OIBAAP – Accountability Program

August 2017


Opt-Out Too Complicated

The Online Interest Based Advertising Accountability Program (OIBAAP) cited Adbrain for failing to provide an easy-to-use mobile opt-out mechanism. Adbrain’s Opt-Out page required users to enter the “device ID” of the device to be opted out, but failed to specify which ID was meant or to provide instructions on how to find it (the ID to be entered was the iOS ID for Advertisers [IDFA] or the Android Advertising ID [AAID]).

In response, Adbrain updated its Opt-Out page to link to instructions for finding an IDFA/AAID. While the OIBAAP appreciated this effort, it felt the mechanism still fell short of a consumer-friendly opt-out. Adbrain committed to further modifying and simplifying its opt-out solution. The OIBAAP considers the matter provisionally closed, pending Adbrain’s promised updates.

The OIBAAP also cited Adbrain for the following website failures:
• Failed to present an “enhanced notice link” on all pages where data collection took place (neither the ‘Opt-Out’ nor ‘Cookie Policy’ links led to the required IBA disclosures)
• Failed to state adherence to DAA principles in its privacy notice

To address the issues raised, Adbrain added an “AdChoices” link (with logo) to its website footer that links directly to an updated section of its Cookie Policy indicating the presence of third-party IBA, and updated its privacy notice to include a statement of adherence to the DAA principles. The OIBAAP considers these matters resolved.
https://www.bbb.org/globalassets/local-bbbs/council-113/media/behaviorial-advertising/adbrain-decision.pdf
jbho: Note that Adbrain got points for creativity, but it appears they were dinged for going overboard when they should have been using a simpler opt-out solution. Here the OIBAAP specifically called out the DAA’s AppChoices:

“(Adbrain’s solution) stands in stark contrast with the many consumer-friendly offerings found throughout the industry. For example, the Accountability Program pointed to commonly employed choice mechanisms such as the DAA’s AppChoices one-button ‘on’ and ‘off’ switch for IBA or the device-level ‘Opt-out of interest-based advertising’ and ‘Limit Ad Tracking’ settings available on the Android and iOS operating systems.” (emphasis added)

The OIBAAP stated this most recent action brings its total to 80 public actions taken.


DAA Compliance Obligations Can’t Be Shifted

The Online Interest Based Advertising Accountability Program (OIBAAP) cited Exponential (Tribal Fusion) for failing to ensure that websites on which it served ads, or websites from which it collected data, adhered to DAA principles. Exponential argued that it contractually required its clients to comply with all applicable laws, provided guidance and training on complying with those laws, and performed random spot-checks of publisher sites. The OIBAAP felt that, although commendable, Exponential’s measures fell short because:
• Contracts did not explicitly bind clients to DAA principles
• Training materials were only provided to clients in the EU
• Training materials were only provided to publishers, and not to sites where it collected data
• Training materials only covered compliance with EU laws, and not DAA principles

As a result, Exponential updated its contracts to require clients to comply with DAA principles. Exponential also updated its training to inform clients of the mutual responsibilities under the DAA principles – training blessed by the OIBAAP. The OIBAAP considers the matter provisionally closed, pending rollout of the updated contract terms & training.
https://www.bbb.org/globalassets/local-bbbs/council-113/media/behaviorial-advertising/exponential-decision.pdf
jbho: A reminder that DAA obligations apply to first and third parties alike.


January 2017

Decisions 69, 70, and 71

The OIBAAP issued decisions against three more companies for alleged violations of the Self-Regulatory Principles for Online Behavioral Advertising. Highlights include:

AAA of Northern California, Nevada and Utah

• failed to present sufficient opt-out links in its privacy policy
• linked only to an Adobe opt-out web page
• failed to state adherence to DAA principles in its privacy notice

In response, AAA implemented an “Ad Preference” link, separate from its privacy policy, in its website footer that directs users to a page that addresses third-party IBA on its website, including a link to http://www.aboutads.info/choices. AAA has also added a statement of adherence to the DAA principles to its privacy policy. The Online Interest-Based Advertising Accountability Program (OIBAAP) commended AAA on its cooperation and considers the matter closed.

Anheuser-Busch

• failed to present an “enhanced notice link” on all pages where data collection took place
• failed to state adherence to DAA principles in its privacy notice

In response, Anheuser-Busch implemented an enhanced notice link (AdChoices icon), separate from its privacy policy, in its website footer that directs users to the section of its privacy policy that addresses third-party IBA on its website, including a link to http://www.aboutads.info/choices. Anheuser-Busch has also added a statement of adherence to the DAA principles to its privacy policy. The Program commended Anheuser-Busch on its cooperation and considers the matter closed.

Wayfair

• failed to present an “enhanced notice link” on all pages where data collection took place

In response, Wayfair implemented an “Interest-Based Ads” link, separate from its privacy policy, in its website footer (and footers of all websites it owns) that directs users to a page that addresses third-party IBA on its website, including a link to http://www.aboutads.info/choices. The Program commended Wayfair on its cooperation and considers the matter closed.
http://www.asrcreviews.org/accountability-program-takes-action-on-consumer-complaints/
jbho: A reminder to make sure your footers are complete and your privacy policies are up to date.

