Advertising Accountability Program inquiries prompt new privacy regulations

The Online Interest-Based Advertising Accountability Program, which is responsible for implementing the “self-regulatory” Principles of the Digital Advertising Alliance (DAA), has published the outcome of two inquiries involving the advertising technology companies Kiip and VRTCAL. In compliance with the Accountability Program’s guidelines, Kiip and VRTCAL were asked to update their privacy and opt-out settings to establish a more secure and transparent experience for consumers.

“Making opt-out tools easy to use and ensuring they are clearly described are essential components of the DAA Principles,” said Jon Brescia, accountability program director of adjudications and technology. “We are pleased to see that Kiip and VRTCAL have taken this philosophy to heart.”

To reinforce the DAA’s Principles and confirm that advertising companies are meeting requirements, the Accountability Program regularly “tests mobile apps for compliance.” During a recent analysis of an undisclosed popular dating app, it became evident that VRTCAL was collecting sensitive data for interest-based advertising (IBA), including specific user location. After further reviewing VRTCAL’s data acquisition methods and privacy policies, the Accountability Program found that the company did not fulfill DAA requirements.

According to the Accountability Program’s release, “VRTCAL immediately indicated its strong support for consumer privacy and self-regulation and worked diligently to come into compliance fully with the DAA Principles.”

To resolve the inquiry, VRTCAL added instructions to its privacy policy and disclosures explaining how to opt out of sharing personal information, made its disclosures of its IBA business practices more transparent, and “revised its contracts to require that its partners get consumer consent before collecting precise location data through apps for IBA.”

The second company to receive an inquiry letter from the Accountability Program was Kiip, a mobile advertising company. Through a routine test, it was discovered that Kiip was regularly collecting data from an undisclosed exercise app.

“While similar in content to VRTCAL, the Kiip case is a continuation of the Accountability Program’s enforcement of the Cross-Device Guidance. These rules outline the industry standards for privacy when tech companies collect data across multiple devices associated with a single user, such as a laptop, smartphone, and tablet,” stated the release.

To abide by the DAA’s regulations, Kiip modified its privacy policy to better explain to consumers that the company has the right to collect and distribute the user’s information across multiple devices. Kiip also included clearer instructions on how to opt out on the multiple devices used to power its cross-device IBA, while clarifying how to opt out of data sharing for mobile IBA. Kiip also updated its privacy policy and contract to better explain how it acquires precise location data.

“Kiip appreciated the fact that privacy policy changes are prospective, creating an engineering solution to put this into practice. Kiip now ties each unique ID to a privacy policy version to ensure that it will always apply the relevant data collection and use policies,” concluded the release.