OIBAAP – Accountability Program

December 2018


Another Cross-Device Enforcement

Mobile advertising network provider Kiip allegedly collected user data across apps for use in IBA without providing the notice and choice required under DAA Principles. The Kiip privacy policy included a description of its use of data for IBA, several methods for how to opt out, and a statement of adherence to DAA Principles. However, the following shortcomings were identified:
• Kiip’s own opt-out required users to enter a Device Advertising ID in order to opt out, but failed to (i) provide users with a definition of the term, (ii) explain how to find it, or (iii) verify the validity of user-entered data.
• Kiip’s references to device-level settings only passively mentioned that users could opt out of ‘most’ in-app ads, but did not state that Kiip would honor such settings.
As such, Kiip failed to provide the required easy-to-use choice mechanisms.

The OIBAAP also identified at least one app using Kiip that did not disclose, nor obtain consent for, the collection and use of Precise Location Data (here to the fourteenth decimal place).

With respect to multi-site and cross-device data, the OIBAAP raised concerns relating to the sufficiency of disclosures, finding:
(i) the statement, “Users are bound by any changes to the Privacy Policy when he or she uses the Platform after such changes have been first posted,” did not comport with the requirement to obtain user consent to material changes in Kiip IBA practices, and
(ii) statements in Kiip marketing materials that “[m]illions of our device IDs are linked to an email address, which maps data to a verified user and maximizes cross-device opportunities,” implied the use of cross-device data – a use undisclosed to end users.

In response, Kiip has:
• Updated its privacy policy to include a reference to the NAI Mobile Choices page (https://www.networkadvertising.org/mobile-choice), confirming that following the steps listed will effectuate an opt out from Kiip’s IBA
• Updated its privacy policy to provide instructions to users about how to utilize device-level settings to withdraw consent for the collection of Precise Location Data on an app-by-app basis
• Updated its privacy policy to provide notification of cross device identification for IBA, including how to opt-out
• Agreed to update its contracts to bind Kiip first-party partners to provide compliant enhanced notice to users, and committed to performing an initial assessment of its partners’ compliance with this rule
• Agreed to update its contracts to ensure Kiip first-party partners provide users the ability to consent to the third-party collection and use of Precise Location Data for IBA
• Modified its privacy disclosures to indicate that the privacy policy in effect at the time of device capture / data collection applies, and flagged devices in its database to indicate which version of the company’s privacy policy governs

With the concerns raised voluntarily corrected, the OIBAAP considers the matter closed.
https://www.bbb.org/globalassets/local-bbbs/council-113/media/behavioral-advertising/kiip-decision.pdf
jbho: This was one of the most detailed decisions I’ve seen from the OIBAAP. It provides excellent guidance for complying with the new Cross-Device rules.

Note that Adbrain was called out for similar overly-complicated opt-out.

Although here, Kiip is essentially maintaining the same opt-out mechanism, but with additional detail on how to use it.

Kiip - custom opt-out

According to the OIBAAP, this is the 95th action to date.


SSP Updates Opt-Outs

Supply Side Platform VRTCAL Markets allegedly collected user data across apps for use in IBA without providing the notice and choice required under DAA Principles. The VRTCAL privacy policy included a description of its use of data for IBA, a statement of adherence to DAA Principles, and a description of methods to opt out. However, the following shortcomings were identified:
• Mobile opt-outs were obfuscated, since the opt-out link provided only went to the NAI opt-out landing page, and no link was provided to the NAI’s Mobile Choices page
• References to system-level opt-out settings were not accompanied with instructions to assist the average user in opting out of IBA
• Apps allowing data collection by VRTCAL did not include the required “enhanced notice”
• Apps allowing the collection and use of precise location data by VRTCAL did not disclose the collection and use of Precise Location Data for IBA, or how to opt-out of such collection and use
• The VRTCAL privacy policy contained contradictory statements about whether Desktop data was or was not used for IBA

In response, VRTCAL has:
• Updated its privacy policy to include specific instructions for opting-out of VRTCAL’s IBA in Mobile applications
• Updated its privacy policy to provide notice of collection and use of Precise Location Data, including specific instructions for opting-out
• Confirmed it does not use data from its corporate site for IBA, and removed the confusing language from its corporate privacy policy
• Agreed to update its contracts to bind VRTCAL first-party partners to provide compliant cross-app enhanced notice to users
• Agreed to update its contracts to ensure VRTCAL first-party partners provide users the ability to consent to the third-party collection and use of Precise Location Data for IBA

