The Digital Advertising Alliance (DAA), a self-regulatory organization that has established and enforces responsible privacy practices across industry for relevant digital advertising, has begun to enforce its Principals applicable to “interest-based” advertising in the mobile context.

Independent oversight of the DAA Principals is conducted by The Council of Better Business Bureaus (CBBB) and the Direct Marketing Association (DMA) through the Online Interest-Based Advertising Accountability Program (the Accountability Program).

The recent decisions of the Accountability Program are a helpful roadmap for best practices to avoid unwanted scrutiny on how a mobile app should comply with DAA Principals – and privacy rules generally applicable in the United States. Read more>

In particular, the Accountability Program has found a few Apps that had not been adequately providing the required “notice and choice” for the use of digital trackers in the mobile environment.  Furthermore, as some of the Apps under review appeal to children under the age of 13, these Apps agreed to adopt “age gates” in order to come into compliance with the DAA Principals, because the data tracking techniques used for interest-based advertising purposes may be permissible for adults – but not for children under the Children’s Online Privacy Protection Act (COPPA).

Enhanced Notice of Tracking Activities

In its recent decisions, the Accountability Program has required apps to enhance the disclosure of data tracking – through links at the App Store and in the App itself.  For example, in a matter relating to the gaming app “Mouse Maze” owned by Top Free Games, Top Free Games agreed to revise the content of its privacy policy and then updated the privacy policy link on the page in the Apple App Store so that the link now directs users to a section of the policy entitled “Third Party Advertising and Analytics.”

This portion of the policy describes the advertising taking place on all of Top Free Games’ services, and contains a link to a section in the privacy policy entitled “Opting out of Third Party Tailored Advertising”, which contains further links to the Network Advertising Initiative website, the DAA Consumer Choice page, and the UK’s Your Online Choices page. This section also contains instructions on how to download the DAA’s AppChoices app and how to reset a mobile device’s advertising ID.  Additionally, Top Free Games added to the games settings a privacy policy link under the “options” tab that takes the user to its interest-based advertising disclosure.

The Accountability Program required Sprinilla (distributor of a music app) and Bearbit Studios (distributor of the game Smashy Road) to adopt similar measures for purchasers of their apps.

What to Do About Under Age Visitors

While many apps and sites are targeted at a general audience, the COPPA rules are quite strict about requiring parental consent to collect personal information – including the persistent identifiers used for targeted advertising purposes – from visitors who are actually known to be under 13 years old, or from visitors to sites directed at children.

In its recent decisions, the Accountability Program required the use of age gates to prevent the impermissible collection of information from children by two apps that claimed to be of general interest, but appeared to have substantial appeal to children.

In determining that the apps were directed at children, the Accountability Program looked at various aspects, including the nature of the apps – one focuses on the exploits of a cartoon mouse with exaggerated features which inhabits a colorful, cartoon environment – the other a car being chased by a police car in a colorful cartoonish environment, as well as the App Store ratings – one was given a 4+ rating and the other a 9+ rating, meaning the game is suitable for ages 4 and over or 9 and over.

In order to bring the apps into COPPA compliance, the owners of these apps agreed to implement an age-screening gate so that the app would no longer itself – or permit third parties to – collect interest-based advertising data from visitors under 13.

Adopt Best Practices

Distributors of mobile apps should consider adopting these steps that the Accountability Program has required – to assure compliance with the DAA’s self-regulatory requirements (including the COPPA requirements), as well as provide a valuable baseline in the event that the FTC or other regulators take a more stringent view of the required privacy notifications.

This is an area of rapidly changing requirements, and app distributors may be unaware of the extent of the data tracking they are enabling on the apps they distribute.  A savvy app distributor would be smart to comply with these DAA requirements, and be well positioned as the rules continue to evolve.