The Digital Advertising Alliance (“DAA”) recently released a guidance document titled Application of Self-Regulatory Principles to the Mobile Environment (“Mobile Guidance”). The Mobile Guidance does not purport to establish new principles, but rather to explain how the DAA’s existing principles — the Self-Regulatory Principles for Online Behavioral Advertising and for Multi-Site Data — apply to the “mobile Web site and application environment.” Still, the Mobile Guidance contains a considerable amount of new direction that should interest publishers, advertisers, and other companies that operate in the online advertising space. Below is an overview of key takeaways from the Guidance.
The Guidance explains how companies operating in the mobile space should provide consumers “transparency” and “control” (i.e., notice and choice) in connection with four types of data: Multi-Site Data, Cross-App Data, Precise Location Data, and Personal Directory Data.
Although the DAA’s definitions of these types of data focus on the way in which data is collected, the application of the key principles of “Transparency” and “Control” depends mainly on the way the data is used. For example, the Multi-Site Principles define “Multi-Site Data” as “data collected from a particular computer or device regarding Web viewing over time and across non-Affiliate Web sites.” This definition focuses on the nature of the collection, but the “Transparency” and “Control” principles’ application to the data turns on the way the data is used: if Multi-Site Data is used for one of many enumerated purposes (e.g., IP protection, product or service fulfillment, and product development), the Principles’ transparency and control principles do not apply.
Thus, the guidelines suggest that companies evaluate their obligations not only by considering whether the data they collect is covered by the Principles, but also by determining how that data will be used. With that background, we turn to a discussion of the Mobile Guidance.
Multi-Site Data
Multi-Site Data (defined above) in the mobile context is data collected about consumers’ activities across non-affiliate mobile websites; it does not include data about the use of non-affiliate apps. (The latter is called “Cross-App Data,” which we discuss below). Entities that collect Multi-Site Data from mobile devices must comply with the Multi-Site Principles, which require companies that collect Multi-Site Data (so-called “Third Parties”) for purposes other than an enumerated exception to provide notice to consumers and an opportunity to opt out of the use of Multi-Site Data. First Parties—companies that own or control the websites where Multi-Site Data is collected—must provide, among other things, notice of such collection and a link directing consumers to a place where they can exercise choices about the use of their data.
Cross-App Data
“Cross-App Data,” defined for the first time in the Mobile Guidance, is “data collected from a particular device regarding application use over time and across non-Affiliate applications.” In commentary on this definition, the DAA explains that Cross-App Data includes “unique values assigned or attributed to a device or a unique combination of characteristics associated with a device where combined with Cross-App Data.” This commentary seems intended to explain that unique identifiers associated with a device are Cross-App Data when combined with information about a particular device’s use of non-Affiliate applications, but this is not entirely clear.
Unless the data is collected for one of several enumerated purposes, Third Parties—i.e., companies that collect Cross-App Data about the use of apps that they do not own or control—must provide notice about their practices (e.g., on their websites) and also “enhanced notice,” a link to information about their practices that may be provided in a number of different places (e.g., in or around an ad served within the app, in the app’s settings, or in the app’s privacy policy). Third Parties must also provide an opt-out for Cross-App Data collection for certain purposes.
First parties—the entities that own or control the apps where Cross-App Data is collected—should include a link that directs users to a place where they can exercise choice or learn the identity of the Third Parties that collect Cross-App Data through the application.
Notably, the Guidance explains that because there currently is no industry-wide choice mechanism for Cross-App Data (as there is in the web context), the requirements with respect to Cross-App Data (as well as Precise Location Data and Personal Directory Data) “will not be in effect or enforced by the DAA.” Presumably, these requirements will become enforceable after the industry-wide choice mechanism is created.
Precise Location Data
“Precise Location Data” is “data obtained from a device about the physical location of the device that is sufficiently precise to locate a specific individual or device.” Although this definition is rather general, the DAA’s commentary clarifies that it covers location as derived from GPS and cell tower/Wi-Fi access point triangulation, and does not cover location information derived from IP addresses.
First and Third Parties should provide transparency and control in ways similar to those discussed above in connection with Cross-App Data. It bears noting, however, that the activity subject to these requirements is the collection of Precise Location Data by a company other than the company that owns the app. The Transparency and Control principles apply only where an owner or controller of the app (i.e., the First Party) “affirmative[ly] authoriz[es]” a non-affiliate (i.e., a Third Party) to collect Precise Location Data from a user of the app.
Personal Directory Data
The term “Personal Directory Data” is a misnomer: it includes not only a person’s address book, but also “calendar . . . phone/text log, [and] photo/video data created by a consumer and stored or accessed through a particular device.” According to the Mobile Guidance, Third Parties should not intentionally access a device without authorization and obtain and use Personal Directory Data (unless the purpose for such access falls within one of several enumerated exceptions). And First Parties should not “affirmatively authorize” Third Parties to collect Personal Directory Data (again unless the Data is collected for one of the enumerated purposes).
The restrictions around the use of Personal Directory Data presumably emanate from the FTC’s investigation of, and eventual settlement with, Path, the social networking provider that allegedly uploaded user address books without informing users or obtaining consent, a practice, the FTC alleged, that was inconsistent with Path’s privacy policy.
The Mobile Guidance is something of an interim document. The DAA promises a consolidated set of principles that apply across devices sometime in the future; the requirements around Cross-App, Precise Location, and Personal Directory Data will, for the time being, not be enforced; and the Guidance is peppered with promises of further guidance on addressing the technical challenges of complying with the Self-Regulatory Principles on small screens.
But the Mobile Guidance is nevertheless an important document because it furthers the process of rethinking consumer privacy protections for the mobile space. The FTC, California Attorney General, and, most recently, the NTIA all have contributed to this process since the beginning of the year. The Mobile Guidance, as well as the Network Advertising Initiative’s Mobile Application Code, represent industry’s initial response to the regulators’ calls for greater transparency and choice in the mobile environment.