The Online Interest-Based Advertising Accountability Program issued its 90th decision in a case involving Vdopia, Inc.’s Chocolate, a mobile video ad exchange and mobile SDK mediation platform.
Routine monitoring of a popular dating app revealed that Chocolate was collecting user data (including device identifiers and precise geolocation data) for interest-based advertising (IBA) without satisfying the transparency and control requirements set forth in the Digital Advertising Alliance’s (DAA) Self-Regulatory Principles. The transgressions appeared both in the mobile format and on the company’s own website, the Accountability Program found.
As Chocolate is a third party as defined in the Mobile Guidance of the DAA Principles, it is subject to an enhanced notice requirement for cross-app data. First and third parties share responsibility for providing enhanced IBA notice, with each independently responsible for ensuring that notice is provided to the customer. Third parties must also give users a choice with respect to their collection and use of cross-app data for IBA. The collection and use of precise location data triggers additional notice and consent requirements under the DAA Principles, but none of these requirements were met, the self-regulatory body said.
In addition to reviewing Chocolate’s mobile compliance, the Accountability Program assessed the company’s compliance with the desktop-based Online Behavioral Advertising (OBA) Principles. That evaluation found the company lacked a statement of adherence to the Principles as well as an opt-out mechanism with a life span of five years or longer. Chocolate also failed to provide consumers with a clear description of the IBA data collection practices that were conducted on its website.
Upon receipt of the Accountability Program’s inquiry letter, Chocolate “immediately” conducted a thorough review of its IBA practices and took “clear and decisive action” to achieve compliance with all the Self-Regulatory Principles, according to the decision.
With respect to the Mobile Guidance, Chocolate updated its privacy disclosures to include a statement of adherence to the DAA Principles, amended its contractual documents to bind its partners in the digital ad chain to provide enhanced notice to users, and provided consumers with instructions on how to opt out of its IBA by accessing device-level opt-out settings.
As for geolocation data, Chocolate added language to its privacy disclosures about the collection and an explanation of how users can withdraw consent.
To achieve compliance with the OBA Principles, Chocolate made several tweaks to its website by (1) adding a statement of adherence, (2) updating its opt-out mechanism to ensure it persists for five years and (3) providing a description of third-party IBA activity taking place on the site and including a link to the DAA’s WebChoices page.
Why it matters: The decision is the first under the Accountability Program’s latest enforcement initiative that focuses on video advertising. The decision demonstrates the flexibility and agility that distinguish self-regulation, the Accountability Program noted. “Self-regulation can keep pace with the evolving mobile ads market, adapting general privacy principles to meet novel and complex ad implementations,” Jon Brescia, director of Adjudications and Technology for the Accountability Program, said in a statement. “Today’s decision is proof of that.”