Frequent readers of this blog may have noticed a significant increase in federal and state regulatory scrutiny over privacy and data security concerning mobile applications over the last year. This has included FTC enforcement actions against mobile applications such as W3 Innovation and, more recently, the action against Path discussed below and a variety of actions by California AG Kamala Harris, including warnings to mobile app developers to post privacy policies, a lawsuit against Delta Airlines for failing to heed that warning, and the release of best practice recommendations to mobile app developers and others in the mobile industry to protect consumer privacy. We also have seen developments concerning mobile security, including NIST’s Guidelines on Hardware-Rooted Security in Mobile Devices and the introduction of the Mobile Application Privacy Protection Act by Representative Hank Johnson.
Now the FTC has joined the fray with its own best practice guidelines for the mobile industry, which represent the last major action for FTC Chairman Jon Leibowitz, who will be leaving the Commission on February 15. The Staff Report, Mobile Privacy Disclosures – Building Trust Through Transparency, is a follow-up to an FTC conference in May 2012 concerning advertising and privacy disclosures in the digital world. While the Mobile Privacy Report is not binding law, it provides important recommendations to the various players in the mobile marketplace, including operators of mobile platforms such as Amazon, Apple, Blackberry, Google and Microsoft, app developers, advertising networks, analytics companies and app developer trade associations. The recommendations focus on ensuring that consumers are provided with “timely, easy-to-understand disclosures” concerning the data that is collected and how it is used by the various players in the app ecosystem.
According to FTC senior attorney Lesley Fair, the top five takeaways from the Report are:
- Disclosures to app users must be clear and provided “just-in-time”; before apps collect sensitive information, such as geo-location, photos, calendar entries, or the recording of audio or video content, they should obtain affirmative express consent from users;
- Platforms must play a critical role in improving mobile privacy disclosures;
- A Do-Not-Track mechanism would allow mobile users to decide whether they can be tracked by ad networks and others as they navigate among different mobile apps;
- Various players in the mobile industry must do a better job of educating consumers about how information is collected, used and shared; and
- Consumers need the benefits of short-form disclosures and standardized privacy policies that will allow users to “comparison shop” among apps.
The Report makes clear the FTC’s belief that platform providers are key players in ensuring consumer privacy as they “are gatekeepers to the app marketplace and possess the greatest ability to effectuate change with respect to improving mobile privacy disclosures.”
The FTC also suggests that app developers consider participating in self-regulatory programs, trade associations and industry organizations for guidance on how to implement short-form privacy policies. As for advertising networks and other third parties, the FTC recommends that these parties communicate with app developers to ensure that consumers are provided with truthful disclosures concerning behavioral advertising and to work with mobile platforms on implementing a Do-Not-Track mechanism.
Along with the Staff Report, the FTC also announced a significant settlement with Path, a social network app. The FTC claimed that Path collected personal information from users’ address books without notice and consent and violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from 3000 children under 13 without parental consent. According to Chairman Leibowitz, the deception involving kids in this case was a red flag to the FTC and influenced its focus on this investigation, enforcement proceeding and ultimate settlement. Path agreed to pay an $800,000 fine to settle the charges that it violated COPPA, a reasonable settlement considering it could have been on the hook for up to $48 million, based upon COPPA’s statutory damages of up to $16,000 for each violation.
The Path settlement, along with the Staff Report and all of the other developments in the mobile space, demonstrates how mobile privacy has become a significant focus for regulators. All companies in the mobile application space should consider these developments in connection with both existing and new mobile applications.