United States: Increased Scrutiny On Notice And Choice For Use Of AD Profiling, Especially Using Mobile Location Data

Are you an app publisher or do you advertise via mobile apps or obtain marketing data that originates from them? If so, you need to beware that regulators and consumer protection authorities are taking action against companies with regard to the notice and choice, or lack thereof, they are providing to consumers for the collection of their precise location data on mobile devices. The Digital Advertising Alliance (DAA) recently held a presentation (DAA Presentation) which highlighted what transparency and choice consumers should be provided in connection with the collection of such location data. Among the speakers was Jon Brescia, Director of Adjudications and Technology of the Advertising Self-Regulatory Council (ASRC) Online Interest-Based Advertising Accountability Program (OIBAAP), which enforces the DAA's self-regulatory principles. For one, the DAA requires that consumers be provided enhanced notice of location awareness for advertising purposes during the process of downloading the mobile application (pre-install), at the time the application is opened, or at the time such data is collected and in the application's settings or any privacy policy. Based on conversations we have had with the OIBAAP, and suggestions made during the DAA Presentation, enhanced notice can be provided ether in the precise location data permission box of the mobile application or in a pop-up that appears immediately before the permission box is displayed. This is consistent with the position taken by the Los Angeles city attorney in a lawsuit regarding a commercial mobile application discussed below. Companies should evaluate the adequacy of the notice and choice they are providing to consumers and supplement their practices where necessary to meet self-regulatory best practices and avoid becoming the subject of an enforcement action or a lawsuit.

Self-Regulatory Recommendations:

The DAA establishes and enforces privacy practices for digital advertising. The ASRC, administered by the Council of Better Business Bureaus, establishes the policies and procedures for advertising industry self-regulation, including the Online Interest-Based Advertising Accountability Program (OIBAAP), which bases its enforcement standards on the DAA's self-regulatory codes and principles (DAA Principles), which are enforceable against any publisher, advertiser or related intermediary. Further, the Network Advertising Initiative (NAI) sets forth self-regulatory codes that are enforceable against all NAI member companies (NAI Principles) (who must agree to uphold the NAI Principles in order to qualify for membership), which in turn require publishers and advertisers they work with to also comply with the NAI Principles.

The DAA Principles require notice be provided to consumers that their data regarding their usage activities may be collected by third parties over time and across services, and/or that their cross-device usage and/or precise location may be tracked, and that such data may be used for interest-based advertising (IBA), including for retargeting. Required notices include both notice in privacy policies and certain enhanced notice requirements. According to input we have received from the OIBAAP, privacy policies should have a jump link at the top directing consumers to where they can learn more about how they can exercise certain choices regarding IBA through the DAA/NAI opt-out programs, and include a statement that the company supports the self-regulatory principles. However, we recommend that privacy policies make clear that the company is not responsible for the effectiveness of, or compliance with, any third-parties' (e.g., DAA and NAI) opt-out programs or the accuracy of their statements regarding their programs. The DAA's self-regulatory program also requires companies to add an enhanced notice link in the footer or header of every website page with which IBA is associated that deep links to the section of the company's privacy policy where there is a description of and further link to an IBA opt-out opportunity. If a service tracks precise location for advertising, or otherwise shares precise location information with third parties, the OIBAAP expects that it include enhanced notice of that before asking for access to precise location. As explained above, this can be done by means of a pop-up before the location permission box of the two dominant mobile operating systems (OS) is presented on the mobile application or by customizing the permission box. The OIBAAP would prefer that the disclosure have a link to the more detailed disclosure and opt-out link in the privacy policy, although the DAA Principles do not expressly require this. Both of the dominant mobile OS provide instructions to users on how to use OS controls, which we suggest app publishers link to these in the location tracking section of their privacy notices. For mobile, the OIBAAP expects enhanced notice of IBA generally, of any cross-device tracking for IBA, and of any collection of precise location IBA or otherwise for third parties to be, at minimum, noted in the top half of the first page of the privacy policy, with a jump link to the fuller explanation and a link to the DAA opt-out page.

