Factual’s commitment to privacy, transparency, and consumer control

A guide to understanding how Factual responsibly sources and uses data, while also adhering to regulations such as GDPR and CCPA

Factual’s products are powered by location data that is sourced and used responsibly. We are committed to protecting the privacy of consumers and upholding the trust that our partners place in us. We work hard to ensure we’re receiving only the best, highest-quality location data that is collected with needed consumer consent. We also have robust policies and practices in place to make sure that location data is used responsibly within our products.

Factual’s commitment to responsibly sourced data is best explained within three buckets: data collection, data storage, and data usage.

See below to find out more detail specifically on the steps we have taken for GDPR and CCPA.

Industry Organizations

 

Factual’s participation in more than a dozen industry committees and working groups affords us worldwide visibility into the latest legislative, regulatory, and industry developments regarding privacy issues.

Factual is a member of the Network Advertising Initiative (NAI), and we adhere to codes of conduct and principles laid out by both the NAI and the Digital Advertising Alliance (DAA). We work closely with these industry organizations and others, including the Mobile Marketing Association (MMA), the Interactive Advertising Bureau (IAB) US, IAB UK, and IAB Europe, to both understand and help architect industry best practices regarding privacy and data protection.

We are a founding member of the MMA Location Privacy Alliance, an organization which is working to shape self-regulatory guidelines that will address the inappropriate use of location data in sensitive situations, as well as a location data consent framework that offers consumers transparency, informed consent, and ongoing control of their choices.

Factual's Approach to Privacy

Data Collection

As the industry continues to embrace the need for increased transparency, consumer control and the responsible collection of data, it’s important that apps and publishers have a reasonable motivation for accessing and collecting location data that is ultimately beneficial to the consumer. Factual specifically seeks partners who gather location data responsibly, within apps where sharing location data makes sense to the user. 

Factual requires that our data suppliers share with us only location data provided with necessary consumer notice and consent. Partners are prohibited from sharing data with Factual if the user has not provided this required consent. We regularly engage in conversations with our partners about our data and data practices, and we conduct privacy audits among the companies that supply location data for Factual products.

Audit Program

We are in frequent communication with our data suppliers regarding privacy, and we know they want to uphold their compliance obligations. We also believe that consumers deserve notice and choice about data collection and usage, and that we should help ensure that is taking place. In order to help ensure that our data suppliers are upholding their obligations and honoring the strict contracts we’ve both agreed to, we are building a global audit program under the principle: “trust but verify.”

This audit program is a key component of our GDPR compliance work, and serves as a basis for our compliance strategy worldwide. When auditing our European data suppliers, we examined their own GDPR compliance programs, including any implementation of a consent management platform or the IAB’s Transparency & Consent Framework, and assessed whether proper, transparent notice and consent is being given and gathered at the point of collection in accordance with GDPR. 

We are now expanding this program to encompass suppliers around the world, including those in the United States, where our audit standards are informed by the California Consumer Privacy Act, Network Advertising Initiative Code of Conduct, and Digital Advertising Alliance Self-Regulatory Principles. This is all part of our commitment to responsible data sourcing.

Publisher Guidelines

While developing our robust GDPR-compliance program, we implemented a rigorous data supplier auditing program. In auditing 100+ app location collection and consent screens, we came to understand what works, what doesn’t, and what needs to be communicated to a user in order to ensure they are adequately informed about the collection and usage of their location data. 

Based on our learnings, Factual has developed a set of best practices for app publishers requesting location permissions from users, designed to apply globally. We have a more specific set of recommendations for collecting consent under the GDPR that we apply for countries in the EU.

Best Practices for Data Collection on Mobile Apps

At initial app launch, a consent screen should appear that communicates the following information:

  • The purposes for the data collection and processing should be conveyed clearly, succinctly, and transparently to the consumer
  • Notice that the app shares location data with third parties, sometimes called “trusted partners”
  • A link to the app’s privacy policy and text indicating that more information is available within the policy about data being collected and shared, as well as more information about the third parties with which data will be shared
  • An explicit option to provide or refuse consent
  • Consent buttons that are not designed to compel the consumer to give consent (e.g., the “Yes” button should not be green and huge and the “No” button tiny and grey – these are sometimes called “dark patterns”)

If location sharing permissions are granted, an additional screen should appear that conveys the following information:

  • In iOS (which allows for text in the location permission screen):
    • Text should describe the purposes for the location collection, and those purposes should be clear and transparent if data is being shared with third parties
    • Sometimes, we see apps that frame location collection as only for “improving the app,” which is not very transparent and not recommended
  • In Android: 
    • Android only allows for a Yes/No pop-up; additional text cannot be added
    • “Dark patterns” in button design should be avoided

Consumer Control + Opt-Out

It’s easy for consumers to opt out of the collection, use, and transfer of their location data for targeted advertising by Factual or other companies integrated within the DAA’s AppChoices app. We can also provide access to or delete individual device information for verified consumers upon request, in jurisdictions where this is required by law.

