• by Wendy Davis  @wendyndavis, July 14, 2016

Apps developed by Sega and Aetna's iTriage violated the industry's mobile privacy code, a watchdog administered by the Better Business Bureau said Thursday. Sega also may have violated the Children's Privacy Online Protection Act, according to the BBB's Online Accountability Unit.

Insurance giant Aetna's iTriage health app allegedly allowed third parties to collect a wealth of data from users -- including unique identifiers and precise location data. iTriage allegedly didn't adequately notify users about data collection and behavioral advertising, or obtain their opt-in consent before enabling the collection precise location data.

The self-regulatory group Digital Advertising Alliance's mobile privacy rules require app developers, ad networks, and other mobile ad companies to obtain consumers' explicit permission before gathering their geolocation information. The DAA also requires mobile app developers to notify consumers about data collection across apps, and about how to opt out of receiving behaviorally targeted ads.

iTriage agreed to revise its privacy notices, and to stop allowing third parties to collect "precise" location data, but is still allowing companies to collect "coarse" location data. Aetna also told the BBB that iTriage doesn't currently allow third parties to use any of the health-care-related data on the app.

The BBB's investigation separately revealed that Aetna has "imminent plans" to launch its own online behavioral advertising campaign -- presumably to retarget people who visit Aetna's online sites. The Online Accountability Unit's opinion, issued today, doesn't elaborate on Aetna's plans, other than to say the company will take "prophylactic steps ... to provide transparency and consumer control on the iTriage App and the Aetna website."

Sega, which developed the Sonic Runners game app (to be shut down later this month), allegedly allowed ad networks and other third-party ad companies to collect data that could be used for online behavioral advertising -- including persistent identifiers tied to Androids and iPhones. The app also allegedly collected information about users' precise locations.

The Online Accountability Unit said Sega violated the industry's code by failing to notify users about their ability to opt out of behavioral advertising, and failing to obtain people's opt-in consent before allowing third parties to collect location data.

The Sonic Runners app also allegedly allowed third parties to collect device information and location data from users who said they were under 13, according to the BBB.

The federal Children's Online Privacy Protection Act requires companies to obtain parental consent before collecting unique identifiers from users known to be under 13.

The Online Accountability Unit says Sega has revised the Sonic Runners app to prohibit third parties from collecting data for behavioral advertising purposes. Sega also reportedly said it will aim to "identify any historical COPPA violation(s) and take the appropriate steps needed to remedy any issues that are found," according to the BBB.