With the concerns raised voluntarily corrected, the OIBAAP considers the matter closed.
https://www.bbb.org/globalassets/local-bbbs/council-113/media/behavioral-advertising/vrtcal-decision.pdf
jbho: note that VRTCAL claimed it did not use its own SDKs to collect data. It used JavaScript tags to sync up with other third-party SDKs that appended data to complete the ad buy processes. To its credit, it appears VRTCAL didn’t attempt to disavow responsibility for the activities of these third-party apps. Perhaps the issue could have been avoided if the apps had been appropriately scanned and vetted with a tool like Kryptowire before launching?


September 2018


Retailer Updates Website And Mobile App

Sporting goods retailer Finish Line allegedly allowed third parties to collect user data for use in IBA without providing the notice and choice required under DAA Principles. The OIBAAP found that Finish Line:
• failed to present an “enhanced notice link” on web pages where data collection took place
• failed to present enhanced notice in its mobile app
• failed to present opt-out links, either directly to third parties or to an industry-developed consumer choice mechanism
• failed to state adherence to DAA principles in its privacy notice

The OIBAAP further saw the collection of latitude and longitude coordinates to six decimal places, but no disclosure of the collection and use of precise location data for IBA. Nor were instructions for users to withdraw consent provided.

In response, Finish Line added an enhanced notice link to its website labeled “Interest-Based Ads Policy,” separate from its “Privacy Policy” link. The link takes users directly to a page that discloses third-party activity, along with links to the DAA’s WebChoices and NAI’s opt-out page. Finish Line also implemented its own custom opt-out mechanism, to cover companies not listed on the DAA and NAI opt-out pages. The company also revised its privacy policy to include IBA disclosures, prominently linked at the top of the policy, describing the types of third-party tracking on its sites and mobile apps, along with instructions for opting-out. A statement of adherence to the DAA Principles was added as well. Links to the privacy policy were added to the Apple App Store and Google Play.

For precise location data, Finish Line updated its privacy disclosures to include language indicating that the company may collect precise location data for IBA purposes. The disclosures include instructions for disabling this collection by modifying device-level app permissions or simply uninstalling the app. The company also added a pop-up box that is presented to users when they first open the Finish Line app, that links to the precise location data disclosures. The box appears before the default system-level dialogue that allows users to consent (or not) to the collection of location data through the Finish Line app, meeting the consent requirement of the DAA’s Mobile Guidance.

The OIBAAP found these changes brought the company into full compliance with its obligations under the OBA Principles.
https://www.bbb.org/globalassets/local-bbbs/council-113/media/behavioral-advertising/finish-line-decision.pdf
jbho: the IBA page created by Finish Line is quite comprehensive. One of the best I’ve seen. Check it out! https://www.finishline.com/interest-based-ads-policy
Finish Line - custom opt-out
Including the custom opt-out pictured above, the page leads you to 5 different opt-out methods – three for desktop and two for mobile apps.

According to the press release, this is the 93rd public action taken by the Accountability Program.


Retailer Updates Website IBA Disclosures

Clothing retailer Ledbury allegedly allowed third parties to collect user data for use in IBA without providing the notice and choice required under DAA Principles. The OIBAAP found that Ledbury:
• failed to describe its IBA practices on its website
• failed to present an “enhanced notice link” on web pages where data collection took place
• failed to present opt-out links, either directly to third parties or to an industry-developed consumer choice mechanism
• failed to state adherence to DAA principles in its privacy notice
• failed to get adequate consent to changes in its privacy notice

In response, Ledbury added an enhanced notice link on its website labeled “Interest-Based Ads Policy,” separate from its “Privacy Policy” link. The link takes users directly to a dedicated page describing third-party IBA activity on its website, and provides a link to the DAA’s WebChoices opt-out page. The page includes a statement of adherence to the DAA Principles. Ledbury also amended its privacy notice to clarify consumers may be asked to consent to material changes to the company’s IBA practices.

