Skip to content

It looks like we may have content for your preferred language. Would you like to view this page in English?

DAA Releases Mobile Privacy Guidelines

The Digital Advertising Alliance (DAA), a self-regulatory group comprised of advertising and media companies, released mobile privacy guidelines which supplement the DAA's Self-Regulatory Principles for Online Behavioral Advertising ("OBA Principles") and Multi-Site Data ("MSD Principles"). In the future, the DAA intends to release a consolidated set of Self-Regulatory Principles that integrates the mobile guidelines with the OBA Principles and MSD Principles, resulting in one uniform set of Principles. The Network Advertising Initiative, coordinating with the DAA, also released mobile guidelines on the same day, which are directed to third-party advertising companies.

The DAA's mobile guidelines, called Application of Self-Regulatory Principles to the Mobile Environment, apply to the mobile app and mobile web site environments and establish notice ("transparency") and consent ("control") requirements and options for Cross-App Data, Precise Location Data, and Personal Directory Data. Cross-App Data is "data collected from a particular device regarding application use over time and across non-Affiliate applications." Personal Directory Data includes calendar, address book, phone/text log, or photo/video data created by a consumer that is stored on or accessed through a particular device. Precise Location Data is data obtained from a device about the physical location of the device that is sufficiently precise to locate a specific individual or device. Precise Location Data may include data obtained from cell tower or Wi-Fi triangulation techniques, or latitude-longitude coordinates obtained through GPS technology, if such data is sufficiently precise to locate a specific individual or device. Precise Location Data does not include five-digit ZIP code, city name, general geographic information whether derived from an IP address or other sources, or information that does not necessarily reflect the actual location of a device such as information entered by a user or a billing address associated with an account.

The guidelines enumerate the responsibilities for First Parties (typically, the owner of the mobile app or the operator of a mobile web site, and their Affiliates) and Third Parties (such as ad networks and analytics companies) with respect to each of these kinds of data.

The notice and consent provisions do not apply:

(a) For operations and system management purposes, including:
    (i) intellectual property protection; 
    (ii) compliance, public purpose and consumer safety; 
    (iii) authentication, verification, fraud prevention and security; 
    (iv) billing or product or service fulfillment, including improving customer experience or ensuring a high quality of service; or 
    (v) Reporting or Delivery;

(b) For Market Research or Product Development; or

(c) Where the data has or will within a reasonable period of time from collection go through a De-Identification Process.

The guidelines also state that Cross-App Data, Precise Location Data, and Personal Directory Data should not be collected, used, or transferred for employment, insurance or credit eligibility, or health care treatment. Furthermore, except for operations or system management purposes, a Third Party should not collect and use Cross-App Data or Personal Directory Data containing financial account numbers, Social Security numbers, pharmaceutical prescriptions or medical records about a specific individual without consent.

Regarding data security, the guidelines state that entities should maintain appropriate physical, electronic, and administrative safeguards to protect Multi-Site Data, Cross-App Data, Precise Location Data, and Personal Directory Data.

The new guidelines should remind all entities in the mobile environment of the importance of cataloguing who is collecting data, what types of data are collected, and how data is used and shared, and developers of mobile apps and other mobile initiatives should consult these and other mobile privacy guidelines at the beginning of the development process.
This client alert is a publication of Loeb & Loeb LLP and is intended to provide information on recent legal developments. This client alert does not create or continue an attorney client relationship nor should it be construed as legal advice or an opinion on specific situations.

Circular 230 Disclosure: To assure compliance with Treasury Department rules governing tax practice, we inform you that any advice (including in any attachment) (1) was not written and is not intended to be used, and cannot be used, for the purpose of avoiding any federal tax penalty that may be imposed on the taxpayer, and (2) may not be used in connection with promoting, marketing or recommending to another person any transaction or matter addressed herein.