The DAA and OIBAAP expect that publishers and advertisers will only work with IBA vendors that accept and abide by the DAA's principles. In enforcing the DAA Principles, the OIBAAP independently seeks out noncompliance and brings enforcement actions against publishers, advertisers and their intermediaries. None of the DAA, ASRC or OIBAAP have the power to issue penalties, but the OIBAAP does publicly publish their findings and has in the past made referrals to the Federal Trade Commission (FTC) to investigate practices that might be deceptive or unfair under the FTC Act.

Self-Regulatory Authority Investigation:

On Jan. 28, 2019, the OIBAAP released a new decision resulting from consumer complaints filed with the Better Business Bureaus, which demonstrates the program's efforts to bring publishers into compliance with the DAA Principles, including by providing enhanced notices to consumers. The OIBAAP began investigating a publisher's privacy practices after receiving consumer complaints, and its inquiry determined that the publisher's "homepage allowed third-party advertising companies to collect data for targeted advertising but did not provide real-time, 'enhanced' notice to end users." Further the OIBAAP also found that "a third-party company was collecting precise location data through one of the publisher's mobile apps, raising a possible issue with the publisher's compliance with" the DAA's mobile guidelines. According to the OIBAAP, the publisher immediately committed to complying with the DAA Principles upon receiving the inquiry letter and worked to remedy the issues identified, by doing the following:

  • "Updat[ing] its website footer to provide enhanced notice to its website visitors.
  • Modif[ying] its privacy disclosures so users could receive enhanced notice when they visited its mobile apps' pages in the...app stores.
  • Updat[ing] the relevant mobile app to disable collection of precise location data by third-party advertisers, as the company never intended for this to occur and was unaware that this collection had been occurring."

These remediation commitments should guide companies in their IBA notice and choice practices.

The Weather Channel Lawsuit

Los Angeles City Attorney, Michael Feuer, recently brought a lawsuit against The Weather Channel (TWC) on behalf of the people of the state of California for serving geolocation-specific advertisements through its mobile application (app) without allegedly sufficient notice and consent. The People of the State of California v. TWC Product and Technology, LLC, Los Angeles Superior Court Case No. _ (filed Jan. 3, 2019) (complaint). The suit is being brought under California's Unfair Competition Law (the UCL) as an unfair and deceptive practice. California Business and Professions Code Sections 17200 et seq. The suit asserts that TWC "deceptively collected, shared and profited from the location information of millions of American consumers," using their data for practices such as targeted marketing and hedge fund analysis.

The city attorney's claim of insufficiency of transparency and choice is brought notwithstanding that the app's privacy policy and settings disclose that geolocation may be shared with third parties for commercial purposes and used for advertising. The complaint alleges that since the pop-up request for consent to track location (a requirement of the two dominant mobile OS) does not explain these uses, nor does the app's description in the app store, the privacy policy and settings disclosures are inadequate, because users would not have "any reason to believe that their location will be used for anything other than personalized local weather, data, alerts and forecasts. Users therefore have no reason to seek such information by combing through the app's lengthy 'Privacy Policy' and 'Privacy Settings' sections – buried in each of which are opaque discussions of TWC's potential transmission of geolocation data to third parties and use for additional commercial purposes. Indeed, on information and belief, the vast majority of users do not read those sections at all."

In other words, the theory of the case is that it is a deceptive and unfair practice under California law to rely on consent to enable location awareness generally and a disclosure of the advertising and other commercial uses of that data collection in the privacy policy, rather than to provide far more clear, conspicuous and proximate notice of the data practices. If successful, this case could move transparency and choice best practices to a legal baseline, and in doing so alter the way many website and mobile app publishers provide notice of things like interest-based and location-aware advertising. It could also open the litigation floodgates, since the UCL permits class actions by private plaintiffs.