The OIBAAP found these changes brought the company into full compliance with its obligations under the OBA Principles.
https://www.bbb.org/globalassets/local-bbbs/council-113/media/behavioral-advertising/ledbury-decision.pdf
jbho: yet another reminder to make sure your footers are complete and your privacy policies are up to date.


Company Proactively Resolves Issues Prior To OIBAAP Review

The OIBAAP received a complaint regarding the site Variety.com, owned by Penske Media Corporation (PMC). As the OIBAAP began its inquiry, PMC had already initiated its own compliance review and was in the process of becoming compliant with the DAA Principles. PMC accelerated the implementation and included OIBAAP recommendations in its activities.

As a result of PMC’s anticipatory actions and thorough follow-through, the OIBAAP exercised its discretion to close the case by means of an Administrative Disposition rather than a decision.
https://www.bbb.org/globalassets/local-bbbs/council-113/media/behavioral-advertising/penske-media-corporation-disposition.pdf
jbho: being proactive can lead to good press.

August 2018


First Video Ad Enforcement

Mobile video advertising company Vdopia (d/b/a Chocolate) allegedly collected data for IBA through the popular dating application Skout. Specifically, the OIBAAP suspected Vdopia was collecting the Android Advertising ID (AAID) for Cross-App IBA, but:
• failed to disclose IBA practices in the Skout app or on its website
• failed to present opt-out links, either directly to the third parties or to an industry-developed consumer choice mechanism
— a cookie-based opt-out was found for desktop, but the cookie duration was only one year, instead of the DAA mandated five years
• failed to state adherence to DAA principles in its privacy notice
• failed to present an “enhanced notice link” on all pages where data collection took place

The OIBAAP further saw the collection of latitude and longitude coordinates to the seventh decimal place, but saw no mention of the use of precise location data for IBA, and no instructions for users to withdraw consent from the collection of precise location data.

In response, Vdopia updated its privacy disclosures to include a statement of adherence to the DAA Principles, including instructions for users to opt out of IBA and how to withdraw consent from the collection of precise location data taking place through mobile apps. Vdopia also updated its cookie opt-out mechanism to ensure that the opt-out cookie the company set persists for five years. Additionally, Vdopia added a link to its website footer, separate and apart from its privacy policy link, entitled “Ad Choices,” that leads users directly to a compliant IBA disclosure.

Vdopia further agreed to update its contractual documents to bind its partners in the digital ad serving chain to provide enhanced notice to users.

The Accountability Program determined that Vdopia is now in full compliance.
https://www.bbb.org/globalassets/local-bbbs/council-113/media/behavioral-advertising/chocolate-decision.pdf
jbho: according to the press release, this is the 90th action under the Accountability Program, and the first under the recent video ad requirements.

Although, technically, the LKQD enforcement could be considered the first. At that time, however, the video ad requirements weren’t yet in force.

June 2018

Fraud Use Okay, But Policy Updates Needed

URL shortening service Adf.ly (x19 Limited) allegedly collected data for Interest Based Advertising (IBA), including canvas fingerprints, but:
• failed to disclose its collection of data for IBA as a third-party
• failed to provide a compliant IBA opt-out mechanism
• failed to ensure “enhanced notice links” were present on pages where it collected data
• failed to state adherence to DAA principles in its own privacy policy

In response, Adf.ly clarified that it used canvas fingerprints only to detect and prevent fraud, and data collected as a third party was not being used for IBA. Since this is permitted under the DAA Principles, no further action was necessary.

As for its own website, Adf.ly added an enhanced notice link labelled “AdChoices” – separate from its privacy policy – to the footer of its website pages, that links directly to a section of its privacy policy that discloses IBA activity and links to the DAA WebChoices opt-out page. A statement of adherence to DAA principles has also been added to its privacy policy.

The Accountability Program determined that Adf.ly is now in full compliance.
https://www.bbb.org/globalassets/local-bbbs/council-113/media/behavioral-advertising/x19-decision.pdf
jbho: Although there were no third party issues here, a reminder that first parties and third parties are both obligated to comply with the DAA principles, and must work together to do so.

