As the summer winds down and students begin a new school year, enforcement in the mobile ad space may ramp up. App developers will want to pay close attention as those who will do the enforcing will be paying particular attention to how users’ geolocation and personal directory data is used in mobile apps.
September 1st marks the beginning of the Council of Better Business Bureau’s (CBBB) Online Interest-Based Advertising Accountability Program’s (Accountability Program) enforcement of the Digital Advertising Alliance’s Self-Regulatory Principles for companies collecting interest-based data across sites or apps. And with a rapidly growing mobile space, one currently worth $31.9 billion, this is no small endeavor.
What will enforcement mean? Well, first off, the process is complaint-driven. Member companies of the Direct Marketing Association would put their membership at risk, but since the DAA principles are enforced industry-wide, other businesses out of compliance would have to choose: work with the Accountability Program to ensure compliance, or risk being referred to a relevant regulatory agency and having that decision publicly posted on the Advertising Self-Regulatory Council website.
“The world of app developers is a huge and diverse world,” said CBBB’s Accountability Program Vice President and Director Genie Barton, and so the challenges for monitoring and enforcement will be complex. She noted, however, that the Accountability Program will be "especially vigilant" to ensure businesses "live up to their heightened responsibilities" in this growing field.
Really, according to Barton, there’s a two-pronged challenge in the mobile space: One involves the technical aspects of app development, while the other requires a broad shift in the cultural mindset of app developers. “It’s not a world that has grown up with the concept of privacy by design, so getting people to think about what they’re doing and how they impact the privacy of their users is a huge challenge. Then getting them to engineer transparency and choice into what they’re building is an even bigger challenge,” she pointed out.
A veteran of enforcing the ad ecosystem on the desktop environment, Barton said the stakes are ratcheted up in the mobile ad space because mobile is inherently more personal. Plus, smaller screen sizes and countless and varying mobile apps living in an otherwise cookie-less environment pose new technical challenges for developers attempting to be transparent and to provide ways for users to express choice. Barton said it’s essential that app developers let consumers see what’s going on with their data and that they have a choice about it.
Of course, one of the unique characteristics of the mobile environment is geolocation. Barton said the BBB will certainly pay close attention to the geolocation practices of apps, but a bigger focus will be placed on what apps are doing with user directory data—including contacts, calendar data, photos and videos. Most phones already provide users with a means for controlling how their location is shared, but the same cannot be said of users’ directory data. Barton also said, in general, users may not be as aware of how susceptible their contact lists, calendar appointments, videos and photos are to sharing without their consent.
App developers must provide users with notice, Barton said, and the choice to opt out of sharing their geolocation and directory data prior to transferring any of that data. Yet, she admits, to do so, app developers and engineers will likely have to be innovative because different mobile operating systems offer different levels of granularity for engineering notice and choice. So, for example, an app may need to use certain directory data so that users can share photos among friends, and since some operating systems may not provide the level of granularity for developers to explain why the use of such data is necessary, companies must look for effective ways to inform their users without interrupting their service’s functionality.
Barton said businesses should then ask themselves: Do I collect precise geolocation data? Or do I collect user-generated data like photos, contacts, calendar information or videos? If yes, enhanced notice is required before any collection commences. Plus, consumers must give affirmative consent and clearly know how to withdraw that consent down the road.
Companies must build in functionality for being transparent about what data they are collecting and with whom they share it, Barton noted, adding, “Unless it’s obvious to the user, then it’s incumbent on the developer to make sure the individual knows about” what data is being collected and shared.
Barton was also careful to point out that the CBBB is not out there just to take action against the bad actors. She said the CBBB is willing and able to help companies and app developers understand what is required of them. “We are open to any company to call or email us with questions or problems,” she said, adding, “If they call us before we write to them, then there will not be a public action.”
“I’m hoping with our enforcement that we will be nudging companies to find innovative ways to explain what they’re doing,” Barton explained. “We have never started with the gray areas,” she said about the agency’s enforcement activity. “We start with the most obvious things.”
So, are you in compliance? If not, you should contact Genie Barton and the CBBB.