Mobile Marketing Association Releases Final Version of Mobile Application Privacy Policy Framework

Posted on February 1, 2012 by Kevin Khurana

After introducing a draft of its Mobile Application Privacy Policy Framework (“Framework”) in mid-October for public comment, the Mobile Marketing Association ("MMA") recently released the final version of the Framework.  

The Framework provides a general starting point that application developers can refer to when drafting their application privacy policies. The Framework includes model language to address the following questions and topics regarding the application’s and developer’s privacy practices:

 

What information does the Application obtain and how is it used?

  • The MMA bifurcates this section into “User Provided Information” (e.g., information provided during registration) and “Automatically Collected Information” (e.g., mobile device’s unique device ID and the IP address of the mobile device).

 Does the Application collect precise real time location information of the device?

  • This section is applicable to companies that collect “precise, real-time locational information.” Developers that collect such information should indicate how such information is used and, if applicable, opt-out options. Even if such information is not collected, the MMA recommends including a statement to that effect.

 Do third parties see and/or have access to information obtained by the Application?

  • This section will be unique to the developer and application. In addition to disclosing to whom and in what circumstances information is disclosed to third parties, the MMA states that, generally, developers reserve the right to transfer information in the event of a sale of the application. 

 Automatic Data Collection and Advertising

  • This section is intended to address applications that are ad supported. The MMA provides model language to address situations where a third party ad network obtains data for the purpose of ad targeting. 

 Where are my opt-out rights?

  • This section will be unique to the developer, the application and the ad network utilized by the application, if applicable. The MMA provides an example that gives the user the following opt-out options: (a) opting out from all information collected by uninstalling the application; (b) opting out from the use of information for serving targeted ads; and (c) opting out from locational data collection.  

 Data Retention Policy, Managing Your Information

  • This section is intended to communicate how long the developer will retain User Provided Data (the MMA has included “for as long as you use the Application and for a reasonable time thereafter.”) and allow users to contact the developer directly with notice to delete such data. 

Children

  • This section is intended to address compliance with the Children’s Online Privacy Protection Act.   Even if the developer doesn’t need to comply with the act because the act is not applicable to the application, the MMA recommends including language that states the developer doesn’t knowingly solicit information or market to children under the age of 13. 

 Security

  • This section is intended to provide an overview to the user of the developer’s security procedures and will be unique to the developer. The MMA has stated that “developers should ensure that their security procedures are reasonable.”

 Changes

  • This section is intended to afford developers the flexibility to modify their privacy policy. The MMA notes that material changes to privacy practices generally require a user’s prior consent.

 Your Consent

  • This section is intended to capture the user’s consent to have his/her data processed, collected and disclosed as set forth in the privacy policy. The MMA’s proposed language also geographically limits where activities related to data collected from users may occur to the United States.

 Contact Us

  • This section is meant to provide email access to the developers of the application should a user have privacy questions or concerns.

While the Framework is not meant to set forth rigid parameters for developers to operate within, they do provide valuable guidelines that will assist most developers, with the help of their lawyers, to create a mobile application privacy policy that users will understand. However, it should be noted that the developers mustn’t simply rely on the language provided by the MMA; they must still draft a privacy policy to address their unique, application-specific privacy practices. Inaccurate or deceptive privacy policies are subject to actions by the Federal Trade Commission, state attorneys general and other regulators. 
Tags: , , , , , , , , ,

Consumer Advocacy Groups Request Federal Trade Commission Action To Stop Perceived "Threat" From Mobile Marketing

Posted on January 20, 2009 by Proskauer Rose LLP

In a year when behavioral advertising was already expected to be at the top of the hot button privacy issues list, on January 13, 2008, the Center for Digital Democracy (“CDT”) and U.S. Public Interest Research Group (“US PIRG”) filed a document with the Federal Trade Commission (“FTC”) urging the FTC to investigate online mobile marketing practices, to take new actions to stop mobile marketing activities that “abuse consumer rights,” and to recommend new federal legislation and enhanced enforcement power for the FTC in this area. The document expands on the groups’ concerns about online behavioral advertising generally – the delivery of ads tailored to consumers’ interests based on browsing habits and/or consumer demographics – to the mobile space. In doing so the groups cite the potential for even greater consumer harm because of the additional possibility of location-based targeting linked to a cell phone or other mobile device that is typically tied to a single consumer who uses it for multiple applications, including voice, video and data.      

