OIBAAP – Accountability Program

January 2017

Decisions 69, 70, and 71

The OIBAAP issued decisions against three more companies for alleged violations of the Self-Regulatory Principles for Online Behavioral Advertising. Highlights include:

AAA of Northern California, Nevada and Utah

• failed to present sufficient opt-out links in its privacy policy
• linked only to an Adobe opt-out web page
• failed to state adherence to DAA principles in its privacy notice

In response, AAA implemented an “Ad Preference” link, separate from its privacy policy, in its website footer that directs users to a page that addresses third-party IBA on its website, including a link to http://www.aboutads.info/choices. AAA has also added a statement of adherence to the DAA principles to its privacy policy. The Online Interest-Based Advertising Accountability Program (OIBAAP) commended AAA on its cooperation and considers the matter closed.

Anheuser-Busch

• failed to present an “enhanced notice link” on all pages where data collection took place
• failed to state adherence to DAA principles in its privacy notice

In response, Anheuser-Busch implemented an enhanced notice link (AdChoices icon), separate from its privacy policy, in its website footer that directs users to the section of its privacy policy that addresses third-party IBA on its website, including a link to http://www.aboutads.info/choices. Anheuser-Busch has also added a statement of adherence to the DAA principles to its privacy policy. The Program commended Anheuser-Busch on its cooperation and considers the matter closed.

Wayfair

• failed to present an “enhanced notice link” on all pages where data collection took place

In response, Wayfair implemented an “Interest-Based Ads” link, separate from its privacy policy, in its website footer (and footers of all websites it owns) that directs users to a page that addresses third-party IBA on its website, including a link to http://www.aboutads.info/choices. The Program commended Wayfair on its cooperation and considers the matter closed.
http://www.asrcreviews.org/accountability-program-takes-action-on-consumer-complaints/
jbho: A reminder to make sure your footers are complete and your privacy policies are up to date.

 

September 2016

BBB Behavioral Ad Program Cites Dropbox, Harte Hanks, and Panasonic

The Better Business Bureau issued decisions against three companies for alleged violations of the Self-Regulatory Principles for Online Behavioral Advertising. Highlights include:

Dropbox

  • failed to present an “enhanced notice link” on all pages where data collection took place
  • failed to disclose third-party data collection in its privacy notice
  • failed to present opt-out links, either directly to the third parties or to an industry-developed consumer choice mechanism
  • failed to state adherence to DAA principles in its privacy notice

In response, Dropbox implemented a “Cookies” link, distinct from the ‘Privacy & Terms’ link, on all Dropbox website pages. The link directs users to a page that includes an IBA disclosure describing third-party data collection on the website, as well as a statement of adherence to the DAA principles. The Online Interest-Based Advertising Accountability Program (OIBAAP) considers the matter closed.

Harte Hanks

  • failed to present an “enhanced notice link” on all pages where data collection took place
  • failed to disclose third-party data collection in its privacy notice
  • failed to state adherence to DAA principles in its privacy notice

In response, Harte Hanks committed to implementing a “Cookies & Advertising” link, distinct from the ‘Privacy & Terms’ link, on all Harte Hanks website pages. The link will direct users to a page that includes an IBA disclosure describing third-party data collection on the website, as well as a statement of adherence to the DAA principles. The OIBAAP will leave the matter open, pending implementation of the promised changes.

Panasonic

  • failed to present an “enhanced notice link” on all pages where data collection took place
  • failed to disclose the totality of third-party data collection in its privacy notice
    • Panasonic did explain its use of Google and Adobe’s services with links to those companies’ opt outs. However, this listing only pertained to the analytic functions performed by these companies
  • failed to present all opt-out links, either directly to the third parties or to an industry-developed consumer choice mechanism
    • the section mentioned above did not contain opt-out mechanisms for other companies
  • failed to state adherence to DAA principles in its privacy notice

In response, Panasonic implemented an “Interest-based ad disclosure” link, distinct from the ‘Privacy’ link, on all Panasonic website pages. The link directs users to a page that includes an IBA disclosure describing third-party data collection on the website, as well as a link to the DAA Consumer Choice Page (www.aboutads.info/choices), and a statement of adherence to the DAA principles. The Online Interest-Based Advertising Accountability Program (OIBAAP) considers the matter closed.
http://www.asrcreviews.org/privacy-watchdog-sniffs-out-websites-compliance-violations/
jbho: by my count, this brings the number of actions taken by the OIBAAP to 71.

 

July 2016

Two More AppMakers Allegedly Violate Industry’s Mobile Privacy Code

Mobile app makers iTriage (Aetna) and Sega allegedly collected app data inappropriately for Interest-Based Advertising (IBA). The Digital Advertising Association (DAA) Online Interest-Based Advertising Accountability Program (OIBAAP) investigations revealed:

Aetna’s iTriage (healthcare app)

  • Collected, and allowed third parties to collect Device IDs & Precise Location Data without providing notice
  • Failed to provide enhanced notice in its privacy policy
  • Failed to provide opt-out information in its privacy policy
  • Failed to state adherence to DAA principles in its privacy policy
  • Failed to provide IBA disclosures either during download or upon first opening the app
  • Failed to provide links to the privacy policy in the app
  • Failed to provide links to the privacy policy on the App Store (there was a link on Google Play)
  • Failed to clarify whether sensitive health information would be used for IBA

The App did request – through permission tools – that the user grant the app access to the user’s identity, calendar, location, photo and media files, and Wi-Fi connection information. However, the permission tools were silent as to any transfer to third parties or whether data would be used for IBA.

In response, iTriage agreed to add IBA disclosures in the app stores, in the app, and in its privacy policy. It also agreed to add an “Interest Based Ads” link to the footer of website pages where data for IBA is collected by third parties. Finally, iTriage also agreed to cease collection of precise location information and collect only ‘coarse’ location information (iTriage clarified it did not collect sensitive health or personal directory information for IBA purposes). The OIBAAP considers the matter tentatively closed, but retained jurisdiction while iTriage completes the promised updates.

Sega’s Sonic Runner (game app)

  • Collected, and allowed third parties to collect Device IDs & Precise Location Data without providing notice
  • Collected the above information on children
    • continued to collect irrespective of data entered during the ‘age gate’ at app open
  • Failed to provide enhanced notice in its privacy policy
  • Failed to provide opt-out information in its privacy policy
  • Failed to state adherence to DAA principles in its privacy policy
  • Failed to provide IBA disclosures either during download or upon first opening the app
  • Failed to provide links to the privacy policy in the app

In response, Sega pulled the app from the app store, notified users of the compliance issue, and forced updates to a fixed version of the app. Additionally, Sega agreed to add a privacy policy to the app that calls out IBA disclosures, adherence to DAA principles, and how to opt-out. The OIBAAP considers the matter closed.
These are the 67th and 68th public actions taken by the Accountability Program.
http://www.asrcreviews.org/inquiry-reveals-flaws-in-popular-mobile-apps-privacy-notices/
jbho: A reminder that industry standards do have teeth. If a company doesn’t cooperate, they could be referred to the FTC. 

And the BBB appears to be watching closely. Remember they recently announced they hired tech company Kryptowire to help inspect websites & apps for compliance with DAA principles. http://www.asrcreviews.org/accountability-program-announces-work-with-kryptowire/

 
