The Digital Advertising Alliance (DAA) recently announced that self-regulatory enforcement of its cross-device guidance will begin in February 2017. Accordingly, companies that engage in cross-device tracking and targeting—including website and mobile app publishers that allow third parties to collect information for purposes of delivering ads to the same consumer across multiple devices—should ensure that they comply with the DAA’s guidance. Failure to do so could result in an Accountability Program enforcement action beginning on February 1, 2017.
The DAA’s cross-device guidance, titled “Application of the DAA Principles of Transparency and Control to Data Used Across Devices,” was originally published in November 2015, on the same day that the Federal Trade Commission (FTC) held a workshop on the topic. The DAA’s guidance outlines how its existing self-regulatory principles—which historically have applied to the collection and use of information on a particular browser or device—will now apply to the collection and use of information from the same user across multiple browsers or devices. In a nutshell, the DAA’s cross-device guidance requires that companies:
- disclose the fact that data collected from a particular browser or device may be used on another computer or device, in a manner consistent with the DAA’s existing Self-Regulatory Principles for Online Behavioral Advertising, Multi-Site Data Principles, and Application of Self-Regulatory Principles to the Mobile Environment (“Mobile Guidance”) (collectively, the “Principles”); and
- ensure that the choice made by consumers under the existing Principles (e.g., the consumer choice mechanism or “opt-out”) prevents data collected from a particular browser or device, on which the choice is exercised, from being used on another computer or device (and vice versa) or transferred to an unaffiliated third party for such purposes.
In practical terms, this requires both first parties (e.g., websites and mobile apps) and third parties (e.g., advertising technology companies) to disclose cross-device tracking practices in their privacy policies, as well as provide “enhanced notice” of such practices through clear, meaningful, and prominent links outside of the privacy policy. Such “enhanced notice” may be provided by: (a) displaying the DAA’s “Advertising Options” icon in or around ads delivered using cross-device tracking technology; (b) adding a clear and conspicuous link titled “Ad Choices” on webpages where information is collected or used for cross-device tracking purposes; and/or (c) including a link to relevant cross-device tracking disclosures from the mobile app stores and app settings menu. The DAA’s cross-device guidance also requires that the opt-out choices made available to consumers for interest-based advertising (such as through the DAA Consumer Choice Page or DAA App Choices tool) must also stop cross-device targeting on the device from which the consumer opted out.
The DAA’s announcement comes on the heels of several enforcement actions against mobile app developers for alleged failures to comply with the DAA’s Mobile Guidance. The upcoming enforcement deadline on February 1, 2017, therefore serves as yet another reminder that companies should think broadly about how they comply with privacy best practices for online advertising in various contexts and across platforms and devices.