First Party and Third Party Requirements – Mobile Apps

FIRST PARTY REQUIREMENTS FOR CROSS-APP DATA
(for mobile app providers)

Enhanced Notice (Clear, meaningful, and prominent real-time notice of collection or use of Cross-App Data)

• First Parties should provide a clear, meaningful, and prominent Enhanced Notice that links directly to a disclosure that:
  a) describes Cross-App Data collection and use practices,
  b) points to an easy-to-use Opt-Out Mechanism that meets DAAC specifications*
  or lists all Third Parties and links to their Opt-Out Mechanisms, and
  c) states adherence to the DAAC Principles.
• Enhanced Notice should be conspicuously displayed and provided:
  – before installation; or
  – as part of the download process; or
  – on first opening of an application; or
  – at the time Cross-App Data is first collected; AND, thereafter, a link to the disclosure should be provided in the app’s menu, settings section, or footer.

*An Opt-Out Mechanism that meets DAAC specifications include a link to the DAAC’s AppChoices tool youradchoices.ca/appchoices/, or an explanation of how to use the “Limit Ad Tracking” and “Opt Out of Ads Personalization” settings on iOS and Android, respectively.

THIRD PARTY REQUIREMENTS FOR CROSS-APP DATA
(For ad tech companies such as ad networks and data brokers)

Notice (Disclosure in privacy policy or accessible in app from which Third Party collects data)

• Usually found on Third Party’s own website, and accessible through any application from or through which it collects Cross-App Data,
• Describes Cross-App Data collection, use, and disclosure practices,
• Includes, or links to, an easy-to-use Opt-Out Mechanism, and
• States adherence to the DAAC Principles.

Enhanced Notice (Real-time notice of collection or use of Cross-App Data)

• A Third Party is responsible for providing Enhanced Notice when collecting or using Cross-App Data for IBA purposes on a First Party app. Where an ad is delivered using Cross-App Data, this is usually provided through “In-Ad Notice” – notice in or around an ad, typically using the AdChoices Icon and Text, that directs users to the Third Party’s disclosure of its IBA practices, and an Opt-Out Mechanism (see Third Party Requirements for Cross-App Data – Notice, above).
• Where Third Parties are collecting data for IBA purposes on a First Party’s app, Enhanced Notice is typically provided by the First Party (see First Party Requirements for Cross-App Data – Enhanced Notice, above). However, Third Parties should collaborate with First Parties to ensure the requirements are met.

Choice Mechanism (To exercise choice with respect to the collection and use of Cross-App Data)

• Opt-Out Mechanism must meet DAAC specifications and be included in, or linked to via First Party or Third Party Enhanced Notice.

FIRST PARTY REQUIREMENTS FOR PRECISE LOCATION DATA AND PERSONAL DIRECTORY DATA (PLD/PDD)
(For mobile app providers)

Notice (Disclosure in privacy policy or other similar location, accessible from First Party’s app)

• Found on First Party’s own website or accessible through any application from or through which PLD/PDD is collected or used for IBA purposes,
• Clearly describes First party’s practices relating to the collection and use of PLD/PDD for IBA purposes on its app, including collection and use of PLD/PDD by Third Parties via the First Party’s app,
• Includes instructions for accessing and using a tool to provide and withdraw consent for the collection and use of PLD/PDD, and
• States adherence to the DAAC Principles.

Enhanced Notice (Real-time notice of collection or use of PLD/PDD)

• Clear, meaningful and prominent notice provided as part of the download process, on first opening of an application, or at the time PLD/PDD is collected.
• Links to disclosure (First Party Notice) presented before an application is installed as part of the download process, on first opening of an application, or at the time PLD/PDD is collected AND in the applications settings or privacy policy.

Opt-Out Mechanism (To provide or withdraw consent to the collection or use of PLD/PDD)

• First Parties must obtain explicit consent to disclose PLD/PDD to Third Parties, and/or for Third Parties to collect and use PLD/PDD from or through First Party’s app, and provide a tool to withdraw such consent at any time.
• Tool to provide or withdraw consent should be easy to use.

THIRD PARTY REQUIREMENTS FOR PRECISE LOCATION DATA AND PERSONAL DIRECTORY DATA (PLD/PDD)
(For ad tech companies such as ad networks and data brokers)

Notice (Disclosure in privacy policy or other similar location)

• Found on Third Party’s own website in privacy policy or other similar location, and accessible through any app from or through which PLD/PDD is collected or used by the Third Party for IBA purposes,
• Clearly describes Third Party’s practices relating to the collection or disclosure of PLD/ PDD for IBA purposes,
• Include instructions for accessing and using a tool to provide and withdraw consent for the collection, use, and disclosure of PLD/PDD, and
• States adherence to the DAAC Principles.

Opt-Out Mechanism (To provide or withdraw consent re PLD/PDD)

• Third Party must obtain consent prior to collection, use, or disclosure of PLD/PDD, or ascertain that the First Party has obtained consent for Third Party’s data collection, use, and disclosure of PLD/PDD for IBA purposes.