For the record, ‘canvas fingerprinting’ is a statistical/probabilistic identification technique that leverages the HTML5 canvas element to calculate an identifier based on the way fonts and images are rendered on a browser. The OIBAAP addressed use of these and other “alternative identifiers” in a compliance warning in 2014. The Alternative Identification Technology Compliance Warning (CW-02-2014) can be found at http://www.asrcreviews.org/wp-content/uploads/2014/08/Alternative-Identifiers-Compliance-Warning.pdf

With this notice, the OIBAAP indicated that 89 formal actions have been taken to date.

Another Enforcement Put To Bed

Mattress company Purple Innovation collected data on its websites for Interest Based Advertising (IBA), but allegedly:
• failed to present an “enhanced notice link” on all pages where data collection took place
• failed to disclose third-party data collection in its privacy policy (the privacy policy included a section on “Third Party Services,” but did not mention IBA)
• failed to provide links to opt-out pages, either directly to the third parties or to an industry-developed choice mechanism
• failed to state adherence to DAA principles in its privacy policy

In response, Purple Innovation added an enhanced notice link labelled “Interest-based Ads” – separate from its “Terms & Privacy” link – to each page on its website, that links directly to a section of its privacy policy that discloses IBA activity and links to the DAA WebChoices opt-out page. A statement of adherence to DAA principles has also been added to its privacy policy.

The Accountability Program determined that Purple Innovation is now in full compliance.
https://www.bbb.org/globalassets/local-bbbs/council-113/media/behavioral-advertising/purple-decision.pdf
jbho: another reminder to make sure your footers are complete and your privacy policies are up to date.

March 2018

Ski Resort Service Gives Policies A Lift

Ski resort advance-purchase lift ticket eCommerce platform Liftopia collected data on its websites for Interest Based Advertising (IBA), but allegedly:
• failed to provide an “enhanced notice link” on pages collecting data for IBA
• failed to state adherence to DAA principles in its privacy notice
Liftopia did, however, provide links to industry standard IBA opt-outs in its privacy notice, including:
• The DAA Self-Regulatory Program website – http://www.aboutads.info/
• The Network Advertising Initiative website – http://networkadvertising.org/

In response, Liftopia added an enhanced notice link labelled “Your Ad Choices” – separate from its privacy policy link – to its website footer, and added a statement of adherence to DAA principles to its privacy notice. The Accountability Program determined that Liftopia now is in full compliance.
https://www.bbb.org/globalassets/local-bbbs/council-113/media/behavioral-advertising/liftopia-decision.pdf
jbho: another reminder to make sure your footers are complete and your privacy policies are up to date.

December 2017

OIBAAP Announces First Cross-Device Enforcement

Video advertising company LKQD Technologies allegedly collected Android Advertising IDs (AAIDs) for the purposes of cross-device Interest Based Advertising. In this case, the OIBAAP examined data collection in the “Once” app. The OIBAAP determined that LKQD:
• failed to disclose third-party data collection in its privacy notice
• failed to state adherence to DAA principles in its privacy notice
• failed to present an “enhanced notice link” when downloading, installing, or using the “Once” app
• required users to contact LKQD by post to opt out of IBA, per its privacy notice
• provided a cookie based opt-out that was only valid for three years

In response, LKQD has:
• updated its privacy notice to describe its use of cross-app and cross-device data
• updated its privacy notice to include a statement of adherence to DAA principles
• agreed to include the AdChoices icon on all IBA ads it serves
• updated its privacy notice to clarify opt-out choices for web browsers do not apply to mobile apps and that choices must be expressed on each browser or device where a consumer wishes to opt out
• updated its privacy notice to include a link to the AppChoices app and WebChoices opt-out page
• integrated its opt-out mechanism into the DAA “WebChoices” opt-out page and AppChoices app
• extended the lifetime of opt-out cookies to five years

Specific to cross-device IBA, LKQD has:
• updated its privacy notice to describe its use of cross-device data
• updated its privacy notice to clarify opt-out choices for web browsers do not apply to mobile apps and that choices must be expressed on each browser or device where a consumer wishes to opt out
• updated its privacy notice to include a link to the AppChoices app and WebChoices opt-out page
• integrated its opt-out mechanism into the DAA “WebChoices” opt-out page and AppChoices app
DAA Opt-Outs