Data Storage

Storage and Data Transfer

Storing and transferring data in a secure manner is an important aspect of Factual’s privacy practices. Factual uses a variety of physical, managerial, and technical safeguards to preserve the integrity and security of all stored data. We encrypt data in transit and generally encrypt data at rest as well. Factual also has a number of information security policies that govern internal processes around data storage and use.

Factual takes steps to protect the data we process on behalf of our partners. Factual employs multiple data loss prevention (DLP) practices and solutions, including logged and indexed data access auditing, alerts for excessive data transfers, and firewall, VPN, and VPC software. Factual also often conducts risk assessments of processing and storage operations that involve partner data and information.

Employee Access and Use

Practices regarding employee access and use of data are a core component of Factual’s information security and privacy-focused approach to data storage. Factual upholds a framework wherein employees are granted the minimum level of access required to perform their duties. Factual imposes industry-standard written confidentiality obligations on our employees and contractors. Both our privacy and information security teams also provide internal trainings on managing data responsibly and in accordance with legal and contractual requirements.

Data Usage

Privacy by Design

Since our founding, Factual has incorporated deep respect for privacy and data security into our policies and practices. Our products are designed with privacy in mind and our business has been built around compliance, security, and respecting data rights. Our product and privacy teams work closely together throughout the product development lifecycle to incorporate privacy into our products at the earliest stages.

All of the location data that powers Factual’s products is pseudonymized, meaning it is connected to a device and is not connected back to individual identities. Factual does not collect or store traditional personally identifiable information (PII), such as names, phone numbers, social security numbers, or email addresses, to build our products.

Policies

Minimum Thresholds

Factual has minimum thresholds in place for the provision of our products. These thresholds are designed to prevent the use of our services to advertise to small populations of devices. In keeping with our approach to “privacy-by-design,” these thresholds are implemented on both policy and technical levels.

Sensitive Places

Factual employs a strict policy designed to prevent the use of our services around sensitive locations. We are members of the DAA and NAI and consult these groups’ self-regulatory principles on sensitive places and follow their guidelines, as well as applicable laws and regulations such as the GDPR.

We do not segment or persistently identify users on the basis of inferences about certain characteristics such as sensitive health conditions, religion, sexual preference, immigration status, or status as active duty military personnel. Examples of sensitive places include specialty physicians’ offices, religious centers, domestic violence shelters, military locations, and LGBTQ centers, among others.

Privacy Review

Even when policies are consistently applied to protect privacy, questions about risk may arise. When this happens, a single perspective or viewpoint is often not enough to determine the right course of action. That’s why our privacy team leads reviews of specific deals and customer requests through an established, documented review process to make determinations about data protection and risk. Our internal committee includes stakeholders from many different parts of the organization so we can understand multiple perspectives on data use. This helps mitigate bias and groupthink around privacy and risk determinations.

Regulatory Guidelines

GDPR

On May 25, 2018, the General Data Protection Regulation (GDPR) went into effect, requiring businesses to take very specific steps to protect the personal data of individuals located in the European Union (EU). In April 2018, prior to the GDPR going into effect, Factual paused the collection of mobile device data that powered our Audience Targeting, Measurement and Insights products in Europe. At the time, Factual determined that historical data sourcing methods industry-wide were not yet aligned to meet the criteria outlined within the GDPR. We took a conservative, responsible approach, in line with how we have always operated as a business worldwide. We have always operated with the protection of consumer privacy at the forefront of our products and technology.

Throughout 2018 and 2019, Factual completed our implementation of systems and processes to reintroduce these products under the GDPR. We are now working with a select group of data suppliers, having vetted their compliance systems and processes to verify suppliers are providing data with needed consents from consumers. Factual is building a scalable, responsibly sourced pool of available data in order to provide our device data-based product suite in Europe in accordance with our privacy-focused approach. 

We require that data provided to us is collected with GDPR-compliant consent, and we are actively auditing the compliance practices of our data suppliers, both before they are approved to send us data and on an ongoing basis, to help ensure that our standards for responsible data collection are being met. We are prepared to fulfill data subject rights requests, including access and deletion, for verified data subjects. Factual is very supportive of the principles of transparency and consumer control that data subject rights promote.

In implementing our robust GDPR-compliance program, Factual is setting a new standard for responsible location data companies across Europe and beyond.

CCPA

On June 28, 2018, California passed the California Consumer Privacy Act of 2018 (CCPA), which will become effective on January 1, 2020. The CCPA as currently enacted will increase California residents’ rights of access to and control over their personal information. Factual will also provide access, deletion, and opt-out of sale capabilities to verified consumers across the United States.

Factual has already taken significant steps to prepare for the CCPA, and has started implementing a robust compliance plan. Among other steps, our implementation plan involves preparing to receive and respond to disclosure and deletion requests from verified consumers, and enhancing access to Factual’s existing mechanism for consumers to opt out of Factual’s disclosures of personal information for our products. We view the CCPA as an opportunity to further enhance our commitment to privacy in our products, services, and partnerships.