All mobile app developers need to know that the federal government is stepping up its regulation of data privacy and truth-in-advertising for mobile apps. The Federal Trade Commission is now actively monitoring mobile applications’ compliance with data privacy and truth-in-advertising regulations, and the House Committee on Energy and Commerce is considering a new mobile device privacy bill.
This month, the FTC published Marketing Your Mobile App: Get It Right From the Start, a short guide that provides guidance to mobile app developers concerning deceptive claims and privacy requirements. More broadly, the FTC’s focus on mobile app developers sends a message that all such developers or distributors will be subject to investigation, irrespective of how small their company is. As far as the FTC is concerned, “once you start distributing your app, you have become an advertiser,” and you will be regulated as such. The guide stresses the importance of clear and conspicuous communication to users and instructs app developers to consider the legitimacy of their statements “from the perspective of average users, not just software engineers and app experts.” It goes on to caution against burying important information behind “dense blocks of legal mumbo jumbo” and “vague hyperlinks.”
This guide can be seen as part of the FTC’s current initiative to address concerns regarding the unique ability of mobile apps to access a user’s personal information (i.e., automatically capturing their precise geospatial location, phone number, contact lists, call logs, and other unique identifiers, stored on mobile devices). In February, the agency issued a report looking specifically at apps offered for children. The report, Mobile Apps for Kids: Current Privacy Disclosures are Disappointing, warned app stores, developers, and third-party service providers to be more transparent about the issues raised by such data collection, such as sharing with third parties, connections to social media, and targeted advertising.
Additionally, the FTC has already taken action to establish that data privacy and truth-in-advertising laws apply to mobile apps. Last August, an app developer was ordered to pay $50,000 to settle FTC charges that it violated the Children’s Online Privacy Protection Act (COPPA) by failing to require parental notice and consent before collecting and disclosing children’s personal information. The following month, the agency settled its first actions addressing health claims in the mobile application marketplace. The complaints were against AcneApp and Acne Pwner, both of which claimed to treat acne through lights emitted from the user’s smartphone. The cases ended in settlements for monetary damages and injunctive relief barring the companies from making health-related claims without the backing of “competent and reliable scientific evidence.”
In the new FTC Guide, the FTC recommends that developers:
• Tell the truth about what the app can do – both in marketing materials and within the app itself.
• Disclose key information clearly and conspicuously.
• Err on the side of caution, and implement meaningful privacy-protection policies from the start.
• Only collect the information that developers really want, and require affirmative consent before collecting sensitive information.
• Offer user -friendly choices. For example, use default settings that collect a limited amount of user information, and allow users to adjust settings for increased sharing and functionality.
• Protect kids’ privacy by requiring parental consent before their information is collected and shared.
• Incorporate security measures to protect user data, especially when collecting medical and financial information.
On September 12, a new bill – the Mobile Device Privacy Act – was referred to the House Committee on Energy and Commerce. The bill, introduced by Reps. Ed Markey (D -Mass.) and Diana DeGette (D –Colo.), requires merchants, mobile service providers, and manufacturers to disclose information about mobile tracking software to consumers and to obtain users’ express consent before the software is activated. Specifically, customers must be told that the software is installed, what type of data it is collecting, the identity of all persons to whom the data will be transmitted, how the data will be used, and how the user can limit collection and sharing. Disclosures must be clear and conspicuous, and consumers must be able to prohibit further collection and sharing at any time.
If passed, this law will also require all recipients of user information to establish and implement information security policies and procedures for data collection, retention, system monitoring, and destruction. Finally, the bill requires that companies file all agreements relating to the transmission of user information with the FTC and the Federal Communications Commission. In the bill’s current form, penalties will range from $1,000 to $3,000 per violation (i.e., per user affected). Hence, a single policy error could expose large vendors to liability well into the billions of dollars, and a similar misstep could put a startup out of business.
All mobile app developers – including large players and new entrants – should review their compliance with this new FTC guidance and their overall truth-in-advertising and data privacy policies. The FTC has made it clear that it will take enforcement actions against industry participants large and small. In particular, we believe those making health claims, targeting children, and transmitting user information to third parties will continue to face significant FTC scrutiny. In general, the more personal information that an app collects from individuals, the greater the need for significant privacy projections and disclosures.