
NAI and DAA Self-Regulatory Principles Are Latest Effort to Address Mobile Privacy Concerns

Client Alert | 5 min read | 08.21.13


Recent Happenings in APRM
August 2013

Concern over mobile privacy has increased due to the near-ubiquity of mobile technology in our everyday lives. The fact that mobile devices are almost always on, usually in users' hands or pockets, and often contain an individual's personal information including location, address books, and even financial or medical data, means that unprecedented amounts of data collection can occur—often with users unaware. Additionally, Congress and regulators are realizing that these current privacy issues are just the tip of the iceberg: As the data economy becomes ever more connected, privacy issues will increase in both number and complexity.  

As such, in mid-2012, the FTC hosted "In Short: Advertising & Privacy Disclosures in a Digital World," a public workshop that brought privacy experts from industry, government, and consumer advocacy groups together to discuss the challenges this new technology brings to advertising and privacy disclosures. A few months later, the Agency published a follow-up guide titled "Marketing Your Mobile App: Get It Right from the Start." In February of this year, the FTC showed its continued commitment to addressing mobile's distinctive privacy issues by publishing a staff report, "Mobile Privacy Disclosures: Building Trust Through Transparency," and a guide, "Mobile App Developers: Start with Security." It also announced two settlements regarding privacy in the mobile sphere—one with an app developer which, the FTC charged, collected personal information without user consent or knowledge, the second with a handset manufacturer whose security practices may have created security vulnerabilities that put sensitive information of millions of customers at risk. With these and other actions, the FTC has signaled its increasing attention to mobile privacy issues and intent to remain focused on these issues.

Other governmental entities are providing guidance to the mobile digital economy. Just a few weeks ago, the National Telecommunications and Information Administration (NTIA), part of the U.S. Commerce Department, released a privacy code of conduct titled "Short Form Notice Code of Conduct to Promote Transparency in Mobile App Practices" and earlier this year California Attorney General Kamala D. Harris issued "Privacy on the Go: Recommendations for the Mobile Ecosystem." The concerns also extend beyond our borders: In October 2012, the Office of the Privacy Commission of Canada issued a report titled "Seizing Opportunity: Good Privacy Practices for Developing Mobile Apps" and in February 2013, the EU Article 20 Data Protection Working Party issued an Opinion on Apps on Smart Devices.

With all this governmental interest and guidance, it is no surprise that industry has issued its own self-regulatory principles for mobile ad personal data collection and use. The Digital Advertising Alliance (DAA), which represents media and marketing trade associations, issued guidance entitled "Application of Self-Regulatory Principles to the Mobile Environment," and the Network Advertising Initiative (NAI), which represents online advertising companies, issued its "Mobile Application Code." They jointly released their codes on July 24, 2013, signaling cooperation across both associations. These initiatives follow the January 2012 publication of Privacy Policy Guidelines for Mobile Apps by the Mobile Marketing Association. All three associations are hoping to provide mobile advertising privacy "rules of the road" that are, in the eyes of regulators and legislators, sufficient to protect consumer privacy. In other words, these self-regulatory efforts are an attempt to establish that business takes consumer privacy seriously and that more rigid laws are not necessary.

The two latest entrants to the dialogue, the DAA and the NAI, have focused on the same broad principles laid out in many other guidance documents—including transparency, appropriate notice, consumer choice through opt-outs, and consumer consent. In addition, these new principles address important issues facing online advertisers, including cross-app data, precise location data, personally identifiable data, and sensitive data.

Whether these latest self-regulatory efforts succeed, though, will depend on whether, and how, their principles are implemented. The industry associations have offered broad guidelines without too many specifics for technical implementation; this approach can leave great room for industry to create innovative technological solutions but could also make compliance harder to quantify and more difficult to achieve. As technology develops even more sophisticated mechanisms for data collection and customized advertising, the privacy complexities will only mount.

The NAI and DAA have acknowledged some of the challenges facing their efforts. In the introduction to the NAI Code, the NAI "recognizes that the mobile advertising ecosystem is still in its infancy and is rapidly developing new technologies and business models… As a result, the NAI acknowledges that maintaining an effective Mobile Application Code may require, at least initially, regular iterations… [and] additional guidance documents related to individual requirements." Similarly, the DAA concedes that the DAA Principles themselves have limitations. In the Overview, the DAA states that "it may not be feasible to comply with the Self-Regulatory Principles on the mobile Web in the same manner as in a desktop computer environment" and that, "[f]rom time to time, the DAA may provide guidance on implementation practices." It is clear that these self-regulatory organizations are well aware of the challenges mobile privacy presents; the question is whether they can, on their own, provide solutions that are satisfactory to governing bodies such that new regulations and laws are not needed.
