, it’s a good idea to make sure your privacy policy reflects any changes to data collection or sharing arrangements that may result. And if those changes bring new IBA practices to your app, you should ensure that consumers get appropriate notice of and control over them. Work with your vendors up front to ensure that everyone is aware of their compliance needs and obligations.

Special Data Types

Apps must request permissions from users in order to access certain sensitive resources on a user’s phone. Standard procedure in the mobile app world involves showing users an operating-system-generated prompt to request the relevant permission. But be careful about relying on the default system prompts alone to request consent for your collection of this data, because they may not give users the whole story.

Think about adding a custom dialog box before the system prompt that specifically describes why your app needs access to this sensitive data. If you share this data with third parties for IBA, this should be clear to the user before they give consent. This helps to guarantee that you have gotten consent from your users to use their data in ways that might not be obvious to them.

And as always, whether it’s at the beginning of your development process, the end, or in between, you can contact theOnline Interest-Based Advertising Accountability Program for advice about meeting industry best practices.

Other Blog Articles


Status Update on Transatlantic Data Transfers: Building Bridges Takes Time

As 2020 draws to a close it is a good time to reflect on learnings about the future of authorized transatlantic data transfer mechanisms. In light of Brexit and continuing developments surrounding Schrems II, we discuss what the structure of the current Privacy Shield Framework can teach us much about what future commercial transfer mechanisms are likely to look like, as well as what businesses can do to shore up their compliance efforts.
Read more

Operation Income Illusion: A Positive Step by the FTC to Curb Deceptive Income Claims

The Federal Trade Commission (FTC)’s December 14 Operation Income Illusion initiative is a crackdown by the FTC and 19 federal, state, and local law enforcement partners against those that purport to offer significant income opportunities but that end up costing consumers thousands of dollars. This effort is consistent with an ongoing effort in the direct selling industry to ensure income claims are communicated truthfully and accurately.
Read more

CFBAI and CCAI 2019 Report on Compliance and Progress Published

BBB National Programs has published the Children's Food and Beverage Advertising Initiative (CFBAI) and Children’s Confection Advertising Initiative (CCAI) Report on Compliance and Progress During 2019. The report finds excellent compliance by all companies participating in the programs from January 2019 – December 2019. The report also notes the CFBAI participants’ implementation of stricter Uniform Nutrition Criteria in 2020.
Read more

CARU’s Year in Review: Defining Kidvertising and Tackling Hot Topics Head On

During an uncertain year, the team at the Children’s Advertising Review Unit (CARU) stayed busy. Through casework, online conferences, an evolving technology landscape, updates to policy and guidelines, and new thought leadership, our efforts furthered our mission to help companies comply with the laws and guidelines that protect children and their personal data.
Read more