The OIBAAP also observed the app was collecting geolocation to five (5) decimal places, meaning the data was “precise.” However, LKQD failed to inform users of any use of precise geolocation data in IBA, get consent for that use, and provide an easy-to-use mechanism by which consumers could withdraw consent for the collection and use of precise location data for IBA. LKQD clarified that although the app provided five (5) decimal places, its software immediately truncated the information to two (2) decimal places. Based on this, the OIBAAP found the location data was not “precise,” obviating the need to discuss notice and consent for use of location data.
https://www.bbb.org/globalassets/local-bbbs/council-113/media/behaviorial-advertising/lkqd-decision.pdf
jbho: the OIBAAP used this enforcement notice as an opportunity to remind companies engaged in cross-device IBA to ensure that their notices adequately explain this fact in clear, meaningful language. “Companies should review their opt-out mechanisms and make certain that they adequately describe what a consumer needs to do to opt out of IBA from particular devices or to opt out of IBA on all devices. If a consumer needs to opt out on each browser or device, companies should say this clearly. If companies instead offer, for example, account-level cross-device opt outs, they should explain this to consumers. Consumers should be able to know from the face of companies’ disclosures what effects their choices will have.” The OIBAAP encouraged companies with questions to contact them, with the reassurance that questions will be handled in confidence, and no confidential question will ever result in a compliance action.

Also helpful to get clarification as to the threshold for “precise” in the collection and use of geolocation data. NAI guidance indicates two decimal places is a de facto imprecise location, and recommends truncation as a way to render location imprecise. Alternatively, if the location describes a shape, place, or group of places larger than 785,398 meters, the NAI also considers the location to be imprecise.

Although not mentioned, the impetus for enforcement here may have been the sensitive nature of the Once app?
Once app - consolidated
Play screenshots from 11 Dec 2017.

Finally, relevant to LKQD’s role as a video advertising provider, the OIBAAP also announced that all video ads will be required to include the AdChoices icon and opt-outs. All video ads must comply with this requirement by April 1, 2018.
If your video provider is using the VAST 4.0 standard, you should be well on the way to compliance.

August 2017


Opt-Out Too Complicated

The Online Interest Based Advertising Accountability Program (OIBAAP) cited Adbrain for failing to provide an easy-to-use mobile opt-out mechanism. Adbrain’s Opt-Out page required users to enter the “device ID” of a device to be opted-out, but failed to specify which ID they meant, or provide instructions on how to find it (The ID to be entered was the iOS ID for Advertisers [IDFA] or Android Advertising ID [AAID]).

In response, Adbrain updated its Opt-Out page to link to instructions for finding an IDFA/AAID. While the OIBAAP appreciated this effort, it felt the mechanism still fell short of a consumer-friendly opt-out. Adbrain committed to further modifying and simplifying its opt-out solution. The OIBAAP considers the matter provisionally closed, pending Adbrain’s promised updates.

The OIBAAP also cited Adbrain for the following website failures:
• Failed to present an “enhanced notice link” on all pages where data collection took place (neither the ‘Opt-Out’ nor ‘Cookie Policy’ links led to the required IBA disclosures)
• Failed to state adherence to DAA principles in its privacy notice

To address the issues raised, Adbrain added an “AdChoices” link (with logo) to its website footer that links directly to an updated section of its Cookie Policy indicating the presence of third-party IBA, and updated its privacy notice to include a statement of adherence to the DAA principles. The OIBAAP considers these matters resolved.
https://www.bbb.org/globalassets/local-bbbs/council-113/media/behaviorial-advertising/adbrain-decision.pdf
jbho: Note that Adbrain got points for creativity, but it appears they were dinged for going overboard when they should have been using a simpler opt-out solution. Here the OIBAAP specifically called out the DAA’s AppChoices:

“(Adbrain’s solution) stands in stark contrast with the many consumer-friendly offerings found throughout the industry. For example, the Accountability Program pointed to commonly employed choice mechanisms such as the DAA’s AppChoices one-button ‘on’ and ‘off’ switch for IBA or the device-level ‘Opt-out of interest-based advertising’ and ‘Limit Ad Tracking’ settings available on the Android and iOS operating systems.” (emphasis added)

The OIBAAP stated this most recent action brings its total to 80 public actions taken.


