Director of Product Policy | TRUSTe
Advertising in mobile, like desktop, is growing as app developers look for ways to monetize their apps and brands look for innovative ways to engage their customers across multiple screens. Additionally, ad networks and other data collectors continue to look for effective ways to collect data about consumer interests to provide more relevant advertising. Traditionally, interest data has been collected using cookie-based technologies that enable data to be collected over a period of time, and track a consumer’s preferences including their privacy preferences.
Now ad networks and other data collectors are using other types of device identifiers to collect data and provide relevant advertising for both desktop and mobile. These device identifiers help collect information about the attributes of a specific device, and therefore presumably the consumer’s related preferences, over time. Identifying a specific device through its attributes, previously known as “device fingerprinting,” is typically done without the consumer’s knowledge. The inherent nature of device recognition technology brings with it heightened privacy concerns. Among those concerns is whether consumer preferences, including privacy preferences, will be persisted and honored for that device.
To help alleviate these concerns, as more companies are using device recognition technologies for data collection, there is an increased need for companies to adhere to recommended best practices when implementing device recognition technologies. These best practices will a company, whether it is an ad network, app developer, publisher, or other data collector, adopt and implement device recognition technologies in a way that respects consumer privacy, and reduces risk to their brand reputation
Privacy Best Practices for the Collection of Data through Device Recognition Technology
- Provide clear and conspicuous notice.
- Provide access to a mechanism where consumers can express their privacy preferences.
- Clearly communicate what a preference is and what it means to consumers. For example, if a consumer opts-out of receiving targeted advertising, explain to the consumer that they will still see ads, but no longer see targeted ads.
- Apply the consumer’s preferences to a device encompassing both apps and web where technically feasible. Privacy management tools should be intuitive, reliable, and easy-to-use. If the consumer needs to take additional steps to apply their preference across the whole device, the consumer needs to be provided with conspicuous notice and instruction on how to set these preferences.
- Preferences are persistent and shall be honored until the consumer expresses a new preference.
- Make privacy management tools easily accessible for a consumer to change their preference at any time.
- Recognize a consumer’s expressed preference, including those preferences indicated through any industry recognized standardized choice platform or browser preference management tools. It should be honored and persisted across devices/platforms.
- The mechanism for recognizing the consumer’s preference needs to be deterministic to persist the preference, and this also applies in the case where device identifiers are generated using statistical algorithms.
- Communicate the consumer’s preferences to your partners.
- Honor the consumer’s privacy preference by communicating preferences to all partners involved in using data collected through device recognition technology to ensure the consumer’s preference is persistent.
- Collect only the data you need.
- Limit data collection to what is reasonably useful to fulfill the purpose for which it was collected.
- Review contractual obligations associated with partner’s use of data collected through device recognition technologies.
- Restrict how your partners use the data that they receive from you. For example, partners should not be able to use the data to make decisions that may have an adverse effect on the consumer such as determining credit eligibility or targeting advertising to children under the age of 13.
- Assess your data retention policy. Determine how long data persists and if it is archived and retained beyond its usefulness and is no longer needed to fulfill your business purposes or meet legal requirements. How long you retain collected data may also be dependent upon the type of data collected. For example, if statistical identifiers are used to recognize a device, the shelf life of the data’s usefulness is short since device attributes change frequently. In this case a short retention period of 180 days should be sufficient versus a 13-month retention period associated with deterministic identifiers.
- Review security practices including how data is transmitted and stored.
- Take commercially reasonable measures to protect the data you collect. Those measures should be appropriate for the size of your business and the level of sensitivity data collected and stored. If sensitive data such as precise geo-location information is being collected, that should be transmitted and stored using encryption technologies such as SSL.
- Be accountable for your practices.