Today the FTC released Mobile Privacy Disclosures: Building Trust Through Transparency, a report containing recommendations for the mobile industry. The report encourages mobile app platforms to play a significant role in providing consumers with privacy-related information, devoting more pages to recommendations for platforms than it does for developers, ad networks, third-party service providers, and trade associations combined. The Commission’s report was informed by a May 2012 workshop focusing on mobile app transparency and the public comments that followed.
With one key exception, the FTC’s recommendations are generally in alignment with the California Attorney General’s recently released recommendations for the mobile industry, discussed in our recent blog post. But in the Attorney General’s guidance, developers are tasked with primary responsibility for informing users about the data practices of apps. The FTC report, on the other hand, recommends that platform providers take responsibility for providing certain privacy disclosures.
The FTC’s recommendations are intended to address the lack of consumer awareness and understanding of data collection and use practices, and the recommendations are meant to “accommodate dynamic, rapidly evolving technology and new business models.” Going forward, the privacy practices of all types of businesses engaged with mobile apps will be compared to the practices now endorsed by the FTC and California Attorney General.
FTC Concerns About Mobile Technologies
The report notes that mobile devices are more likely to be associated with one particular individual than are other technologies, and because mobile devices travel with individuals all day long, they “facilitate unprecedented amounts of data collection.” This information may be shared with wireless providers, app developers, app platforms, device manufacturers, third-party service providers, and advertisers. The Commission is concerned that consumers lack adequate information about what information is collected, how it is shared, and where they can turn for answers to their questions. And if consumers are not educated about these issues, the report claims, the mobile marketplace may suffer due “to an erosion of trust.”
Recommendations for App Platforms
According to the Commission, platforms have considerable influence over app developers and can control how information is conveyed to consumers. They are the “gatekeepers to the app marketplace.” And because platforms benefit from the variety and functionality of apps appearing on their services, the FTC believes that platforms should take responsibility for informing consumers about certain data collection practices. The report recommends that platforms take on the following obligations:
- Provide understandable “just-in-time” disclosures before permitting apps to access sensitive data, including geolocation information, through application programming interfaces (APIs).
- Obtain affirmative express consent from consumers before apps collect sensitive information, including photos, contacts, calendar entries, and audio or video content.
- Develop privacy dashboards that inform users about the data collection and sharing practices of all the apps they have installed.
- Develop privacy icons to readily convey key information about an app’s data collection and sharing practices.
- Clearly disclose whether and how apps are reviewed prior to being made available in app stores.
- Work with advertising networks to develop a Do-Not-Track mechanism that is easy to use, persistent, and effective; limits the collection of data, not just targeted advertising; and will allow users to make a universal decision to not be tracked.
- Impose contractual privacy requirements on app developers, and enforce compliance with those requirements.
This last point – regarding the imposition of contractual obligations – raises important questions. How far should platforms go in determining whether developers are living up to privacy promises? Will the FTC hold platform providers liable if developers are not living up to those promises? And will consumers be able to pursue platforms for failing to adequately oversee developers? The report does make clear in a footnote that it is not imposing rules on participants in the mobile industry. But platform providers may have good reason to fear that the recommendations could serve as the foundation for future enforcement actions.
Recommendations for App Developers
The FTC states that app developers play a “critical role” in informing consumers about mobile privacy practices. The report contains four recommendations for developers:
- Make privacy policies available prior to download.
- Provide “just-in-time” disclosures when collecting sensitive information outside the platform’s API – developers may rely on the platform’s disclosures for collections occurring through the API.
- Ensure that the data practices of ad networks and third-party service providers are transparently disclosed to users.
- Participate in self-regulatory programs.
The self-regulatory programs, the FTC hopes, will provide guidance on how to create uniform privacy disclosures tailored to meet the requirements and specifications of mobile devices. In addition to these core four recommendations, the report also references the California Attorney General’s lengthier recommendations.
Recommendation for Ad Networks and Third-Party Service Providers
The report expresses concern that app developers lack adequate information about how third parties deliver advertising and provide analytics services within apps. And if developers do not clearly understand how those third-party practices occur, they cannot fully and accurately disclose information about those activities to consumers. The FTC therefore recommends that ad networks and analytics providers help developers understand how analytics and advertising work within apps.
Recommendations for App Trade Associations
To minimize confusion and allow meaningful comparisons of data practices, the FTC recommends that trade associations work to develop standardized privacy icons, badges, and/or short-form or layered privacy notices. Trade associations are encouraged to collaborate with academics, privacy experts, and usability experts in designing these disclosure mechanisms. Should trade associations or self-regulatory groups develop strong codes of conduct for privacy disclosures, like the one being developed in the NTIA multistakeholder process, “the FTC will view adherence to such codes favorably in connection with its law enforcement work.”
The report concludes by strongly encouraging the mobile industry to implement the above recommendations. And the FTC indicates that it will continue its close monitoring of mobile privacy practices and developments.
James Denvil, an Associate in Washington, contributed to this entry.