DAA Compliance Obligations Can’t Be Shifted

The Online Interest Based Advertising Accountability Program (OIBAAP) cited Exponential (Tribal Fusion) for failing to ensure that websites on which it served ads, or websites from which it collected data, adhered to DAA principles. Exponential argued that it contractually required its clients to comply with all applicable laws, provided guidance and training on complying with laws, and performed random spot-checks of publisher sites. The OIBAAP felt that, although commendable, Exponential’s measures fell short since:
• Contracts did not explicitly bind clients to DAA principles
• Training materials were only provided to clients in the EU
• Training materials were only provided to publishers, and not to sites where it collected data
• Training materials only covered compliance with EU laws, and not DAA principles

As a result, Exponential updated its contracts to require clients to comply with DAA principles. Exponential also updated its training to inform clients of the mutual responsibilities under the DAA principles – training blessed by the OIBAAP. The OIBAAP considers the matter provisionally closed, pending rollout of the updated contract terms & training.
https://www.bbb.org/globalassets/local-bbbs/council-113/media/behaviorial-advertising/exponential-decision.pdf
jbho: a reminder that DAA obligations apply to first and third parties alike.

January 2017

Decisions 69, 70, and 71

The OIBAAP issued decisions against three more companies for alleged violations of the Self-Regulatory Principles for Online Behavioral Advertising. Highlights include:

AAA of Northern California, Nevada and Utah

• failed to present sufficient opt-out links in its privacy policy
• linked only to an Adobe opt-out web page
• failed to state adherence to DAA principles in its privacy notice

In response, AAA implemented an “Ad Preference” link, separate from its privacy policy, in its website footer that directs users to a page that addresses third-party IBA on its website, including a link to http://www.aboutads.info/choices. AAA has also added a statement of adherence to the DAA principles to its privacy policy. The Online Interest-Based Advertising Accountability Program (OIBAAP) commended AAA on its cooperation and considers the matter closed.

Anheuser-Busch

• failed to present an “enhanced notice link” on all pages where data collection took place
• failed to state adherence to DAA principles in its privacy notice

In response, Anheuser-Busch implemented an enhanced notice link (AdChoices icon), separate from its privacy policy, in its website footer that directs users to the section of its privacy policy that addresses third-party IBA on its website, including a link to http://www.aboutads.info/choices. Anheuser-Busch has also added a statement of adherence to the DAA principles to its privacy policy. The Program commended Anheuser-Busch on its cooperation and considers the matter closed.

Wayfair

• failed to present an “enhanced notice link” on all pages where data collection took place

In response, Wayfair implemented an “Interest-Based Ads” link, separate from its privacy policy, in its website footer (and footers of all websites it owns) that directs users to a page that addresses third-party IBA on its website, including a link to http://www.aboutads.info/choices. The Program commended Wayfair on its cooperation and considers the matter closed.
http://www.asrcreviews.org/accountability-program-takes-action-on-consumer-complaints/
jbho: A reminder to make sure your footers are complete and your privacy policies are up to date.

September 2016

BBB Behavioral Ad Program Cites Dropbox, Harte Hanks, and Panasonic

The Better Business Bureau issued decisions against three companies for alleged violations of the Self-Regulatory Principles for Online Behavioral Advertising. Highlights include:

Dropbox

  • failed to present an “enhanced notice link” on all pages where data collection took place
  • failed to disclose third-party data collection in its privacy notice
  • failed to present opt-out links, either directly to the third parties or to an industry-developed consumer choice mechanism
  • failed to state adherence to DAA principles in its privacy notice

In response, Dropbox implemented a “Cookies” link, distinct from the ‘Privacy & Terms’ link, on all Dropbox website pages. The link directs users to a page that includes an IBA disclosure describing third-party data collection on the website, as well as a statement of adherence to the DAA principles. The Online Interest-Based Advertising Accountability Program (OIBAAP) considers the matter closed.

Harte Hanks

  • failed to present an “enhanced notice link” on all pages where data collection took place
  • failed to disclose third-party data collection in its privacy notice
  • failed to state adherence to DAA principles in its privacy notice

In response, Harte Hanks committed to implementing a “Cookies & Advertising” link, distinct from the ‘Privacy & Terms’ link, on all Harte Hanks website pages. The link will direct users to a page that includes an IBA disclosure describing third-party data collection on the website, as well as a statement of adherence to the DAA principles. The OIBAAP will leave the matter open, pending implementation of the promised changes.

