Inquiry Reveals Flaws in Popular Mobile Apps’ Privacy Notices
Kids’ Game and Health App Collecting Location and Other User Data without Notice and Choice in Violation of Digital Advertising Alliance Principles
Arlington, VA – July 14, 2016 – Industry’s independent cop, the Online Interest-Based Advertising Accountability Program, continues to patrol the mobile beat. Its latest cases, SEGA and iTriage, bring to light problems with two widely-used apps that allowed third parties to collect and use consumers’ precise location data for interest-based advertising before providing the required notice and obtaining users’ affirmative consent. SEGA’s Sonic Runners, a gaming app, also raised issues under the Children’s Online Privacy Protection Act, as incorporated in the Digital Advertising Alliance Self-Regulatory Principles. Both companies cooperated with the Accountability Program’s review and have pledged to comply with the Digital Advertising Alliance’s stringent standards in all their current and future offerings to the public.
The Accountability Program’s testing of SEGA’s Sonic Runners revealed that the game failed to provide transparency and consumer control, as mandated under the DAA’s Mobile Guidance, which are designed to ensure that consumers understand whether their data will be used for IBA before they activate the app and can exercise choice about IBA. Moreover, because Sonic Runners attracts a substantial number of children under 13, the Accountability Program reviewed whether it was in compliance with the DAA’s Principles, which only allow such collection in compliance with COPPA. Under COPPA, apps that attract mixed audiences of users both over and under 13 must ensure that no personal information—including unique identifiers used for advertising purposes—is collected from any children under 13 without either obtaining verifiable parental consent or meeting one of the law’s exceptions.
Sonic Runners used an age gate to identify and prevent the collection of personal information from children under 13. However, the Accountability Program’s tests of SEGA’s app revealed its age-gating mechanism was not functioning properly. Moreover, the Accountability Program discovered that SEGA had permitted a third-party ad network to collect precise location data for IBA through Sonic Runners without providing notice of this third-party collection and obtaining prior affirmative consent from users. As soon as SEGA was alerted about these compliance issues, the company removed Sonic Runners from the app stores where it was previously available and altered the game to remove all third-party advertising software before offering it to the public again. SEGA also engineered a mandatory update that was sent to all current users of the game. The update included a disclosure stating that the new version of the app prevents the collection of advertising identifiers from children under the age of 13.
The iTriage app has a variety of healthcare-related functions, such as enabling users to find covered medical service providers; look up information on medical conditions and terms; enter insurance account information; schedule appointments; and keep track of medical records. When tested, the iTriage app requested permission to access the user’s identity, calendar, location, photo and media files, and Wi-Fi connection information, which were necessary to fulfill some of the app’s functions but were not being used for IBA. However, the app neglected to tell the user that precise location information would also be transferred to its advertising partners for use in IBA. Under the Mobile Guidance, before allowing third parties to obtain precise location for IBA, an app must get affirmative consent from its users. iTriage committed to stop the use of precise location information for advertising and to give users the transparency and choice the DAA Principles demand with respect to collection and use of data for IBA. In addition, iTriage agreed to add real-time notice of data collection and use for IBA that links to an opt-out mechanism on both its app and its website. iTriage’s parent company, Aetna, also agreed to add these features to its website before it began any collection and use of data across sites for IBA. iTriage and Aetna have pledged that if they expand their IBA to include third parties’ use of personal directory data or healthcare data to be used for interest-based advertising, they will be transparent to users, who will be given the choice whether to participate.
“Today’s decisions are a win for both consumers and advertisers,” commented Genie Barton, Director of the Accountability Program. “Consumers are empowered to make informed choices about their data… Companies earn the trust of their audience by engaging with them with transparency and respect for their choices.”
Today’s releases bring to 68 the public actions taken by the Accountability Program.