The advertising industry's self-regulatory enforcement group issued its first actions applying its mobile principles.

The Online Interest-Based Advertising Accountability Program (the Accountability Program) administered by the Advertising Self-Regulatory Council (ASRC) issued three decisions applying the Application of Self-Regulatory Principles to the Mobile Environment (the Mobile Principles) under the Self-Regulatory Principles for Online Behavioral Advertising (the OBA Principles) set forth by the Digital Advertising Alliance (DAA). The Mobile Principles address the unique aspects of the mobile environment and are designed to maintain a consistent approach to notice and choice for interest-based advertising (IBA).

Spinrilla

According to the Accountability Program, Spinrilla LLC, a publisher of a mobile app that can be used to stream hip hop music, allowed third parties to collect user data for IBA purposes, including cross-app and location data. The Accountability Program claimed that Spinrilla did not provide the required notice and enhanced notice links indicating that data was being collected by third parties for IBA purposes.

Spinrilla agreed to make a number of changes in response to the Accountability Program's allegations. For example, the company will direct mobile users who follow the privacy policy links in the Google Play and Apple App stores to an IBA disclosure at the top of Spinrilla's privacy policy page that explains the IBA on the Spinrilla app, a statement that Spinrilla adheres to the principles (that is, the OBA Principles and the Mobile Principles, as well as the Self-Regulatory Principles for Multi-Site Data and the Application of the Self-Regulatory Principles of Transparency and Control to Data Used Across Devices), and the choices available to users.

In addition, Spinrilla agreed to include a privacy policy link to the IBA disclosure for its app on the iOS and Android platforms, and it revised its app so that precise location data no longer could be collected by third parties. The company also made a number of changes to its website to bring it into compliance with the OBA. These included adding links for "Ad Choices" and its privacy policy to the footer of its website.

Bearbit Studios

According to the Accountability Program, Bearbit Studios' mobile app "Smashy Road: Wanted" allowed third parties to collect user data for IBA even when the user appeared to be under the age of 13 without providing parental notice and consent as required under the OBA Principles and the Children's Online Privacy Protection Act (COPPA). The Accountability Program also alleged that it could not easily locate Bearbit's privacy policy by visiting any of the websites associated with Bearbit, and that when ultimately located, the company's privacy policy failed to disclose third-party data collection occurring through its apps or that consumers could opt out of IBA on their mobile devices. Nor did it include a statement of the company's adherence to the OBA Principles.

The Accountability Program also alleged that the "Smashy Road" app did not comply with COPPA in that it did not have a way to obtain verifiable parental consent or a compliant age screen to prevent third-party collection of information from children under the age of 13 without prior parental consent.

In response to the Accountability Program's allegations, Bearbit added privacy policy links on the "Smashy Road" app pages in both the Google Play and Apple App stores that direct users to Bearbit's privacy policy page. It also added an IBA disclosure to the top of that page that described third-party IBA activity, Bearbit's adherence to the OBA Principles, and information about choice mechanisms including how to turn on the "Limit ad tracking" and "Opt out of interest-based ads" settings on iOS and Android mobile devices.

Because the "Smashy Road" app is a mixed-audience app, Bearbit was permitted to add a neutral age screen to the app that requires users to enter their year of birth before beginning play and that disables collection of persistent identifiers for IBA for users who say they are under 13.

Top Free Games

The Accountability Program alleged that "Mouse Maze," a Top Free Games mobile gaming app that appeared to be directed to children, allowed third parties to collect user data for IBA without providing the required notice and enhanced notice. The Accountability Program also alleged that the app's pages in both Apple's and Google's mobile app stores included only a link to the stores' privacy policy that directed users to the top of Top Free Games' privacy policy, and no link was provided to the section in the company's privacy policy that described IBA. Additionally, the policy did not link to a choice mechanism that met DAA specifications or to an opt-out mechanism for data-collection by third parties, nor did it have a statement indicating that the company adhered to the OBA Principles, according to the Accountability Program. Finally, it alleged that the app's collection of unique identifiers took place without obtaining verifiable parental consent or age-gating to comply with COPPA.

Despite Top Free Games' contentions that it was a foreign company with apps geared to users in many countries, that it was "not yet prepared to determine if the US OBA Principles are the most appropriate self-regulatory regime for it to follow," and that "Mouse Maze" was targeted to a general audience, the company agreed to age-gate the app. Top Free Games also agreed to revise its privacy policy link on its Apple App Store page for "Mouse Maze" to direct users to the "Third Party Advertising and Analytics" section, which explains the IBA on its products, content and websites. It also added a "How to Access, Update, and Manage Your Information – Opting Out of Third Party Tailored Advertising" link, as well as links to the Network Advertising Initiative website and the DAA Consumer Choice page, among other things.

The Accountability Program concluded that Top Free Games had demonstrated that, at least with respect to "Mouse Maze," "it was willing to change its practices to meet the industry standards" represented by the OBA Principles. It should be noted, however, that the Accountability Program said that it will continue to monitor Top Free Games' other apps for compliance with the OBA Principles "on a regular basis."

Update from ASRC and DAA Conferences

At recent conferences sponsored by the DAA and the Accountability Program, an Accountability Program representative noted that enforcement had evolved from focusing on issues with cookies, to concerns about proper notice and choice, and now to mobile and other emerging technologies. All parties involved in the ecosystem are required to comply with the OBA Principles, the representative added.

Federal Trade Commission (FTC) Associate Director, Division of Privacy and Identity Protection, Bureau of Consumer Protection Maneesha Mithal, in a policy keynote address, praised self-regulatory regimes such as the DAA's but noted that the FTC would like to see an expansion of the definition of sensitive data and a narrowing of the exceptions for compliance with the principles.

Bottom Line

As both these enforcement actions and regulators' recent remarks make clear, mobile apps and other emerging technologies are now subject to enforcement actions for failing to comply with the OBA Principles. All parties involved in IBA, whether on websites, through mobile devices or with cross-device tracking, should carefully examine their compliance with the OBA Principles, particularly if their apps and websites are directed to children.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.