Moving Beyond the Cookie – Privacy Best Practices for Using Device Recognition Technologies

Advertising in mobile, like desktop, is growing as app developers look for ways to monetize their apps and brands look for innovative ways to engage their customers across multiple screens. Additionally, ad networks and other data collectors continue to look for effective ways to collect data about consumer interests to provide more relevant advertising. Traditionally, interest data has been collected using cookie-based technologies that enable data to be collected over a period of time, and track a consumer’s preferences including their privacy preferences.

Now ad networks and other data collectors are using other types of device identifiers to collect data and provide relevant advertising for both desktop and mobile. These device identifiers help collect information about the attributes of a specific device, and therefore presumably the consumer’s related preferences, over time. Identifying a specific device through its attributes, previously known as “device fingerprinting,” is typically done without the consumer’s knowledge. The inherent nature of device recognition technology brings with it heightened privacy concerns. Among those concerns is whether consumer preferences, including privacy preferences, will be persisted and honored for that device.

To help alleviate these concerns, as more companies are using device recognition technologies for data collection, there is an increased need for companies to adhere to recommended best practices when implementing device recognition technologies. These best practices will a company, whether it is an ad network, app developer, publisher, or other data collector, adopt and implement device recognition technologies in a way that respects consumer privacy, and reduces risk to their brand reputation

Privacy Best Practices for the Collection of Data through Device Recognition Technology

1. Provide clear and conspicuous notice.
   • Disclose in your privacy policy that device recognition technologies are used to collect data about the consumer’s device. Explain to consumers how that data will be used (e.g. to provide behaviorally targeted ads, what controls the consumer has over how that data is used, and how long the data is retained).
   • Provide enhanced notice, such as in ad notice that is available outside of the privacy policy. Self-regulatory guidance, such as the DAA’s Self-Regulatory Principles for Online Behavioral Advertising, outlines how companies can deliver this notice.
   • Make the privacy policy and enhanced notice easily accessible – clearly label and identify this information to make it easy for consumers to find.
2. Provide access to a mechanism where consumers can express their privacy preferences.
   • Clearly communicate what a preference is and what it means to consumers. For example, if a consumer opts-out of receiving targeted advertising, explain to the consumer that they will still see ads, but no longer see targeted ads.
   • Apply the consumer’s preferences to a device encompassing both apps and web where technically feasible. Privacy management tools should be intuitive, reliable, and easy-to-use. If the consumer needs to take additional steps to apply their preference across the whole device, the consumer needs to be provided with conspicuous notice and instruction on how to set these preferences.
3. Preferences are persistent and shall be honored until the consumer expresses a new preference.
   • Make privacy management tools easily accessible for a consumer to change their preference at any time.
   • Recognize a consumer’s expressed preference, including those preferences indicated through any industry recognized standardized choice platform or browser preference management tools. It should be honored and persisted across devices/platforms.
   • The mechanism for recognizing the consumer’s preference needs to be deterministic to persist the preference, and this also applies in the case where device identifiers are generated using statistical algorithms.
4. Communicate the consumer’s preferences to your partners.
   • Honor the consumer’s privacy preference by communicating preferences to all partners involved in using data collected through device recognition technology to ensure the consumer’s preference is persistent.
5. Collect only the data you need.
   • Limit data collection to what is reasonably useful to fulfill the purpose for which it was collected.
6. Only use collected data for the purposes stated in your privacy policy or other privacy notices such as an in-ad notice.
   • Provide the consumer with clear and conspicuous notice and request consent if the data will be used for a new purpose that is not stated in your privacy policy or other privacy notice.
7. Review contractual obligations associated with partner’s use of data collected through device recognition technologies.
   • Restrict how your partners use the data that they receive from you. For example, partners should not be able to use the data to make decisions that may have an adverse effect on the consumer such as determining credit eligibility or targeting advertising to children under the age of 13.
8. Review retention policies and disclose how long data is retained in your privacy policy.
   • Assess your data retention policy. Determine how long data persists and if it is archived and retained beyond its usefulness and is no longer needed to fulfill your business purposes or meet legal requirements. How long you retain collected data may also be dependent upon the type of data collected. For example, if statistical identifiers are used to recognize a device, the shelf life of the data’s usefulness is short since device attributes change frequently. In this case a short retention period of 180 days should be sufficient versus a 13-month retention period associated with deterministic identifiers.
   • Include information in your privacy policy on how long your company retains the information it collects.
9. Review security practices including how data is transmitted and stored.
   • Take commercially reasonable measures to protect the data you collect. Those measures should be appropriate for the size of your business and the level of sensitivity data collected and stored. If sensitive data such as precise geo-location information is being collected, that should be transmitted and stored using encryption technologies such as SSL.
10. Be accountable for your practices.
    • Say what you do and do what you say. Review your privacy policy annually to ensure that it is up-to-date and accurately reflects your current data collection practices. When designing new products and services that involve new collection of data or new uses of data that you have collected, review your privacy policy and practices around data collection during this design phase. Through this process, you can ensure any new data collection and use practices are accurately disclosed, and if necessary consumers are provided notice and choice.