App Publishers Privacy Tips

Aug 2, 2019 by BBB National Programs

They may be small, but mobile devices are powerful computers. And even though our smartphones may fit in the palm of our hands, we still expect them to act like regular computers, with icons for launching programs and menus full of easy-to-understand options and commands. So why shouldn’t consumer privacy controls look similar, too? The Digital Advertising Alliance followed this logic when it adapted its privacy Principles to the mobile environment in 2013, translating web-based privacy standards for interest-based ads (IBA) to the mobile environment.

There are a lot of details to the Mobile Guidance, but they all flow from three simple ideas:

  1. Users deserve up-front notice if their online activities will be monitored to deliver interest-based ads.
  2. Users who choose not to participate in the interest-based advertising ecosystem should be able to easily exercise this choice.
  3. Users’ sensitive data should not be collected for advertising purposes unless they explicitly consent.

Thus, as an app publisher, your compliance strategy should include periodic reviews of: (a) the user experience of downloading and first opening your mobile app, (b) the clarity of your privacy disclosures, and (c) the consistency of your disclosures with any third-party integrations in your app. We discuss these ideas in our recent Finish Line decision, but we wanted to provide you with a shorter summary of your responsibilities here.

User Experience

Users need to receive “enhanced notice” of any third-party IBA activity (including data collection) that takes place in your app. You can provide this up-front notice at a number of different times and locations, each of which is spelled out in the Mobile Guidance. (For the compliance-minded in the audience, the relevant section is III.A.(3).) All of these options may seem confusing at first blush, but they can be summed up very simply: you have to provide consumers enhanced notice at or before the first time third-parties collect data for IBA on your app.  

Ask yourself: will a user know that their data is being collected for IBA when they first launch my app?


This one is straightforward. You need to spell out—in writing—what third-party IBA practices you allow in your app. Usually, companies put this in a section of their privacy policy, but you can use a dedicated webpage, too. Either way, you need to tell your users if you are allowing other companies to collect and use their data for IBA, and you should provide them with instructions they can use to opt out. The opt-out requirement, when translated to the mobile space, means that many companies either include a link to the DAA’s AppChoices app or link to explanations of how to engage the system-level opt-out settings on iOS and Android.

Remember: the cookie-based opt-out solution in your privacy policy does not apply to your mobile app!


Set up an internal compliance routine to ensure that, as your app develops, your privacy disclosures do not fall out of date. If you add new third-party integrations, it’s a good idea to make sure your privacy policy reflects any changes to data collection or sharing arrangements that may result. And if those changes bring new IBA practices to your app, you should ensure that consumers get appropriate notice of and control over them. Work with your vendors up front to ensure that everyone is aware of their compliance needs and obligations.

Special Data Types

Apps must request permissions from users in order to access certain sensitive resources on a user’s phone. Standard procedure in the mobile app world involves showing users an operating-system-generated prompt to request the relevant permission. But be careful about relying on the default system prompts alone to request consent for your collection of this data, because they may not give users the whole story.

Think about adding a custom dialog box before the system prompt that specifically describes why your app needs access to this sensitive data. If you share this data with third parties for IBA, this should be clear to the user before they give consent. This helps to guarantee that you have gotten consent from your users to use their data in ways that might not be obvious to them.

And as always, whether it’s at the beginning of your development process, the end, or in between, you can contact the Online Interest-Based Advertising Accountability Program for advice about meeting industry best practices.

Suggested Articles


Are used cars covered under lemon laws?

Do your homework to make sure the used car you plan to buy is not a lemon, and if it is, does the lemon law cover it? The answer may depend on where you purchased the vehicle or where you live.
Read more

Case Study: Getting to Compliance with CARU and COPPA

In a recent case, CARU worked with TickTalk to help them achieve compliance with CARU’s Privacy Guidelines and the Children’s Online Privacy Protection Act (COPPA). CARU sat down with TickTalk once the case had closed to discuss their experience as well as some of the privacy challenges many companies face in the children’s space.
Read more

What to Know About the Georgia Lemon Law

BBB AUTO LINE provides an overview of each state’s lemon laws. In our ongoing blog series, we offer further insights on the laws for select states, and how BBB AUTO LINE can support consumers with lemon law disputes. Florida, California, and Texas have been covered. This post reviews the nuances of the lemon law in the Peachtree State – Georgia.
Read more

The TAPP Roadmap: Helping U.S. Companies Responsibly Collect and Manage Teenager Data

The TeenAge Privacy Program (TAPP) Roadmap was designed to assist any business that wishes to engage proactively with teen consumers, providing an operational framework to map the broad spectrum of potential harms impacting teens onto a concrete set of operational considerations.
Read more