Mobile security firm Lookout has issued guidelines to help mobile ad providers and app developers standardize privacy practices for app-based mobile ads.  According to Lookout Chief Technology Officer Kevin Mahaffey, the guidelines are intended to provide guidance about what constitutes “acceptable behavior” in the mobile ad ecosystem, and to “fix this problem before it gets so big that it needs regulation.” 

Lookout’s guidelines are built on well-recognized privacy principles such as transparency, individual control, reasonable limits on data collection and retention, and security, but the guidelines also break new ground in that they focus primarily on the obligations of ad providers — i.e., ad networks, ad exchanges, and mobile ad mediation layers that manage ad delivery across a number of different ad networks. Other industry guidelines issued to date have been primarily geared toward app developers (including the EFF’s Mobile User Privacy Bill of Rights, CDT/FPF’s Best Practices for Mobile App Developers, and MMA’s Mobile Application Privacy Policy Framework) or directed at specific practices (such as the CTIA’s Best Practices and Guidelines for Location-Based Services). 

Among other things, Lookout’s guidelines suggest that ad providers should:

  • provide guidance to app developers around the privacy implications of their capabilities, preferably in a privacy policy template or other format that app developers can easily integrate into their apps;
  • work toward a cross-provider, persistent opt-out mechanism for both mobile web and mobile app advertising;
  • gain consent and provide attribution for ads delivered outside the context of an individual app, including opt-in consent for ads that modify browser or home-screen settings or that incorporate touch-to-call capability;
  • avoid collecting device identifiers that are tied to mobile subscriber IDs unless necessary to provide a service or feature;
  • gain user consent before accessing personal information like name, phone number, e-mail address, contacts, browser history, or fine-grained location information.

These new industry guidelines are part of a broader movement to develop best practices for privacy in the mobile space. The National Telecommunications & Information Administration will hold its first privacy multistakeholder meeting tomorrow to begin developing a code of conduct for mobile app transparency. The California Attorney General’s Office and the California Office of Privacy Protection are also convening an advisory group to develop best practices for mobile privacy generally and mobile privacy policies in particular.