Who: European Interactive Digital Advertising Alliance (“EDAA“) and the Interactive Advertising Bureau Europe (“IAB Europe“)
Where: EU
When: 1 March 2016
Law stated as at: 11 March 2016
What happened:
At the first ever EDAA Summit in Brussels on 1 March 2016, the EDAA and the IAB Europe launched the new “Mobile Principles”, finally extending the EASA Best Practice Recommendation on Online Behavioural Advertising (“OBA“) to the mobile space.
A bit of background…
In April 2011, IAB Europe and its members adopted the IAB Europe Framework for Online Behavioural Advertising (the “Framework“).
The EASA Best Practice Recommendation subsequently built on that Framework, allowing self-regulatory organisations in Europe to incorporate the key principles into their existing national advertising codes. The EU self-regulatory programme on OBA is administered by the EDAA. In the UK, its principles have been incorporated into Appendix 3 of the CAP Code.
Recognising the consumer trend away from the desktop environment to the mobile space, IAB Europe has created a set of recommendations on how the principles should be applied to the use of OBA on mobile devices. Those recommendations are set out in an addendum to the Framework (the “Addendum“).
What are the principles and who do they apply to?
The Framework is based upon seven key principles: notice, user choice, data security, sensitive segmentation, education, compliance and enforcement, and review.
The Addendum makes it clear that OBA delivered via mobile web browsers is fully covered by the Framework. Browser data is collected and processed in the same way, irrespective of the device used. Therefore, it is recommended that, in that context, the relevant mobile stakeholders follow the Framework to the same extent as in the desktop environment.
However, it also recognises that OBA on mobile devices involves the use of technologies other than cookies. Therefore, the scope of the Framework is extended to cover the collection and use of:
- “Cross-App Data” – data collected from a particular device regarding web viewing behaviours or mobile app use over time and across mobile apps;
- “Location Data” – data which is obtained from a device about the physical location of the device that is sufficiently specific to locate a specific individual or device, but does not include registration details, or general geographic information derived from an IP address; and
- “Personal Device Data” – calendar, address book, phone/text log, or any other data that is not created by or through the app provider or third party and that is stored on, or accessed through, a particular device or mobile app.
The Addendum explains that third parties should provide enhanced notice of the collection of Cross-App Data, Location Data and Personal Device Data for the purposes of online or mobile advertising based on user preferences or interests. If they do not do so, the app provider should provide adequate notice of any arrangements with third parties for the collection of those types of data.
The Addendum’s obligations will be relevant for a number of mobile stakeholders operating in the mobile advertising ecosystem; including networks, ad tech companies, data aggregators, Demand Side Platforms and Supply Side Platforms, as well as app providers. Each may have different roles and responsibilities under the Framework.
Why this matters:
The extension of the Framework’s principles to the mobile advertising industry reflects the essential tool that mobile advertising has become, and the need to retain a user’s respect when processing data for the purpose of service relevant advertisements.
Practices covered by the Framework and the new Addendum are also likely to be covered by a number of laws and regulations. In particular, data protection and privacy laws may apply where data collected or processed relates to an identified or identifiable individual. There have been significant developments in that area recently:
- agreement has been reached on the new General Data Protection Regulation (see our summary of the top 10 things adtech businesses need to know);
- the Information Commissioner’s Office (the “ICO“) is consulting on a revised privacy notices code of practice (see our update here);
- the ICO has also issued new guidance on the use of Wi-Fi location analytics (see our update here); and
- the ICO very recently published a blog post on issues it has found with mobile applications and privacy.
Compliance with the Framework and the Addendum does not guarantee compliance with those laws and regulations, but it may help.
As Nick Stringer, Chair of the EDAA Board, has said: “Whilst EU legislators have been discussing new data protection laws, advertising businesses and industry have been implementing practical ways to give users greater transparency and control over behavioural or interest based advertising“.
It is certainly a time of great change in the adtech world. We will keep you posted as and when further guidance and information becomes available.