Client Alert

Enforcement of DAA Principles Appears to Shift Disclosure Requirements

10 Aug 2016

Recent enforcement decisions by the self-regulatory interest-based advertising (IBA)[1] accountability program[2] suggest a shift in, and clarification of, required disclosures. Specifically, as discussed below, the accountability program has indicated that: (1) an app developer’s link to its privacy policy at the point of app download is insufficient, unless the link points directly to the IBA section of the policy or there is a clear link at the top of the policy that directs the user to that section; and (2) companies that comply with the Digital Advertising Alliance (DAA) Principles should expressly affirm such compliance in their privacy policies.

By way of background, the DAA is a consortium of media and marketing associations that has designed and implemented a self-regulatory compliance regime in an effort to address the IBA notice and choice expectations of the Federal Trade Commission (FTC). In May of this year, the IBA accountability program issued three decisions enforcing the self-regulatory program as applied to the mobile environment, as articulated in the DAA’s Mobile Guidance of 2013.[3]

The DAA self-regulatory program is, at its heart, a notice-and-choice regime. In short, to facilitate such notice and choice, the DAA provides an advertising option icon to be placed in or near an interest-based ad. The icon, when clicked, delivers consumers to a landing page that describes the data collection practices associated with the ad and provides an opt-out mechanism. Importantly, however, the DAA Principles have also been interpreted by the IBA accountability program to require “enhanced” notice on any website where information is collected for IBA purposes. In response to this interpretation, website publishers typically provide such notice in the form of an “Our Ads” or similarly named link in the site footer, separate from the privacy policy link, that clicks through to the same landing page as the advertising option icon, or to similar notice and choice information.

In its recent enforcement actions, the IBA accountability program appears to have exported this manifestation of the enhanced notice requirement to mobile applications, notwithstanding the provisions of the Mobile Guidance. That guidance itself states that app publishers (i.e., “first parties”) that permit third parties to collect information for IBA purposes must “provide a clear, meaningful, and prominent link to a disclosure that either points to a choice mechanism or setting that meets Digital Advertising Alliance specifications or individually lists such Third Parties.” This notice must be provided in two separate locations:

  • Either prior to download (e.g., in the app store on the application’s page), during download, on first opening of the app, or at the time cross-app data is first collected; and
  • In the application’s settings or any privacy policy.

The IBA accountability program appears, however, to be taking the position that a link to the privacy policy from the app store (or any other location) is not enough to meet this first prong. That is, a “clear, meaningful, and prominent link” to the IBA disclosure must be a link directly to the IBA section of the privacy policy, in the same way that the “Our Ads” or similarly named link in the site footer clicks through to the IBA section of the privacy policy. The Spinrilla decision, for example, states that the accountability program could not find an “enhanced link notice separate from the privacy policy link” in the applicable app stores and affirmed that if only one privacy policy link will be used in the app store (where it is typically not possible to provide two separate links), “the link to the privacy policy must either go directly to the pertinent discussion of IBA or direct the user to that place through a clear link at the top of the privacy policy.” The other decisions, Bearbit and Top Free Games, reaffirm this interpretation. In light of these decisions, app publishers may want to revisit how they provide “enhanced notice” of their IBA practices.

Finally, the Mobile Guidance states that first parties should “indicate adherence” to the DAA Principles in their privacy policies. The accountability program decisions noted the absence of this language in the companies’ privacy policies, and the companies appear to have added language to their disclosures to comply with this obligation. Whether a company would want to affirmatively make this representation of its own accord is something that may warrant additional consideration, as the company’s failure to fully comply with such a representation could give rise to a charge of deception under Section 5 of the FTC Act or a similar state law.

* * *

In light of these developments, a company engaged in IBA should:

  • If engaged in IBA with respect to one or more of its apps, review how it discloses its IBA practices at the point of app download; and
  • Discuss with counsel the advisability of expressly stating adherence to the DAA Principles in its privacy policy.



[1] IBA is the collection of information about users’ online activities across different websites or mobile applications, over time, for the purpose of delivering online advertising to those users based on those activities.

[2] Formally, the Advertising Self-Regulatory Council/Council of Better Business Bureau’s Online Interest-Based Advertising Accountability Program.

[3] For background on the DAA program and its applicability to the mobile environment, see our MoFo Privacy Minute of June 19, 2015, Digital Advertising Alliance Focuses on Mobile Ads.

Close
Feedback

Disclaimer

Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.