Self-regulation is all the rage. With our governments almost constitutionally incapable of reacting fast enough to changing technology, we are left to police ourselves. Mobile developers and operators are told by regulators, day after day, that if you don’t clean up your act as a group, the regulators are coming and you don’t want them. So we run around as an industry and try to come up with rules for ourselves. And you need to pay attention to each one of them.
Today I am going to look at the newest piece of self-regulation. It is the Digital Advertising Alliance’s Application of Self-Regulatory Principles to the Mobile Environment.
A First Word – Duty of Care
These self-regulations are an attempt to fairly apply old, established law to a rapidly changing landscape. Self-regulations are a statement by at least a portion of your industry of what they think. Having been through a few of these efforts myself, I can say the result hardly ever represents the complete feelings of all the participants. No coalition ever has 100% agreement.
Let’s say you are one of those companies, or voices, that didn’t agree with how far the self-regulation went. Your own efforts do it differently, that gets you into trouble, and you find yourself on the receiving end of a lawsuit. You may find yourself on the losing end of that struggle. The self-regulation that you opposed has set the standard of reasonable care in your space. Failure to comply could violate your duty of care. That will be the argument. In other words, it doesn’t do you any good to swim differently than the other salmon going upstream.
So, let’s look at this self-regulation in just a little more detail.
Mobile Privacy, Digital Advertising Alliance July 2013
The Digital Advertising Alliance (DAA) is a grouping of advertising and marketing groups brought together to provide self-regulatory solutions. In 2009 they issued their Self-Regulatory Principles for Online Behavioral Advertising. In July they released their thoughts on the mobile marketplace and how their previous principles apply to the mobile environment.
The Mobile Principles do a good job of defining most of the terms that are associated with handling data on the mobile device. Because the DAA is a US-based organization, it is useful to note that, as a fundamental principle, their guidance is based on the idea that data collection, sharing and use is all about commercial benefit. The principles put no restrictions on data collection and use where the use is not directed back towards the person who provided the data. The principles call this market research, and it includes aggregated data.
I have a conceptual problem with the idea that de-identification and aggregate usage are exceptions to customer acceptable use. If you are sharing and using de-identified data, rise above the minimal “reasonable steps” language. My personal feeling is that your de-identification should be on par with the steps taken in the health care field.
The Mobile Principles also do a pretty good job of calling out specific areas of data (or information, if you will) that you need to protect. Personal Directory Data, Personally Identifiable Information and Precise Location Data form the core. Pay particular attention to the Location Data definition, as it punts on the issue of platform specifics.
Let’s look at how the DAA defines third parties. I am not so sure it is ever really clear when another provider has full control over a widget on your webpage. The Mobile Principles call it out, though. So if a widget or video player (using their language) is used to provide content, and from the consumer’s perspective they are directly interacting with that provider, they are no longer a third party. They are a first party. My personal feeling is this doesn’t really do the consumer any good and places a small burden on them. I don’t think we should be designing to the absolute lowest denominator. Mobile users’ propensity to engage with content makes this problematic, as they may not make the intellectual leap about who is collecting what data from them.
The DAA believes in transparency. It wouldn’t be a section heading if they didn’t, right? Transparency for the DAA includes “clear, meaningful and prominent notice.” Third parties also fall under this requirement, mainly because they collect and use data across multiple apps and first parties.
Notice around data collection, sharing and use should be provided before the application is installed, as part of the download/install process, the first time the application is opened, or when data is collected. Here is where the duty of care may come and bite you. Doesn’t it make sense, given that these four points in time are very specific, that you should use them as fence posts? Why yes, it does. So now that you know the fence posts are there, I think it would be advisable to put signs there.
Notices regarding data collection and use, most notably cross-app data, should be contained within the application’s settings, as well as any other location where settings are available.
What is not Transparent
What is not transparent is hiding. The Mobile Principles specifically say that the “requirement … to provide clear, meaningful, and prominent notice would not be satisfied by providing notice hidden in lengthy terms and conditions.”
Self-Regulation as a Concept – Lessons to be Learned
Old laws apply to new spaces. I have said that more than a few times here. The problem isn’t that we need new laws; the problem is the application of the laws. Their interpretation, if you will. This is where regulations come into play. The problem with governmental regulations is that, while faster than laws, they are still slower than the pace of technology. That’s where self-regulation comes into play.
Be careful, though, with what you sign up for. Self-regulation does have one problem. You have a group of entities with divergent needs. Getting agreement is sometimes problematic on its face. Once the principles are out there, though, you will be held to them. So, what is the lesson to be learned? Participate in the trade groups, pay attention to the trade groups and read. If you aren’t covered by the DAA’s principles, it is not too much of a leap to say that you may still be held to that standard as well.