WHAT DO WE MEAN BY THIRD-PARTY DATA COLLECTION?
– Analytics Providers
– Ad Networks
– Creative Optimization
– Exchanges
– Social Sharing Widgets
– Platforms: SSPs, DSPs
– Data Aggregators
REGULATORY BACKGROUND
• FTC Act: prohibits deceptive and unfair practices
• Special attention to health, financial, precise location, children’s data, and “user files” such as contacts, calendars
• Amended COPPA:
– Expanded definition of PII to include persistent identifiers used for targeted marketing
– Covers third-party data collection
– Strict liability for first party; “actual knowledge” for third party
REGULATORY BACKGROUND (CONT’D)
• Specialized requirements for regulated entities:
– Gramm-Leach-Bliley, HIPAA
• States: “Little” FTC Acts, privacy-specific statutes like Cal OPPA, common law
– Cal AB370: amends Cal OPPA to require companies to disclose how they respond to DNT signals (i.e., whether they honor them)
CURRENT SELF-REGULATORY LANDSCAPE FOR DESKTOP
– Digital Advertising Alliance (DAA) Principles for OBA
– DAA Multi-Site Principles
– Network Advertising Initiative (NAI) Code of Conduct for Interest-Based Advertising
DAA OBA PRINCIPLES
• Covers the entire ecosystem, including technology providers, advertisers, and website publishers
• “Enhanced” notice of third-party data collection
• Link to choice mechanism
– Tip: Review the messaging around the choice mechanism so it is clear what the opt-out covers (and what it does not cover).
• In-ad notice
NAI INTEREST-BASED ADVERTISING CODE OF CONDUCT
• Only binding on NAI member companies, but may affect your data collection and use practices if you work with NAI member companies
• Notice and choice must be provided where members collect data
for Interest-Based Advertising
• Limits on merger of non-PII collected across sites/apps with PII
• Member companies required to: (1) describe technologies used for data collection; (2) disclose data retention periods; (3) disclose health-related interest segments.
CURRENT SELF-REGULATORY LANDSCAPE FOR MOBILE
– What rules?
• DAA Principles for Mobile
• DAA Multi-Site Principles
• NAI Mobile Code
• NTIA Mobile Transparency
– What is covered?
• Cross-App Data
• Precise Location
• Personal Directory Data
DAA MOBILE PRINCIPLES
• Principles apply only to the extent third parties are collecting data from your apps, and only to the extent they are “affirmatively authorized” to do so
• “Cross-App Data”: “data collected from a particular device regarding application use over time and across” non-affiliated applications.
• Notice: As part of download, when opened for first time, or when cross-app data is first collected; or by the third party, in or around ads
• Indicate adherence to principles
• Opt out only required for interest-based advertising; activities such as ad delivery, frequency capping, and analytics do not require choice.
DAA MOBILE PRINCIPLES (CONT’D)
• Precise Location Data: “data obtained from a device about the physical location of the device that is sufficiently precise to locate a specific individual or device”
– Does not include zip code, city name, or general geographic information derived from an IP address.
– Give notice and obtain “consent” for transfer/third-party collection (can be obtained through device settings).
• Personal Directory Data: “calendar, address book, phone/text log, or photo/video data created by a consumer that is stored on or accessed through a particular device”
• Do not authorize third-party collection of Personal Directory Data without the consumer’s “authorization.”
NAI MOBILE APPLICATION CODE
• Categories of data and definitions nearly identical to the DAA’s mobile principles: Cross-App Data, Precise Location Data, and Personal Directory Data, but NAI Code imposes some additional requirements:
– Always provide notice on own site and require apps to provide notice in app stores
– Disclosure of technologies used, data retention policies, health-related targeting
– Limits on use of PII
– Opt out must be reasonably easy to use
NTIA MOBILE TRANSPARENCY CODE
• Code “adopted” for testing
• Governs short-form notices only; long-form notices are encouraged but not required
• Disclose types of data collected, data sharing (including ad networks, data brokers, analytics providers, and social networks)
• Short-form disclosure not required where collection or sharing is to “maintain, improve or analyze the functioning of the app,” for frequency capping, etc.
NTIA MOBILE TRANSPARENCY CODE (CONT’D)
• Categories of data that the app does not collect: the Code allows the app to list them in smaller text, or to state that it does “not collect” those categories, but all categories must be shown (biggest point of contention in the group)
• Encourages UI experimentation, within prescribed boundaries
• Speaks to disclosure obligations only, not underlying data collection and use practices
BENEFITS OF THIRD-PARTY DATA COLLECTION
• Consumers
– Customized content
– More relevant online experience
– Less repetitive ads
• Publishers
– Better understanding of how sites/apps are used
– Allow users to bring friends to your site
– Monetize sites and apps with non-endemic advertising opportunities
• Advertisers
– Bring users back
– Help drive traffic to your site
– Help select the right creative
RISKS OF THIRD-PARTY DATA COLLECTION
– Consumer Trust
– Enforcement Actions
• Section 5
• COPPA
• State AGs
– Lawsuits
– Reputation: bad press and media inquiries
QUESTIONS TO ASK YOUR THIRD-PARTY PROVIDERS
• How is data collected?
• Who has access to the data collected?
• How long is data retained?
• Are you a member of the NAI, DAA, other industry organizations with formal compliance procedures?
• What does the privacy policy say?
• What consumer choice tools does the company offer (Opt-Out, Preferences Manager, DNT)?
• Do you enable access to third party data sets?
ALLOCATING RESPONSIBILITY
• Retailers/Publishers:
– Notice
– Link to opt out
– Due diligence
• Third parties:
– Notice
– Functioning opt out
– COPPA compliance
– Limits on certain data
OTHER TECHNOLOGIES
• What?
– Flash Cookies, ETags, “Super Cookies”
– HTML5 Local Storage
– Device Identification
– Mobile identifiers
• Questions
– How does it work with other technologies?
– Is it persistent? Is it visible? Is it controllable?
QUESTIONS TO ASK WHEN YOU GET BACK TO THE OFFICE
• What companies are collecting data on my company’s sites or through my company’s apps?
• What technologies are they using?
• What data are they collecting?
– PII
– Precise Location
– Health-related Data
• Are those companies sharing the data they get through my app/site or combining it with data obtained on unaffiliated sites or apps?
• Is the data collection by third parties on my site/app consistent with current notices and permissions?
• Is my company ready for the new mobile rules?
FTC RESOURCES
• 2012 Privacy Report: http://www.ftc.gov/os/2012/03/120326privacyreport.pdf
• 2013 Mobile Privacy Disclosures Report: http://www.ftc.gov/os/2013/02/130201mobileprivacyreport.pdf
• Amended COPPA Rule: http://www.ftc.gov/os/fedreg/2013/01/130117coppa.pdf
• COPPA FAQs: http://www.business.ftc.gov/documents/Complying-with-COPPA-Frequently-Asked-Questions
SELF-REG RESOURCES
• DAA OBA Principles: http://www.aboutads.info/resource/download/seven-principles-07-01-09.pdf
• DAA Multi-Site Data Principles: http://www.aboutads.info/resource/download/Multi-Site-Data-Principles.pdf
• DAA Mobile Principles: http://www.aboutads.info/DAA_Mobile_Guidance.pdf
• NAI Interest-Based Advertising Code: http://www.networkadvertising.org/2013_Principles.pdf
• NAI Mobile Application Code: http://www.networkadvertising.org/mobile/NAI_Mobile_Application_Code.pdf
• NTIA Final Mobile Transparency Code: http://www.ntia.doc.gov/files/ntia/publications/july_25_code_draft.pdf