ADVERTISING, MARKETING & PROMOTIONS
>> ALERT DIGITAL ADVERTISING ALLIANCE OFFERS NEW PRIVACY GUIDANCE FOR MOBILE ENVIRONMENT The core provisions of the Digital Advertising Alliance (DAA) new guidance are not yet in effect and will not be enforced while the mobile industry works on implementation issues, but the “implementation phase” has begun. BACKGROUND The DAA has issued new guidance explaining how its Self-Regulatory Principles for Online Behavioral Advertising (OBA Principles) and Multi-Site Data (MSD Principles) (together, the Self-Regulatory Principles) apply to certain types of data in the mobile environment. The DAA said that the new guidance clarifies that its previously-issued Self-Regulatory Principles apply to the mobile environment as well. The themes from the OBA Principles of transparency, consumer control, sensitive data, data security and accountability are all part of the new guidance. The DAA also made it clear, however, that the release of the new guidance began an “implementation phase” and that, during this phase, the guidance will not be in effect or enforced by the DAA accountability mechanisms with respect to three newly-defined classes of critical mobile data: Cross-App Data, Precise Location Data, and Personal Directory Data. (These data categories are discussed further below.) After the DAA has announced to covered companies that this new
THE BOTTOM LINE For all practical purposes, the portions of the DAA guidance that break new ground are not yet in effect and will not be enforced while the mobile industry works on implementation issues, but the “implementation phase” has now begun. However, this new guidance is going to be with the industry for the foreseeable future and covered entities should begin the process of considering: which of their activities in the mobile environment are within the scope of the guidance, and the extent to which they will likely need to change their practices to comply. guidance is effective and enforceable, any entity engaged in the collection and use of Cross-App Data, Precise Location Data, or Personal Directory Data will be subject to the DAA accountability mechanisms (managed by the Council of Better Business Bureaus and the Direct Marketing Association) for engaging in practices that do not adhere to the SelfRegulatory Principles as discussed in the new guidance.
might not be feasible to provide notice of multi-site data collection on the specific webpage where this data was collected even if there was an arrangement with a “first party” for the provision of that notice. In these cases, the DAA said, it would be “acceptable” for notice to be provided where the notice was “clear, meaningful, and prominent.”
Significantly, the DAA acknowledged that it might not be feasible to comply with the Self-Regulatory Principles on all devices in the same manner as in a desktop computer environment.
The guidance explains how the existing Self-Regulatory Principles that are applicable to companies engaged in online behavioral advertising, including advertisers, agencies, media, and technology companies, apply to certain types of data in the mobile environment. The DAA said that it
As an example, the DAA recognized that on devices with small screens it
>> continues on next page
Attorney Advertising 1313
ADVERTISING, MARKETING & PROMOTIONS >> ALERT intends for the Self-Regulatory Principles to apply consistently across these channels, and it stated that the existing Self-Regulatory Principles and definitions remain in full force and effect, including the purpose limitations set forth in the MSD Principles. In particular, the new guidance explains when to provide enhanced notice about data collected on a particular device over time and across different applications, as well as notice for the collection of Precise Location or Personal Directory Data. It also applies the principle of consumer control to these data collection practices.
DATA CATEGORIES The guidance defines (and sets forth various requirements pertaining to) three important categories of mobile data: 1) C ross-App Data – data collected from a particular device regarding app usage over time on nonaffiliated apps 2) P ersonal Directory Data – such as calendar, address book, phone/ text log and photo/video data, and 3) P recise Location Data – data about the physical location of the individual/device
Depending upon a party’s status as a “first party” or a “third party,” Cross-App Data collection and use can trigger notice obligations consisting of clear, meaningful and prominent notice of this data collection and use practices and enhanced notice in or around ad advertisement. Alternatively, a user could consent to the use of Cross-App Data. A choice mechanism, similar to the Ad Choices icon used on web sites pursuant to the Self-Regulatory Principles, will become part of the mobile principles. The use of Precise Location Data follows a similar procedure, with the additional requirement of obtaining consent from a user to transfer this data to a third party. Use of Personal Directory Data is restricted without authorization of the user. However, notice regarding this data collection and use is not required for operations/systems management, market research, product development and reporting for ad delivery purposes. In addition, de-identified data that does not associate or connect an individual with a particular device is also carved out from certain compliance obligations. None of the three categories of data may be used for employment, credit, healthcare treatment or insurance eligibility.
FUTURE GUIDANCE This new guidance is not the last guidance that the DAA said that it plans to issue on privacy. In the future, the DAA stated, it will release a consolidated set of Self-Regulatory Principles that integrates this guidance document with the OBA Principles and MSD Principles, resulting in one uniform set of Self-Regulatory Principles.
FOR MORE INFORMATION Richard S. Eisert Partner 212.468.4863 [email protected]
Gary A. Kibel Partner 212.468.4918 [email protected]
or the D&G attorney with whom you have regular contact.
Davis & Gilbert LLP T: 212.468.4800 1740 Broadway, New York, NY 10019 www.dglaw.com © 2013 Davis & Gilbert LLP