Panasonic

  • failed to present an “enhanced notice link” on all pages where data collection took place
  • failed to disclose the totality of third-party data collection in its privacy notice
    • Panasonic did explain its use of Google and Adobe’s services with links to those companies’ opt outs. However, this listing only pertained to the analytic functions performed by these companies
  • failed to present all opt-out links, either directly to the third parties or to an industry-developed consumer choice mechanism
    • the section mentioned above did not contain opt-out mechanisms for other companies
  • failed to state adherence to DAA principles in its privacy notice

In response, Panasonic implemented an “Interest-based ad disclosure” link, distinct from the ‘Privacy’ link, on all Panasonic website pages. The link directs users to a page that includes an IBA disclosure describing third-party data collection on the website, as well as a link to the DAA Consumer Choice Page (www.aboutads.info/choices), and a statement of adherence to the DAA principles. The Online Interest-Based Advertising Accountability Program (OIBAAP) considers the matter closed.
http://www.asrcreviews.org/privacy-watchdog-sniffs-out-websites-compliance-violations/
jbho: by my count, this brings the number of actions taken by the OIBAAP to 71.

July 2016

Two More AppMakers Allegedly Violate Industry’s Mobile Privacy Code

Mobile app makers iTriage (Aetna) and Sega allegedly inappropriately collected app data for Interest Based Advertising (IBA). The Digital Advertising Association (DAA) Online Interest-Based Advertising Accountability Program (OIBAAP) investigations revealed:

Aetna’s iTriage (healthcare app)

  • Collected, and allowed third parties to collect Device IDs & Precise Location Data without providing notice
  • Failed to provide enhanced notice in its privacy policy
  • Failed to provide opt-out information in its privacy policy
  • Failed to state adherence to DAA principles in its privacy policy
  • Failed to provide IBA disclosures either during download or upon first opening the app
  • Failed to provide links to the privacy policy in the app
  • Failed to provide links to the privacy policy on the App Store (there was a link on Google Play)
  • Failed to clarify whether sensitive health information would be used for IBA

The App did request – through permission tools – that the user grant the app access to the user’s identity, calendar, location, photo and media files, and Wi-Fi connection information. However, the permission tools were silent as to any transfer to third parties or whether data would be used for IBA.

In response, iTriage agreed to add IBA disclosures in the app stores, in the app, and in its privacy policy. It also agreed to add an “Interest Based Ads” link to the footer of website pages where data for IBA is collected by third parties. Finally, iTriage also agreed to cease collection of precise location information and collect only ‘coarse’ location information (iTriage clarified it did not collect sensitive health or personal directory information for IBA purposes). The OIBAAP considers the matter tentatively closed, but retained jurisdiction while iTriage completes the promised updates.

Sega’s Sonic Runner (game app)

  • Collected, and allowed third parties to collect Device IDs & Precise Location Data without providing notice
  • Collected the above information on children
    • continued to collect irrespective of data entered during the ‘age gate’ at app open
  • Failed to provide enhanced notice in its privacy policy
  • Failed to provide opt-out information in its privacy policy
  • Failed to state adherence to DAA principles in its privacy policy
  • Failed to provide IBA disclosures either during download or upon first opening the app
  • Failed to provide links to the privacy policy in the app

In response, Sega pulled the app from the app store, notified users of the compliance issue, and forced updates to a fixed version of the app. Additionally, Sega agreed to add a privacy policy to the app that calls out IBA disclosures, adherence to DAA principles, and how to opt-out. The OIBAAP considers the matter closed.
These are the 67th and 68th public actions taken by the Accountability Program.
http://www.asrcreviews.org/inquiry-reveals-flaws-in-popular-mobile-apps-privacy-notices/
jbho: A reminder that industry standards do have teeth. If a company doesn’t cooperate, they could be referred to the FTC.

And the BBB appears to be watching closely. Remember they recently announced they hired tech company Kryptowire to help it inspect websites & apps for compliance with DAA principles. http://www.asrcreviews.org/accountability-program-announces-work-with-kryptowire/