In urging FTC action, the groups’ lengthy 52-page submission focuses primarily on media reports and the marketing literature of a large number of mobile marketing companies that tout the behavioral marketing capabilities of mobile technology.  The document also acknowledges the widespread consumer benefits mobile behavioral advertising offers, including making “rich media, free offers, personalization capabilities, and discounts” more broadly available. Despite its extensive cataloguing of the vast potential for effective targeted mobile marketing, the document is short on specifics as to how these practices currently harm or are likely to harm consumer privacy or constitute unfair or deceptive trade practices under Section 5 of the FTC Act. The group includes very limited specific allegations – against only Bango Analytics, Marchex and AdMob – that relate primarily to insufficient consumer notice.              

 The advocacy groups’ filing follows the FTC’s late 2007 release of draft self-regulatory principles for online behavioral advertising discussed previously at this blog here. At that time, the FTC recognized the benefit to consumers of receiving advertising more tailored to consumers’ interests and the role advertising dollars play in supporting new, innovative and free content. During 2008, the FTC accepted comments on its draft principles and is expected to issue final guidelines in the coming months. Also during 2008, state legislatures and Congress also became involved in the behavioral advertising debate as covered in this blog here and here. Meanwhile, also on January 13, 2009, the American Association of Advertising Agencies, Association of National Advertisers, Direct Marketing Association and Interactive Advertising Bureau jointly announced plans to develop enhanced self-regulatory industry guidelines for online behavioral advertising.

 

The CDT and U.S. PIRG filing will undoubtedly stir further debate as to whether the current regime consisting of (a) the forthcoming FTC self-regulatory online behavioral marketing principles, (b) case by case enforcement of unfair or deceptive trade practices under existing FTC authority, and (c) industry self-regulatory standards such as those adopted by the CTIA, and Mobile Marketing Association and expected from other industry groups, is sufficient to protect consumers in the vibrant, competitive marketplace of mobile communications where transparency and choice can be a selling point. We will continue to update our readers on these issues as the year unfolds.
Tags: , , , , , , , , , , , , , , , , , , , , , ,

One Reputable Retailer Takes a $7M Hit On Text Messages

Posted on October 31, 2008 by Kristen J. Mathews

On September 10, 2008, Timberland Company, an outdoor clothing and shoe merchant, along with co-defendant ad agencies GSI Commerce Inc. (“GSI”) and AirIt2Me Inc. (“AirIt2Me”), settled charges brought under the Telephone Consumer Protection Act (“TCPA”) arising from unsolicited text messages advertising Timberland’s holiday sale.  Pursuant to the settlement, Timberland must employ best practices in future marketing, and must pay $7 million into a fund for distribution to the class.  Prior to any future mobile marketing campaign, GSI agreed to circulate to its marketing personnel a copy of the Mobile Marketing Association’s Consumer Best Practices guidelines, and to establish meaningful training and compliance checks in connection with those guidelines. Additionally, the defendants must pay class counsel a maximum amount of $1,750,000.  The settlement has been agreed to by all parties, but is still subject to final approval by the court.
 

The event underlying the action was a mobile marketing campaign.  The plaintiffs alleged that Timberland contracted with AirIt2Me and GSI for the promotion of a holiday sale in 2005.  As a part of the promotion, Timberland, by and through these agents, allegedly sent thousands of unsolicited SMS text messages to potential customers' cell phones.  Two recipients of the text message initiated a class action alleging violation of the TCPA, which prohibits unsolicited voice and text calls to cell phones, using an auto-dialing system, unless the recipient has given prior consent.  The statute also prohibits companies from initiating telephone solicitations to individuals on the national Do-Not-Call list, unless the individual has given prior express consent or has an established business relationship with the company.


