The Federal Trade Commission and the California Attorney General have recently published reports focused on mobile privacy. The FTC’s “Mobile Privacy Disclosures” staff report, released on February 1, 2013, followed the California AG’s “Privacy on the Go” report issued in January 2013.

Both reports make recommendations on mobile privacy disclosures to three different audiences: providers of mobile app marketplaces, mobile app developers, and mobile advertising networks. For companies that offer mobile apps as part of their consumer products and services (or permit another company to license their brand name(s) for a mobile app), the reports’ most important recommendations are those concerning a mobile app’s design.

Privacy Considerations When Designing a Mobile App

The California AG report takes a very practical approach to designing a mobile app that ensures users are informed about how their privacy may be affected. The AG recommends starting with a comprehensive analysis that identifies each piece of data collected by the app that contains personally identifiable information (including unique device identified, mobile phone number, and geolocation) and, for each piece, considers the following questions:

• Is the data type necessary for the app’s basic function?
• Is the data type necessary for business reasons?
• How will the data be used?
• Will the data be stored on the device?
• If the data will be stored in servers, how long will it be retained?
• Will the data be shared with third parties (including advertising networks and analytics companies)?
• How will such third parties use the data?
• Within the company, who will have access to the data?
• Will the app access other parts of the mobile device?  If so, can users control such access by modifying permissions?

This information will make it possible to write an accurate and transparent privacy policy, and to evaluate when it may be necessary to provide the “just-in-time” notices discussed below.

The California AG and the FTC recommend that an app’s privacy policy be available to the consumer before the app is downloaded (i.e., via a link in the mobile app marketplace). In addition, the privacy policy should be readily accessible from within the app and optimized for the mobile screen.

Both reports indicate that if an app will collect, use, or share sensitive information, concise “just-in-time” disclosures about such collection, use, or sharing should be provided to the consumer. These disclosures are intended to supplement an app’s overall privacy policy and should always be consistent with that policy. Both reports recommend that such disclosures be provided when the app is accessing information or functionalities such as text messages, call logs, and contacts, or the mobile device’s camera, dialer, or microphone.

Further, if an app uses personally identifiable information in a way that would surprise the consumer, a “just-in-time” disclosure should also be given. For example, a consumer would likely expect an ATM locator app to use his or her location to identify nearby ATMs. But the same consumer may be surprised that an ATM locator app is also using his or her location to identify discounts at nearby retailers, and consequently should receive a “just-in-time” disclosure about such use.

A “just-in-time” disclosure is intended to serve as a decision point for consumers. This means that it should give consumers the immediate opportunity to decide whether to allow their information to be collected, used, or shared by the app in a particular way, before such collection, use, or sharing occurs. If the data is necessary to the app’s basic function, the disclosure should also allow the consumer to discontinue the app’s use.

Other Mobile Privacy Considerations

The FTC and the California AG both recommend that mobile app marketplaces make it easy for consumers to view an app’s privacy policy before downloading the app, develop icons that allow consumers to easily identify an app’s privacy practices, and confirm that an app functions consistently with its privacy policy. Additionally, mobile app marketplaces should allow consumers to easily report an app that is not complying with its privacy policy.

Finally, both reports address concerns regarding mobile advertising networks. The FTC recommends that such networks develop a mechanism consumers could use to prevent network tracking of their use of apps. The California AG specifies that mobile advertising networks should avoid delivering ads outside the context of the app and use enhanced measures to obtain prior consent from users before accessing personal information.

Why This Matters

Any company that has a mobile app tied to its brand, products, or services is affected by these concerns. The company must know how data is used within new or existing mobile apps and then ensure that its privacy policy accurately reflects that usage. Privacy is a serious matter for financial services, so we recommend against delegating the data inventory and privacy policy review to third parties or relying upon representations from the mobile app developer without double-checking how the app works.

Ballard Spahr attorneys regularly advise financial institutions and other companies on developing financial services in the mobile channel to ensure compliance with consumer financial services laws, as well as related data security and privacy laws. The firm's Consumer Financial Services Group is nationally recognized for its guidance in structuring and documenting new consumer financial services products as well as its experience with the full range of federal and state consumer credit laws.

Members of the Consumer Financial Services Group who are also part of the Privacy and Data Security Group focus on financial privacy by design—evaluating new products and services and communications channels to ensure that financial institutions are meeting their privacy and data security obligations.

For more information, please contact Mercedes Kelley Tunstall at 202.661.2221 or tunstallm@ballardspahr.com, or Amy S. Mushahwar at 202.661.7644 or mushahwara@ballardspahr.com.