You searched for:
The Cookie Jar

Mobile – Advertising

Mobile advertising and marketing comes in various forms. One of the earliest methods was SMS marketing where marketing messages are sent in text messages. MMS marketing then followed enabling the inclusion of more sophisticated creative content (such as images and sound clips) in mobile marketing communications. The increase in speed of mobile networks has now enabled video clips to be sent to users’ mobiles. Finally, with the development of smartphones and internet access from mobile devices, the display and targeting of advertising on mobile optimised sites and apps has become a substantial and ever-growing part of the mobile advertising industry.

This article discusses a small selection of the complex legal and regulatory issues which can arise in the context of mobile advertising.

Promoters of the Small Screen

Sales promotions such as free prize draws and competitions are a common way for advertisers to increase consumer engagement. Under Rule 8.17 of the UK Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing (the CAP Code), promoters are required to communicate to consumers all applicable significant conditions regarding a promotion (e.g. how to participate, start dates and closing dates etc). This of course presents somewhat of a technical challenge on a mobile due to the limited screen size.

Fortunately, the UK advertising rules acknowledge these kinds of practical difficulties. Under Rule 8.18 of the CAP Code, where there are significant space limitations, the advertiser is required to include as much information about the significant conditions as is practical. It must then direct consumers to an easily accessible alternative source (such as a website) where all the conditions of the promotion are prominently stated.

Another point to be aware of in the context of mobile promotions is the fact that running a random prize draw where consumers have to pay to enter may be deemed an illegal lottery and prohibited by the Gambling Act 2005. A common way to avoid this problem is to either structure the promotion as a skill-based competition (e.g. using a tiebreaker to select the winner) or by providing a free entry route. The important thing to note is that if entry to the promotion is via SMS, using a “premium-rate” number would not constitute free entry. Instead of a premium-rate number, promoters should provide any “text-back channel” at a standard network rate. Premium rate numbers are subject to regulation by PhonepayPlus and marketers should consult the PhonepayPlus Code of Practice for more guidance on the use of premium rate SMSs generally.

SMS Marketing

The practical limitations of mobile devices are also particularly significant when it comes to SMS marketing. Under the Privacy and Electronic Communications Regulations 2003 (the E-Privacy Regs) all “electronic mail” must, amongst other things, identify the sender and provide a valid “address” to which the recipient can send a request to opt-out.

The important point to note is that the E-Privacy Regs state specifically that “electronic mail” includes SMS. This means that each SMS needs to identify the sender and provide a valid opt-out address. However, when it comes to SMS marketing, compliance is less straightforward because a single SMS is only 160 characters. However, the ICO (the UK’s data protection regulator) has made it very clear that these types of practical limitations aren’t a sufficient excuse for non-compliance.

In practice, the obligation for the sender to identify itself in a marketing SMS isn’t particularly difficult. It just involves inserting the company name somewhere in the text. However, providing an “address” for opt-outs seems more difficult if you’re limited to 160 characters. This was especially the case because guidance from the ICO used to state that only a postal or email address would be compliant, the ICO’s concern being that “pay as you go” mobile phone users who don’t get an itemised bill might not have a permanent record of their opt-out message (i.e. if they wanted it as evidence to back up any complaint).

However, the ICO started to realise that people are far less likely to bother writing a formal letter or even sending an email and it’s far easier to text an opt-out to a short code number at the bottom of an SMS. Therefore, the current guidance from the ICO is that it’s now compliant to include a short code as a valid address provided using it doesn’t incur a premium-rate charge. An example of this could be: “2 STOP MSGS TXT STOP TO 99999”.

Bad Behaviour

Some people may think that the regulatory issues around online behavioural advertising stem from the setting of tracking “cookies” on users’ computers. This is partly true. However it’s important to be aware of certain other points in this area, particularly when it comes to mobile.

The origin of the regulatory issues around online behavioural advertising come from Regulation 6 of the E-Privacy Regs which states that “…a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements… are met.”
The first point to note is that there’s no reference to “cookies”. The relevant activity is “storing or gaining access to information stored”. The second point to note is that there’s no reference to computers or even “devices”. All the regulation says is: “terminal equipment”. Therefore, targeted mobile advertising will be captured by Regulation 6 to the extent it involves the collection of any kind of data from mobile users, such as for example the user’s “UDID” or any other kind of unique identifier from the user’s mobile device.

Regulation 6 continues that “the requirements are that the.. user… (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) has given his or her consent.

There has been much debate between the ICO and the industry about how to interpret the above regulation. The discussions have included solutions such as pop-ups, drop-down banners and tick boxes, or even whether notice and consent can be implied from a user’s continued use of a website. This debate has generally focused on the use of cookies set by websites. However, a particularly interesting legal/regulatory challenge in this area is how to assess the application of these notification and consent rules in the context of mobile devices. It will be interesting to see what happens when/if the ICO starts to turn its eyes to the behavioural targeting of mobile advertising which, although currently nascent, is a rapidly developing proposition. The key issue is the different screen size and user experience as between a computer and mobile phone. All the debates about privacy policies, notices and consent may need to be re-contextualised in accordance with this different user experience.

It is also worth being aware of the advertising industry’s self-regulatory solution involving an icon used on ads together with an opt-out mechanism (details can be found here: Whilst this may have received criticism from the European data protection regulators for not complying with the E-Privacy Regs’ consent requirements referred to above, it has been specifically endorsed by the ASA in the UK through the addition of a new appendix in the CAP Code.

However, at the time of writing, the rules under the CAP Code do not currently apply to mobile phones or other handheld devices (such as e-readers and tablets). The ASA hasn’t provided any specific reasons for this, merely stating in its guidance that the carve out is due to “technical reasons”. The ASA has said, however, that the rules will be extended to mobile phones and other handheld devices in time. Due to the smaller size of adverts appearing on a mobile screen there are obvious difficulties with how any icon would be displayed and it will be interesting to see what solution the industry comes up with.


Advertising can be a complex regulatory minefield. When advertising enters the mobile domain the legal issues can become even more complex. This article covers only a small selection of the potential issues that can arise (namely, CAP Code compliance when running mobile promotions, SMS marketing issues, and online behavioural advertising).

However, in addition to these issues, it’s worth noting that there are specific regulatory requirements regarding the collection of geolocation data – for more details on this see our article on location data here. Another important point to note is that where mobile advertising is served from within a mobile app, the terms and conditions of the relevant platform operator (such as Apple’s iOS or Google’s Android) will also apply. Apps are another story altogether – have a look at our A-Z of Apps for a range of the legal issues that can apply.