Three popular app publishers have changed their privacy practices after the enforcement arm of the Better Business Bureau found they were out of compliance with accepted self-regulatory standards. The makers of Spinrilla, Top Free Games, and Bearbit Studios were found to be out of compliance with the Digital Advertising Alliance’s Self-Regulatory Principles.
“Today’s cases send a simple, direct message to mobile app developers and the advertising companies whose services support them: the Accountability Program is watching,” said Council of Better Business Bureaus VP and Accountability Program Director Genie Barton. “Our mission is to build trust between consumers and companies interacting on mobile devices, to the benefit of both,” she added.
Essentially, the published actions by the ASRC serve as both a warning and a lesson for companies in the mobile space. The decision against Spinrilla focused on the company’s use of geolocation data without providing informed consent. The company makes a “top-rated audio app” that allows users to listen to digital mixtapes. Spinrilla had been allowing third parties to collect a user’s precise geolocation for use in behavioral advertising.
“The company was unaware of its responsibilities under the DAA principles,” an ASRC press release states. Since being contacted by ASRC, the company has “decided to rescind third-party permissions to collect precise location data” and has added transparency and notice within descriptions seen in the Google and Apple app stores, along with instructions for IBA opt out.
The latter two decisions focused on poor data collection practices involving children’s data. Both developers publish several popular games aimed at children under the age of 13. In its investigation of both, the Accountability Program found that both allowed third parties to collect persistent identifiers used for advertising.
Under the DAA’s Sensitive Data Principle, collection and use of children’s data for interest-based advertising is prohibited. Both apps have now implemented “age gates” to flag users under the age of 13. Like Spinrilla, both have also implemented notice and opt-out instructions for IBA.
The ASRC was able to scan these apps through the pro bono work of Virginia security firm Kryptowire. According to a second ASRC press release, Kryptowire’s technology widens the scope of apps the Accountability Program can examine for self-regulatory compliance.
Barton explained that the ASRC now has “access to sophisticated monitoring capabilities to detect violations.” In a separate press release announcing its relationship with Kryptowire, Barton said, “The ever-expanding list of mobile apps available on the Internet presents an enormous challenge to regulators and self-regulators like us. We are delighted to have Kryptowire assist in our effort to protect consumer privacy on mobile devices, where it is arguably needed the most.”
Kryptowire CEO Angelos Stavrou said, “Being able to automatically analyze and understand what data mobile apps collect, how they protect it, and whom they share it with is crucial because mobile applications are becoming the preferred way of conducting business and targeting the consumer market.”
Barton sees these moves as both a warning and a call to action for companies that may not know they’re covered under the DAA principles. She also welcomes a dialogue with companies that have questions about their compliance obligations: “We advise any company grappling with implementation questions in these early days of mobile compliance—contact us for help, before we contact them with a formal inquiry.”