On February 1, the FTC announced that it is requiring a social networking application company to pay $800,000 and make certain compliance enhancements to resolve allegations that the firm (i) misled and deceived users by automatically collecting and storing personal information from users’ mobile device address books even if the users had not selected that option and despite claims that the application collected only certain non-personal user information, and (ii) violated the Children’s Online Privacy Protection Act Rule by collecting personal information from approximately 3,000 children under the age of 13 without first getting parents’ consent. Pursuant to the consent decree, in addition to the monetary penalty, the company must establish a comprehensive privacy program, and obtain independent privacy assessments every other year for the next 20 years.
Concurrently, the FTC released a staff report that provides disclosure policy and other guidance to mobile platforms, application developers, advertising networks and analytics companies, and application developer trade associations. For example, the report urges platforms to (i) provide just-in-time disclosures to consumers and obtain affirmative express consent before allowing applications to access sensitive content like geolocation; (ii) consider providing just-in-time disclosures and obtaining affirmative express consent for other content that consumers may find sensitive; and (iii) consider developing icons to depict the transmission of user data. With regard to application developers, the report recommends, for example, that developers (i) provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information; and (ii) improve coordination and communication with advertising networks and other third parties that provide services for applications. During a call announcing the report, the FTC explained that the report is intended to influence industry standards, and that the Commission staff will reference the report for future policymaking. The FTC also noted that the National Telecommunications and Information Agency is developing a code of conduct on mobile application transparency, and, if strong privacy codes are developed, the FTC will view adherence to such codes favorably in connection with its law enforcement work.