September 2016

BBB Behavioral Ad Program Cites Dropbox, Harte Hanks, and Panasonic

The Better Business Bureau issued decisions against three companies for alleged violations of the Self-Regulatory Principles for Online Behavioral Advertising. Highlights include:

Dropbox

  • failed to present an “enhanced notice link” on all pages where data collection took place
  • failed to disclose third-party data collection in its privacy notice
  • failed to present opt-out links, either directly to the third parties or to an industry-developed consumer choice mechanism
  • failed to state adherence to DAA principles in its privacy notice

In response, Dropbox implemented a “Cookies” link, distinct from the ‘Privacy & Terms’ link, on all Dropbox website pages. The link directs users to a page that includes an IBA disclosure describing third-party data collection on the website, as well as a statement of adherence to the DAA principles. The Online Interest-Based Advertising Accountability Program (OIBAAP) considers the matter closed.

Harte Hanks

  • failed to present an “enhanced notice link” on all pages where data collection took place
  • failed to disclose third-party data collection in its privacy notice
  • failed to state adherence to DAA principles in its privacy notice

In response, Harte Hanks committed to implementing a “Cookies & Advertising” link, distinct from the ‘Privacy & Terms’ link, on all Harte Hanks website pages. The link will direct users to a page that includes an IBA disclosure describing third-party data collection on the website, as well as a statement of adherence to the DAA principles. The OIBAAP will leave the matter open, pending implementation of the promised changes.

Panasonic

  • failed to present an “enhanced notice link” on all pages where data collection took place
  • failed to disclose the totality of third-party data collection in its privacy notice
    • Panasonic did explain its use of Google and Adobe’s services with links to those companies’ opt outs. However, this listing only pertained to the analytic functions performed by these companies
  • failed to present all opt-out links, either directly to the third parties or to an industry-developed consumer choice mechanism
    • the section mentioned above did not contain opt-out mechanisms for other companies
  • failed to state adherence to DAA principles in its privacy notice

In response, Panasonic implemented an “Interest-based ad disclosure” link, distinct from the ‘Privacy’ link, on all Panasonic website pages. The link directs users to a page that includes an IBA disclosure describing third-party data collection on the website, as well as a link to the DAA Consumer Choice Page (www.aboutads.info/choices), and a statement of adherence to the DAA principles. The Online Interest-Based Advertising Accountability Program (OIBAAP) considers the matter closed.
http://www.asrcreviews.org/privacy-watchdog-sniffs-out-websites-compliance-violations/
jbho: by my count, this brings the number of actions taken by the OIBAAP to 71.

July 2016

Two More AppMakers Allegedly Violate Industry’s Mobile Privacy Code

Mobile app makers iTriage (Aetna) and Sega allegedly inappropriately collected app data for Interest Based Advertising (IBA). The Digital Advertising Association (DAA) Online Interest-Based Advertising Accountability Program (OIBAAP) investigations revealed:

Aetna’s iTriage (healthcare app)

  • Collected, and allowed third parties to collect Device IDs & Precise Location Data without providing notice
  • Failed to provide enhanced notice in its privacy policy
  • Failed to provide opt-out information in its privacy policy
  • Failed to state adherence to DAA principles in its privacy policy
  • Failed to provide IBA disclosures either during download or upon first opening the app
  • Failed to provide links to the privacy policy in the app
  • Failed to provide links to the privacy policy on the App Store (there was a link on Google Play)
  • Failed to clarify whether sensitive health information would be used for IBA

The App did request – through permission tools – that the user grant the app access to the user’s identity, calendar, location, photo and media files, and Wi-Fi connection information. However, the permission tools were silent as to any transfer to third parties or whether data would be used for IBA.

In response, iTriage agreed to add IBA disclosures in the app stores, in the app, and in its privacy policy. It also agreed to add an “Interest Based Ads” link to the footer of website pages where data for IBA is collected by third parties. Finally, iTriage also agreed to cease collection of precise location information and to collect only ‘coarse’ location information (iTriage clarified that it did not collect sensitive health or personal directory information for IBA purposes). The OIBAAP considers the matter tentatively closed, but retained jurisdiction while iTriage completes the promised updates.

Sega’s Sonic Runner (game app)

  • Collected, and allowed third parties to collect Device IDs & Precise Location Data without providing notice
  • Collected the above information on children
    • continued to collect irrespective of data entered during the ‘age gate’ at app open
  • Failed to provide enhanced notice in its privacy policy
  • Failed to provide opt-out information in its privacy policy
  • Failed to state adherence to DAA principles in its privacy policy
  • Failed to provide IBA disclosures either during download or upon first opening the app
  • Failed to provide links to the privacy policy in the app

In response, Sega pulled the app from the app store, notified users of the compliance issue, and forced updates to a fixed version of the app. Additionally, Sega agreed to add a privacy policy to the app that calls out IBA disclosures, adherence to DAA principles, and how to opt-out. The OIBAAP considers the matter closed.
These are the 67th and 68th public actions taken by the Accountability Program.
http://www.asrcreviews.org/inquiry-reveals-flaws-in-popular-mobile-apps-privacy-notices/
jbho: A reminder that industry standards do have teeth. If a company doesn’t cooperate, they could be referred to the FTC.

And the BBB appears to be watching closely. Remember they recently announced they hired tech company Kryptowire to help them inspect websites & apps for compliance with DAA principles. http://www.asrcreviews.org/accountability-program-announces-work-with-kryptowire/
