Continuing its efforts to have app and website operators provide users with enhanced notice about third-party data collection, the Digital Advertising Alliance (DAA) Online Accountability Program recently issued a pair of new decisions.
The first case involved Dine Brands Global, the owner and operator of The International House of Pancakes (IHOP) and Applebee’s. As part of its regular monitoring activities, the Accountability Program visited the restaurants’ websites and observed “a number” of third-party interest-based advertising (IBA) entities known to be collecting data about visitors.
Pursuant to the DAA Self-Regulatory Principles for Online Behavioral Advertising (Principles), all first parties authorizing third parties to engage in IBA on their websites must provide consumers with meaningful notice and choice in the form of enhanced notice.
As the IHOP and Applebee’s sites both lacked the required notice, the Accountability Program reached out to Dine Brands.
In response, the company provided a complete review indicating its compliance with the Principles and also committed to adding an enhanced notice link labeled “Your Advertising Choices” to both the IHOP and Applebee’s websites. When consumers click on this link, it will direct them to updated privacy policy sections, which include a disclosure about third-party IBA on the site and a link to DAA informational pages.
Dine Brands also promised to ensure that an enhanced notice link would be available on other company websites that authorize third-party data collection for IBA.
In the second case, the Accountability Program similarly discovered third parties that collect cross-app data likely for IBA on the Lose It! site—an exercise and weight loss app published by Massachusetts-based FitNow—which also failed to provide enhanced notice for consumers.
One of the third parties also appeared to be collecting location data, the self-regulatory body said.
FitNow took a number of steps to achieve compliance with the Principles, beginning with updated privacy disclosures that featured a jump link to the section in its privacy policy that describes third-party IBA, with a link to instructions about how to opt out of mobile IBA utilizing device-level settings, and a statement of adherence to the Principles.
As for the location data issue, FitNow found that the data was collected for a purpose related to the app’s functionality. To ensure that no accidental exfiltration of such data could occur, the company included a patch to its mobile app that disabled the collection of location data entirely.
To read the Dine Brands Global decision, click here.
To read the FitNow decision, click here.
Why it matters: These decisions continue a “long line” of enforcement actions by the DAA against apps and website publishers for failing to provide users with enhanced notice about third-party data collection. Companies engaged in IBA should take note of these developments and reassess their compliance program to ensure that their data handling and advertising practices are in line with the expansive self-regulatory framework that governs this space. Companies should keep in mind the requirements of the various accountability programs to ensure that enhanced notice and functional opt-outs are provided and, in many circumstances, that consumer consent, where required, has been obtained.
These latest cases emphasize that the DAA’s principles impose notice requirements not only on third parties but also on first parties. Namely, first-party websites that allow third-party data collection (e.g., when third-party ads are shown) must provide a “clear, meaningful and prominent link” on each “Web page where data is collected for OBA.” The link is meant to “take[] information formerly buried in the privacy policy … and make[] it easily accessible to the consumer.” This “enhanced noticed link” should contain a disclosure that “either points to an industry-developed Web page such as the DAA’s Consumer Choice Page (www.aboutads.info/choices) or individually lists all of the third parties engaged in OBA on its website and provides links to each of the respective choice mechanisms.”
Websites and mobile apps that are uncertain as to whether they comply (or need to comply) with the DAA’s enhanced notice requirements should as a first step perform an audit of third-party tracking occurring on their sites and apps—whether by doing an inventory of tags placed on their site/app or by reviewing third-party contracts (or, preferably, both). Third parties, in turn, should increasingly expect to be held to an “enhanced notice” standard regardless, given the gaps in first-party compliance that are likely to occur.