The suit seeks civil penalties of up to $2,500 for each violation of the UCL. In these cases, a judge determines the number of violations and the amount of the penalties based on the AG's recommendations, but the number of incidents could be calculated broadly based on number of users and data uses, in which case the potential penalties could be enormous. This case reflects a growing trend of increased sensitivity by consumers, lawmakers, regulators and consumer protection authorities regarding the ways companies collect, use and share consumer data, and what transparency and choice they provide data subjects. It also demonstrates that even without specific privacy legislation such as that recently passed by California (see our prior posts here and here), state and local prosecutors, and in many states private plaintiffs, may be able to challenge commercially commonplace data practices under state unfair and deceptive practices acts and other consumer protection laws of general application.

Although we do not necessarily agree with the city attorney that a failure by TWC to provide more specific particularity around its geolocation practices constituted deceptive or unfair practices, considering the position the city attorney has taken, we recommend that companies consider adopting some kind of enhanced notice. For instance, as suggested by the Los Angeles city attorney, the description of the app in the app store could explain that the app is ad-supported and uses the user's location to send location-relevant ads. Consistent with the recent DAA/ASRC/OIBAAP recommendations, there should be enhanced in-app notice as part of the app download and onboarding process, such as use of a pop-up or push notification. Publishers may even be able to provide a customized location permission request alert. One of the dominant OS allows apps to provide a custom text known as a purpose string or usage description string for display in the system's permission request alert. While many apps in the United States lack custom language around location in the permission request, we have seen a higher level of particularity within these requests in the EU. For example, many EU app disclosures state that location will be used for "geographically relevant ads." This is not surprising, since EU law, unlike U.S. law, specifically requires explicit consent to collection and particular uses of geolocation data. Here, TWC did use a custom permission request alert, which stated, "Allow 'The Weather' to access your location? You'll get personalized local weather data, alerts and forecasts." If that notice had included "and location-relevant ads," that might have been enough for the company to avoid the claims of inadequate notice and choice.

It is significant to note that this is not the first case of this kind. The FTC and other states have brought similar actions against companies for deceptive business practices around disclosures of location tracking practices. Prior cases, however, have involved publishers providing an opt-out from GPS location tracking while continuing to track location using other methods such as Wi-Fi tower proximity, and not explaining to users that the opt-out really did not stop location tracking, just merely one form of it. Those cases are markedly different from the Weather Channel case, which is really about enhanced notice. We will monitor this case and report on how it progresses.

State and Federal Guidance:

The California attorney general issued guidance in 2013 on recommendations for mobile app privacy notice and practices – "Privacy on the Go." The FTC published similar guidance also in 2013 – "Mobile Privacy Disclosures, Building Trust Through Transparency." The guidance provided by the California attorney general recommends providing a notice that location data will be collected, and an option to allow or prevent the practice. Similarly, the FTC recommends providing a "just-in-time disclosure to consumers and obtain their affirmative express consent before allowing apps to access sensitive content like geolocation." While both are mere recommendations and not regulatory requirements, companies should review their website and mobile app privacy practices and notices and take these recommendations into consideration in deciding whether they need to provide more enhanced notice or greater data subject control.

While TWC appeared to be following the recommendations from the California attorney general and the FTC regarding mobile app privacy and providing notice of location tracking practices, the Los Angeles city attorney is seeking a level of transparency beyond even what the attorney general and FTC have suggested as best practices. Interestingly, in December, a major social media platform was fined under a similar action in Italy. The fine was not brought by the Italian Data Protection Authorities, but instead was issued by the Italian Competition Authority (ICA). The ICA found the social media platform to be in violation of Articles 21 and 22 of the Italian Consumer Code for misleading consumers about how their data will be used for commercial purposes. Accordingly, there appears to be a worldwide trend of applying consumer protection laws of general application to data practices. The standards for measuring deception and unfairness when it comes to transparency and choice may be evolving.

Takeaway

Enhanced transparency and choice are necessary to meet self-regulatory requirements and will help avoid potential unfair practice claims. Companies should evaluate the ways they give notice of data practices, especially those that might arguably be unexpected by data subjects, and consider when and how to give enhanced notice and choice. For more information, contact the authors.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions