App Publishers Privacy Tips

Aug 2, 2019, 12:00 PM by BBB National Programs

They may be small, but mobile devices are powerful computers. And even though our smartphones may fit in the palm of our hands, we still expect them to act like regular computers, with icons for launching programs and menus full of easy-to-understand options and commands. So why shouldn’t consumer privacy controls look similar, too? The Digital Advertising Alliance followed this logic when it adapted its privacy Principles to the mobile environment in 2013, translating web-based privacy standards for interest-based ads (IBA) to the mobile environment.

There are a lot of details to the Mobile Guidance, but they all flow from three simple ideas:

  1. Users deserve up-front notice if their online activities will be monitored to deliver interest-based ads.
  2. Users who choose not to participate in the interest-based advertising ecosystem should be able to easily exercise this choice.
  3. Users’ sensitive data should not be collected for advertising purposes unless they explicitly consent.

Thus, as an app publisher, your compliance strategy should include periodic reviews of: (a) the user experience of downloading and first opening your mobile app, (b) the clarity of your privacy disclosures, and (c) the consistency of your disclosures with any third-party integrations in your app. We discuss these ideas in our recent Finish Line decision, but we wanted to provide you with a shorter summary of your responsibilities here.

User Experience

Users need to receive “enhanced notice” of any third-party IBA activity (including data collection) that takes place in your app. You can provide this up-front notice at a number of different times and locations, each of which is spelled out in the Mobile Guidance. (For the compliance-minded in the audience, the relevant section is III.A.(3).) All of these options may seem confusing at first blush, but they can be summed up very simply: you have to provide consumers enhanced notice at or before the first time third-parties collect data for IBA on your app.  

Ask yourself: will a user know that their data is being collected for IBA when they first launch my app?

Disclosures

This one is straightforward. You need to spell out—in writing—what third-party IBA practices you allow in your app. Usually, companies put this in a section of their privacy policy, but you can use a dedicated webpage, too. Either way, you need to tell your users if you are allowing other companies to collect and use their data for IBA, and you should provide them with instructions they can use to opt out. The opt-out requirement, when translated to the mobile space, means that many companies either include a link to the DAA’s AppChoices app or link to explanations of how to engage the system-level opt-out settings on iOS and Android.

Remember: the cookie-based opt-out solution in your privacy policy does not apply to your mobile app!

Consistency

Set up an internal compliance routine to ensure that, as your app develops, your privacy disclosures do not fall out of date. If you add new third-party integrations, it’s a good idea to make sure your privacy policy reflects any changes to data collection or sharing arrangements that may result. And if those changes bring new IBA practices to your app, you should ensure that consumers get appropriate notice of and control over them. Work with your vendors up front to ensure that everyone is aware of their compliance needs and obligations.

Special Data Types

Apps must request permissions from users in order to access certain sensitive resources on a user’s phone. Standard procedure in the mobile app world involves showing users an operating-system-generated prompt to request the relevant permission. But be careful about relying on the default system prompts alone to request consent for your collection of this data, because they may not give users the whole story.

Think about adding a custom dialog box before the system prompt that specifically describes why your app needs access to this sensitive data. If you share this data with third parties for IBA, this should be clear to the user before they give consent. This helps to guarantee that you have gotten consent from your users to use their data in ways that might not be obvious to them.

And as always, whether it’s at the beginning of your development process, the end, or in between, you can contact theOnline Interest-Based Advertising Accountability Program for advice about meeting industry best practices.

Other Blog Articles

Blog

Defining 'Child-Directed' and Addressing New Technology: Discussing COPPA Updates at CARU 2020

On September 22, the 2020 CARU Conference kicked off the Fall Series with a keynote from the Federal Trade Commission’s (FTC)'s Peder Magee, and Phyllis Marcus, a Partner at Huton Andrews Kurth and one of the original authors of the Children's Online Privacy Protection Act (COPPA).
Read more
Blog

What Parents Need to Know About Mobile App and Device Permissions

If there is one thing most parents know, it’s that Kids. Love. Apps. But how do you determine what apps are "safe" for your child to download? If you want to evaluate an app to determine how safe your child’s data will be if they use it, let's start by understanding the permissions the app asks for.
Read more
Blog

Schrems II: What Do Privacy Shield Businesses Need to Know?

The July 16 decision from the CJEU, known as Schrems II, addressed two mechanisms for transferring EU individuals’ personal data outside the EU. As the situation continues to develop, and before making changes to their practices around international data transfers, businesses should pause to review their data flows, contracts, and substantive commitments, and their current chain of compliance and accountability for data received from the EU.
Read more
Blog

CARU’s Summer Series Wrap-Up: The Need-to-Know Takeaways from our Expert Speakers

Now at the halfway point of the CARU Conference 2020, it seems like a good time to reflect on the four sessions of the Summer Series that are under our belt and the key takeaways from our expert speakers.
Read more