what do we mean by third- · nai mobile application code •categories of data and definitions...


Post on 20-Jul-2020



WHAT DO WE MEAN BY THIRD- PARTY DATA COLLECTION?

– Analytics Providers

– Ad Networks

– Creative Optimization

– Exchanges

– Social Sharing Widgets

– Platforms: SSPs, DSPs

– Data Aggregators


REGULATORY BACKGROUND

• FTC Act: prohibits deceptive and unfair practices

• Special attention to health, financial, precise location, children’s data, and “user files” such as contacts, calendars

• Amended COPPA:

• Expanded definition of PII to include persistent identifiers used for targeted marketing

• Covers third-party data collection

• Strict liability for first party; “actual knowledge” for third party


REGULATORY BACKGROUND (CONT’D)

• Specialized requirements for regulated entities:

– Gramm-Leach-Bliley, HIPAA

• States: “Little” FTC Acts, privacy-specific statutes like Cal OPPA, common law

– Cal AB370: amending Cal OPPA to require companies to state whether they honor DNT signals


CURRENT SELF-REGULATORY LANDSCAPE FOR DESKTOP

– Digital Advertising Alliance (DAA) Principles for OBA

– DAA Multi-Site Principles

– Network Advertising Initiative (NAI) Code of Conduct for Interest-Based Advertising


DAA OBA PRINCIPLES

• Covers the entire ecosystem, including technology providers, advertisers, and website publishers

• “Enhanced” notice of third-party data collection

• Link to choice mechanism

– Tip: Look at messaging regarding choice to make clear what it covers (and what it doesn’t cover).

• In-ad notice


NAI INTEREST-BASED ADVERTISING CODE OF CONDUCT

• Only binding on NAI member companies but may affect your data collection and use practices if working with NAI member companies

• Notice and choice must be provided where members collect data for Interest-Based Advertising

• Limits on merger of non-PII collected across sites/apps with PII

• Member companies required to: (1) describe technologies used for data collection; (2) disclose data retention periods; (3) disclose health-related interest segments.


CURRENT SELF-REGULATORY LANDSCAPE FOR MOBILE

– What rules?

• DAA Principles for Mobile

• DAA Multi-Site Principles

• NAI Mobile Code

• NTIA Mobile Transparency

– What is covered?

• Cross-App Data

• Precise Location

• Personal Directory Data


DAA MOBILE PRINCIPLES

• Principles apply only to the extent third parties are collecting data from your apps, and only to the extent they are “affirmatively authorized” to do so

• “Cross-App Data”: “data collected from a particular device regarding application use over time and across” non-affiliated applications.

• Notice: As part of download, when opened for first time, or when cross-app data is first collected; or by the third party, in or around ads

• Indicate adherence to principles

• Opt out only required for interest-based advertising; activities such as ad delivery, frequency capping, and analytics do not require choice.


DAA MOBILE PRINCIPLES (CONT’D)

• Precise Location Data: “data obtained from a device about the physical location of the device that is sufficiently precise to locate a specific individual or device”

– Does not include zip code, city name, or general geographic information derived from an IP address.

– Give notice and obtain “consent” for transfer/third-party collection (can be obtained through device settings).

• Personal Directory Data: “calendar, address book, phone/text log, or photo/video data created by a consumer that is stored on or accessed through a particular device”

• Do not authorize third-party collection without “authorization.”


NAI MOBILE APPLICATION CODE

• Categories of data and definitions nearly identical to the DAA’s mobile principles: Cross-App Data, Precise Location Data, and Personal Directory Data, but NAI Code imposes some additional requirements:

– Always provide notice on own site and require apps to provide notice in app stores

– Disclosure of technologies used, data retention policies, health-related targeting

– Limits on use of PII

– Opt out must be reasonably easy to use


NTIA MOBILE TRANSPARENCY CODE

• Code “adopted” for testing

• Governs short-form notices only; long-form notices are encouraged but not required

• Disclose types of data collected, data sharing (including ad networks, data brokers, analytics providers, and social networks)

• Short-form disclosure not required where collection or sharing is to “maintain, improve or analyze the functioning of the app,” for frequency capping, etc.


NTIA MOBILE TRANSPARENCY CODE (CONT’D)

• Categories of data that the app does not collect: Principles allow these to be listed in smaller text, or marked “do not collect,” but all categories must be shown (biggest point of contention in the group)

• Encourages UI experimentation, within prescribed boundaries

• Speaks to disclosure obligations only, not underlying data collection and use practices


BENEFITS OF THIRD-PARTY DATA COLLECTION

• Consumers

– Customized content

– More relevant online experience

– Less repetitive ads

• Publishers

– Better understanding of how sites/apps are used

– Allow users to bring friends to your site

– Monetize sites and apps with non-endemic advertising opportunities

• Advertisers

– Bring users back

– Help drive traffic to your site

– Help select the right creative


RISKS OF THIRD-PARTY DATA COLLECTION

– Consumer Trust

– Enforcement Actions

• Section 5

• COPPA

• State AGs

– Lawsuits

– Reputation: bad press and media inquiries


QUESTIONS TO ASK YOUR THIRD-PARTY PROVIDERS

• How is data collected?

• Who has access to the data collected?

• How long is data retained?

• Are you a member of the NAI, DAA, or other industry organizations with formal compliance procedures?

• What does the privacy policy say?

• What consumer choice tools does the company offer (Opt-Out, Preferences Manager, DNT)?

• Do you enable access to third party data sets?


ALLOCATING RESPONSIBILITY

• Retailers/Publishers:

– Notice

– Link to opt out

– Due diligence

• Third parties:

– Notice

– Functioning opt out

– COPPA compliance

– Limits on certain data


OTHER TECHNOLOGIES

• What?

– Flash Cookies, E-tags, “Super Cookies”

– HTML5 Local Storage

– Device Identification

– Mobile identifiers

• Questions

– How does it work with other technologies?

– Is it persistent? Is it visible? Is it controllable?


QUESTIONS TO ASK WHEN YOU GET BACK TO THE OFFICE

• What companies are collecting data on my company’s sites or through my company’s apps?

• What technologies are they using?

• What data are they collecting?

– PII

– Precise Location

– Health-related Data

• Are those companies sharing the data they get through my app/site or combining it with data obtained on unaffiliated sites or apps?

• Is the data collection by third parties on my site/app consistent with current notices and permissions?

• Is my company ready for the new mobile rules?


FTC RESOURCES

• 2012 Privacy Report: http://www.ftc.gov/os/2012/03/120326privacyreport.pdf

• 2013 Mobile Privacy Disclosures Report: http://www.ftc.gov/os/2013/02/130201mobileprivacyreport.pdf

• Amended COPPA Rule: http://www.ftc.gov/os/fedreg/2013/01/130117coppa.pdf

• COPPA FAQs: http://www.business.ftc.gov/documents/Complying-with-COPPA-Frequently-Asked-Questions


SELF-REG RESOURCES

• DAA OBA Principles: http://www.aboutads.info/resource/download/seven-principles-07-01-09.pdf

• DAA Multi-Site Data Principles: http://www.aboutads.info/resource/download/Multi-Site-Data-Principles.pdf

• DAA Mobile Principles: http://www.aboutads.info/DAA_Mobile_Guidance.pdf

• NAI Interest-Based Advertising Code: http://www.networkadvertising.org/2013_Principles.pdf

• NAI Mobile Application Code: http://www.networkadvertising.org/mobile/NAI_Mobile_Application_Code.pdf

• NTIA Final Mobile Transparency Code: http://www.ntia.doc.gov/files/ntia/publications/july_25_code_draft.pdf