HL Chronicle of Data Protection Privacy & Information Security News & Trends

FTC Releases Mobile Privacy Report and Announces Settlement with Mobile App Operator

Today the FTC released Mobile Privacy Disclosures: Building Trust Through Transparency, a report containing recommendations for the mobile industry.  The report encourages mobile app platforms to play a significant role in providing consumers with privacy-related information, devoting more pages to recommendations for platforms than it does for developers, ad networks, third-party service providers, and trade associations combined.  The Commission’s report was informed by a May 2012 workshop focusing on mobile app transparency and the public comments that followed.

With one key exception, the FTC’s recommendations are generally in alignment with the California Attorney General’s recently released recommendations for the mobile industry, discussed in our recent blog post.  But in the Attorney General’s guidance, developers are tasked with primary responsibility for informing users about the data practices of apps.  The FTC report, on the other hand, recommends that platform providers take responsibility for providing certain privacy disclosures.

The FTC’s recommendations are intended to address the lack of consumer awareness and understanding of data collection and use practices, and the recommendations are meant to “accommodate dynamic, rapidly evolving technology and new business models.” Going forward, the privacy practices of all types of businesses engaged with mobile apps will be compared to the practices now endorsed by the FTC and California Attorney General.

FTC Concerns About Mobile Technologies

The report notes that mobile devices are more likely to be associated with one particular individual than are other technologies, and because mobile devices travel with individuals all day long, they “facilitate unprecedented amounts of data collection.”  This information may be shared with wireless providers, app developers, app platforms, device manufacturers, third-party service providers, and advertisers.  The Commission is concerned that consumers lack adequate information about what information is collected, how it is shared, and where they can turn for answers to their questions.  And if consumers are not educated about these issues, the report claims, the mobile marketplace may suffer due “to an erosion of trust.”

Recommendations for App Platforms

According to the Commission, platforms have considerable influence over app developers and can control how information is conveyed to consumers.  They are the “gatekeepers to the app marketplace.”  And because platforms benefit from the variety and functionality of apps appearing on their services, the FTC believes that platforms should take responsibility for informing consumers about certain data collection practices.  The report recommends that platforms take on the following obligations:

  • Provide understandable “just-in-time” disclosures before permitting apps to access sensitive data, including geolocation information, through application programming interfaces (APIs).
  • Obtain affirmative express consent from consumers before apps collect sensitive information, including photos, contacts, calendar entries, and audio or video content.
  • Develop privacy dashboards that inform users about the data collection and sharing practices of all the apps they have installed.
  • Develop privacy icons to readily convey key information about an app’s data collection and sharing practices.
  • Clearly disclose whether and how apps are reviewed prior to being made available in app stores.
  • Work with advertising networks to develop a Do-Not-Track mechanism that is easy to use, persistent, and effective; limits the collection of data, not just targeted advertising; and will allow users to make a universal decision to not be tracked.
  • Impose contractual privacy requirements on app developers, and enforce compliance with those requirements.

This last point – regarding the imposition of contractual obligations – raises important questions.  How far should platforms go in determining whether developers are living up to privacy promises?  Will the FTC hold platform providers liable if developers are not living up to those promises?  And will consumers be able to pursue platforms for failing to adequately oversee developers?  The report does make clear in a footnote that it is not imposing rules on participants in the mobile industry.  But platform providers may have good reason to fear that the recommendations could serve as the foundation for future enforcement actions.

Recommendations for App Developers

The FTC states that app developers play a “critical role” in informing consumers about mobile privacy practices.  The report contains four recommendations for developers:

  • Make privacy policies available prior to download.
  • Provide “just-in-time” disclosures when collecting sensitive information outside the platform’s API – developers may rely on the platform’s disclosures for collections occurring through the API.
  • Ensure that the data practices of ad networks and third-party service providers are transparently disclosed to users.
  • Participate in self-regulatory programs.

The self-regulatory programs, the FTC hopes, will provide guidance on how to create uniform privacy disclosures tailored to meet the requirements and specifications of mobile devices. In addition to these core four recommendations, the report also references the California Attorney General’s lengthier recommendations.

Recommendation for Ad Networks and Third-Party Service Providers

The report expresses concern that app developers lack adequate information about how third parties deliver advertising and provide analytics services within apps.  And if developers do not clearly understand how those third-party practices occur, they cannot fully and accurately disclose information about those activities to consumers.  The FTC therefore recommends that ad networks and analytics providers help developers understand how analytics and advertising work within apps.

Recommendations for App Trade Associations

To minimize confusion and allow meaningful comparisons of data practices, the FTC recommends that trade associations work to develop standardized privacy icons, badges, and/or short-form or layered privacy notices.  Trade associations are encouraged to collaborate with academics, privacy experts, and usability experts in designing these disclosure mechanisms.  Should trade associations or self-regulatory groups develop strong codes of conduct for privacy disclosures, like the one being developed in the NTIA multistakeholder process, “the FTC will view adherence to such codes favorably in connection with its law enforcement work.”

The report concludes by strongly encouraging the mobile industry to implement the above recommendations.  And the FTC indicates that it will continue its close monitoring of mobile privacy practices and developments.

The FTC also took the opportunity today to announce its settlement with Path, a social networking service, over allegations that its mobile app collected personal information without users’ knowledge and consent.  Path’s app allegedly automatically collected and stored personal information from users’ address books (e.g., names, addresses, contact numbers, email addresses, and usernames) even if they did not request that the app do so.  And the FTC claims that the app automatically collected this information even though the app’s privacy policy stated that it collected only certain information such as IP addresses, operating system and browser information, and site activity.  Path was also charged with violating the Children’s Online Privacy Protection Act Rule by collecting personal information from children under the age of 13 without parental consent.  Under the settlement, Path will pay an $800,000 fine and commit to establishing a comprehensive privacy program subject to independent privacy assessments over the next twenty years.  Path has deleted the information it collected unlawfully.

James Denvil, an Associate in Washington, contributed to this entry.