October 18, 2018
The Digital Advertising Alliance (“DAA”) is a non-profit organization formed and governed by several leading advertising and marketing trade associations. It has enacted and employs several privacy-related self-regulatory principles (the “DAA Principles”) applicable to digital advertising data collection and use. The DAA Principles cover entities engaged in Internet-based advertising and seek to provide consumers with transparency and choice and, in some instances, require the express consent of the consumer. The DAA Principles apply to multi-site data and cross-application data gathered from desktops and mobile applications. The DAA operates in association with the Digital Marketing Association (“DMA”), the Council of Better Business Bureaus (“CBBB”) and the CBBB’s Advertising Self-Regulatory Council, in seeking to cooperatively ensure accountability and enforcement of the DAA Principles through the CBBB’s Online Interest-Based Advertising Accountability Program (the “Accountability Program”). Consumers and businesses are free to report any practices or advertisements that may violate the DAA Principles to the DMA or the CBBB. The CBBB coordinates the investigation of all complaints and reports on cases.
Do the DAA Principles Require that Consumers Provide Express Consent Prior to Data Collection and Use?
The DAA Principles distill all involved parties into either a visitor, a first party (i.e., a website operator,) a third party (i.e., unaffiliated entities, such as advertising networks and data companies) or a service provider (such as an Internet access provider or search engine). Any first party that allows third parties to collect visitors’ web browsing data or transfers such data to third parties for the purpose of serving visitors with tailored ads on non-affiliate websites, must provide such visitors with both notice and enhanced notice as prescribed by the DAA Principles. Specifically, a first party must provide notice – i.e., its website must include a disclosure that describes the Internet-based advertising taking place. That disclosure, in turn, must contain either a link to an industry-developed consumer choice page (such as www.aboutads.info/choices) or it must list every third party that conducts Internet-based advertising on the website.
The DAA Principles which provide “Mobile Guidance” are applicable to data collection through mobile applications for use in Internet-based advertising and have been adapted from the desktop-oriented principles. The same core requirements apply, namely, notice, enhanced notice and consumer choice. For mobile apps, the required enhanced notice link relating to consumer choice obligates a first party to provide a link to the third party’s opt-out mechanism. It must be provided prior to download (in the app store), during download, on the first opening of the app or at the time the cross-app data is first collected.
There are heightened obligations on first parties when it comes to the collection of precise location data through mobile apps. In addition to the notice and enhanced notice requirements prescribed by the DAA Principles (as set forth above), first parties must also obtain express consent from the user prior to collection and use of such data for Internet-based advertising. Express consent should be obtained by means of a consent tool which is easy to use, and which should apply to both the app and the device for which the consent is to be obtained. Moreover, the first party must also allow the mobile app user to withdraw her/his consent to the collection of precise location data at any time.
The CBBB recently reported on a consumer complaint concerning the website and mobile app of Finish Line, Inc., an athletic shoes retailer. In order to resolve some of the compliance issues that were raised in that matter, Finish Line developed a pop-up dialogue box that was presented to users when they first opened the Finish Line app — providing up-front notification, the required disclosures and addressing the concerns presented by the Accountability Program.
Proceed with Caution, Make Sure that You Obtain Express Consent
We have previously blogged about Vermont’s recent Data Broker Law, the first in the country to impose a regulatory scheme for data brokers who collect data points on consumers and sell that information to service providers. We have also blogged about consumer privacy, consumer protection laws, and various regulatory matters affecting this sector. In addition, as detailed herein, it is important that companies become familiar with the self-regulatory obligations imposed by Internet marketing trade associations.
If you are interested in learning more about this topic or ensuring that your business is compliant with digital advertising self-regulatory schemes and state and federal consumer protection statutes, please e-mail us at email@example.com or call us at (212) 246-0900.
The material contained herein is provided for information purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.
Related Blog Posts:
Comparing the California Consumer Privacy Act and the EU’s General Data Protection Regulation
 First parties must also disclose their adherence to the DAA Principles on their respective websites.