Any company engaging in a mobile marketing campaign should utilize a strategy that meets its business objectives, but also takes the appropriate steps to protect itself from potential liability under the applicable laws.  In the case of text messages, a company must obtain an “opt-in” to send messages to a mobile device.  This settlement illustrates the high pay-outs that can result from legal actions.  Violations of the TCPA can result in statutory damages of $500 per violation (i.e., for each individual text message).


When undertaking these types of campaigns, companies must comply with both the TCPA and the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM”), as well as the various state laws that apply to mobile promotional messaging.  All of these laws require companies to obtain express consent from individuals before sending promotional messages to their wireless devices.  In addition to these statutes, both the Mobile Marketing Association and the Wireless Association have best practice guidelines to provide companies with guidance in crafting marketing policies.  Companies should review their mobile marketing policies to ensure they are compliant, and should distribute these policies to all applicable employees and agents.  In addition, when utilizing any third-party agent to facilitate mobile marketing campaigns, a company should require that the agent is complying fully with the applicable laws and regulations.  Any contracts with third-parties should include warranties and indemnification as to these requirements.
Tags: , , , , ,

Emerging Standards For Mobile Marketing

Posted on June 10, 2008 by Kristen J. Mathews
Many B2C companies are beginning to explore marketing to consumers’ wireless devices using text messaging (“SMS,” or “short message service”) and MMS messaging (“Multi-media Messaging Service”). They may even target their promotions based on where the recipient is physically located using the wireless device’s GPS technology. They also may target their promotions to teens and tweens. What legal issues should companies be aware of as they navigate through this relatively new area?
This question is very timely, as mobile marketing has received a lot of attention from regulators and industry organizations in the last few months.

Statutes. Statutorily, we have two federal laws that apply to mobile messaging: the Telephone Consumer Protection Act (the “TCPA”) and the Controlling the Assault of Non-Solicited Pornography and Marketing Act (the “CAN-SPAM Act”). Each of these laws apply to mobile promotional messaging, depending on the technology used to send the messages. We also have a host of state laws that apply, either expressly or implicitly, to mobile promotional messaging. In summary, the laws require that companies obtain express consent from individuals before sending promotional messages to their wireless devices. In some cases, specific consent language is required.

Mobile Marketing Association Guidelines. In addition to statutes, we also have various industry standards that apply to text messaging campaigns. The Mobile Marketing Association (MMA), for example, has a set of Consumer Best Practices Guidelines for mobile marketing, which is incorporated by reference into the carrier agreements under which short codes are issued by carriers to companies that want to launch text messaging campaigns. These best practices provide, among other things, requirements for consumer notices, consent and opt-out rights.
 
Wireless Association Standards for Location-based Marketing. The CTIA (The Wireless Association) recently issued a set of best practices that provide for, among other things, consumer notice and consent for location-based marketing, and consumer choice for sharing of location information with third parties. These guidelines also address retention and security of location-based information, abuse reporting and public self-certification of compliance with the best practices. (Self-certification, in itself, presents its own set of legal issues.)
 
Federal Trade Commission. Just this past May, the Federal Trade Commission (FTC) hosted a public town hall meeting, “Beyond Voice: Mapping the Mobile Marketplace.” Topics discussed included the evolution and future of mobile marketing, location-based marketing, consumer disclosures and consents, the challenges of small PDA screens for consumer notifications, teen and tween-targeted campaigns, parental controls and security issues with respect to data stored on mobile devices. Also in May, two consumer advocacy groups (the Center for Digital Democracy and the U.S. Public Interest Research Group) announced their plan to file a complaint with the FTC, asking it to examine behavioral advertising via mobile devices and to promulgate special rules regulating mobile marketing to children and teens.
 
It is reasonable to anticipate that the FTC will ultimately issue either guidelines or rules which apply to mobile marketing campaigns, in an attempt to set forth uniform requirements for mobile marketing. Until then, companies must navigate and synthesize the various sources of applicable laws and standards, and derive an approach that meets their business objective while avoiding backlash from the media, the industry, the wireless carriers and consumers.
Tags: , , , , , , ,