WiFi Dreaming: App Publishers Amend Privacy Practices

Arlington, VA – October 24, 2019 – The Digital Advertising Accountability Program released the results of two reviews of popular mobile apps that allowed ad tech companies to collect device and behavioral data from their users without first meeting industry privacy standards. Both companies, WiFi Map LLC and Ipnos Software Inc., eagerly adopted the Accountability Program’s recommendations and came into compliance with the Digital Advertising Alliance’s Self-Regulatory Principles.

The BBB National Programs’ Accountability Program examines popular mobile apps for compliance with the DAA Principles, which chiefly focus on providing extra insight into and options about targeted online ads. In the course of its monitoring efforts, the consumer privacy program developed concerns with WiFi Map and Ipnos’s Relax Melodies.

“These app publishers obviously care a lot about their apps, and they want to do the right thing for their users. But in both cases, we noticed that some privacy issues had made it out of development and into production,” said Jon Brescia, VP of the Accountability Program. “Once we got in touch, both Ipnos and WiFi Map really demonstrated that they were highly responsible and user-focused, and they implemented all of our recommendations in record time.”

Don’t Doze on Data Privacy

Ipnos is a Canadian wellness app developer whose products focus on healthful activities like meditation, relaxation, and improving sleep. While examining Ipnos’s app, Relax Melodies, the Accountability Program found ad tech companies collecting unique IDs to facilitate ad targeting. But the app lacked up-front, or “enhanced,” notice of this fact, and its privacy disclosures didn’t explain how consumers could opt out of targeted ads. Consequently, the Accountability Program reached out to Ipnos with questions about its observations.

Once contacted, Ipnos acknowledged the Accountability Program’s test results and immediately committed to full compliance with the DAA Principles. The company updated its privacy policy to include an enhanced notice jump link and an opt-out tool, all accessible from the privacy links in its app store listings and app settings menus. Now, users of Ipnos’s apps have knowledge about targeted advertising that occurs as a result of their app usage.

Ipnos’s case demonstrates the global interoperability of the DAA Principles, expressed in this instance by a Canadian company—subject to Canadian privacy laws—adopting the best practices embodied in this code. This is further proof that the core concepts of transparency and choice can be applied to across national barriers, adapting to the new regulatory contours presented by each jurisdiction.

Maps & Legends

Today’s second case concerns the mobile hotspot crowdsourcing app WiFi Map, produced by a company of the same name. The Accountability Program discovered online ad companies collecting device IDs and extremely precise geospatial coordinates through the app. The app did the responsible thing and asked for users to provide consent for the collection of the location data, but the disclosure never mentioned that third parties might get the data for ad purposes. WiFi Map’s privacy disclosures also did not describe an easy-to-use mobile opt-tool, and the company did not provide any enhanced notice links for IBA or location data collection. After learning of these issues, WiFi Map quickly worked with the Accountability Program to remedy them by:

  • Updating its privacy policy to include an enhanced notice jump link that takes users to information about IBA
  • Updating its notices to provide consumer opt-out tools
  • Engineering a patch to its mobile app to provide users with robust up-front disclosures, specifically including ad partners’ use of location data for IBA
  • Adding a statement of adherence to the DAA Principles to its privacy policy

These changes more than eliminated the Accountability Program’s concerns and brought WiFi Map into full compliance with the DAA Principles.

If the Accountability Program’s 107 prior actions weren’t enough of an indication, today’s cases—the 14th so far this year—demonstrate that this privacy enforcer is always combing the internet for compliance concerns.

Companies would do well to review their privacy policies and practices—particularly around sensitive data like location—and to reach out to the Accountability Program before it contacts you.