The Federal Trade Commission has emphasized in the past that general privacy protections in the website space apply equally to mobile services, but a new FTC Staff Report released on Friday hones in on some privacy considerations unique to mobile technologies.

Also on Friday, the FTC announced a settlement with Path, Inc. This is the agency’s first public enforcement action against a mobile app addressing the collection and use of a mobile device user’s address book contacts.

FTC Settles With Path, Inc. Over Charges That Social Networking App Improperly Collected Personal Information From Mobile Address Books and Violated COPPA

Path provides a social network service that allows users to keep journals of special life moments, including written thoughts, photos, the user’s geolocation and music, and to share those journals with up to 150 friends in their network. In version 2.0 of its iOS app, Path offered an “Add Friends” feature that would allow users to locate friends on the service through Facebook, through e-mail or SMS, or through the user’s mobile device address book (or contacts) list.

The FTC alleged that Path automatically collected and stored personal information from the user’s address book even if the user did not select the “find friends from your contacts” option. For each contact in the user’s address book, the Path app collected first and last names, addresses, phone numbers, e-mail addresses, Facebook and Twitter usernames, and dates of birth. This data collection occurred when a user first launched version 2.0 of the app and each time a user signed back into his/her account. The FTC focused on two aspects of consumer deception. First, the FTC believed that the Path app’s user interface was misleading because it implied that address book data would be accessed only if the user selected the “find friends from your contacts” option. Second, the FTC found that Path’s posted privacy policy misled consumers by disclosing that the app automatically collected only user information such as IP address, browser type, etc., but failed to disclose that the app also automatically collected address book information.

The settlement included a commitment to increase privacy safeguards and payment of an $800,000 fine. The regulators focused on the fact that the design of the application was deceptive in that users were made to believe that unless they elected to share address book contacts, the contacts would not be shared. However, legal authority for the fine was based in Path’s violation of the Children's Online Privacy Protection Act (COPPA). Early in the history of Path, the company collected personal information from about 3,000 users who were not yet 13, without their parents' consent, and permitted children to post personal information publicly on the Path social network service.

The FTC has indicated in past statements that it hoped Congress would pass legislation that would actually convey authority to the FTC to issue civil penalties for online privacy violations, but Congress has yet to act. Until then, the FTC will look to violations of other laws, such as COPPA, for authority to issue such fines.

Like the Facebook, Google, and MySpace settlements before, the Path settlement also requires the company to establish a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years.

As mobile apps continue to grow their user bases through invitation and other viral-marketing features, it is imperative that care is taken to conspicuously disclose data collection and use practices and to consider where or when more affirmative forms of user consent might be warranted (for example, where users may include children under the age of 13). The FTC's press release on the Path settlement can be found here.

'Mobile Privacy Disclosures: Building Trust through Transparency,' FTC Staff Report, February 2013

The FTC’s Mobile Privacy Report observes that mobile technology may raise unique privacy concerns. Enormous amounts of personal data are collected and transmitted by smartphones and tablets. And, to a greater extent than other technologies, mobile devices (and the data they collect) can be tied or connected in some manner to a specific individual. Mobile data is also collected by a diverse set of ecosystem players—for example, operating systems, application developers and advertising networks—and the relatively small screen size of mobile devices makes it more challenging to provide robust, detailed disclosures. Indeed, a May 2012 FTC panel on mobile privacy and associated industry comments point to a lack of consumer awareness and understanding about the data collection and use practices occurring on mobile devices.

The FTC’s Mobile Privacy Report offers suggestions on how industry can improve the current state of affairs.  The FTC’s recommendations generally align with those of the California Attorney General, whose January 2012 report on mobile privacy encouraged app developers, platform providers, ad networks, mobile carriers and operating system developers to increase transparency, limit the collection and retention of data, provide meaningful choice to consumers, and improve data security. See our previous coverage of the California AG report here.

FTC’s Advice for Mobile Platforms

The Report notes that mobile platforms, such as those by Apple, Google, Amazon, Microsoft and BlackBerry, serve as the gatekeepers to the app marketplace and, therefore, are potentially in a position to effectuate change with respect to mobile privacy disclosures. The Report recommends that mobile platforms implement or consider:

  • Providing “just-in-time” disclosures (at the point of collection) and obtaining affirmative express consent before allowing apps to access sensitive information, such as geolocation, and other content that consumers may consider sensitive, such as contacts, photos, calendar entries or videos.
  • Developing a privacy “dashboard” to allow consumers to review the types of data accessed by the apps they have already downloaded.
  • Developing icons to depict the transmission of user data.
  • Promote app developer best practices through education, oversight, monitoring and enforcement.
  • Consider developing a Do Not Track (DNT) mechanism, which would allow consumers to prevent tracking by ad networks through their mobile apps.

FTC’s Advice for Mobile App Developers

The Report recommends that mobile app developers:

  • Post a privacy policy and make the policy available through the platform’s app store so that consumers may review the terms before downloading the application.
  • Provide just-in-time disclosures and obtain affirmative express consent when collecting sensitive information outside the platform’s API, such as financial, health, or children’s data, or when the app shares sensitive data with third parties. The FTC notes that app developers “should” be able to rely on platform-level disclosures (for example, that geolocation data will be collected by the app through APIs) and “need not repeat the same disclosure and consent process.” However, if the app then shares the geolocation data with a third party, it should provide a just-in-time disclosure and obtain affirmative consent from the user.
  • Improve coordination and communication with third parties that provide services for the apps, such as ad networks or analytics companies, to understand each third party’s data collection practices and be able to accurately disclose such practices to consumers. The FTC specifically notes that ad networks and other third parties that provide services for apps should affirmatively assist app developers to understand the technologies used to facilitate activities like advertising or analytics—so that app developers can in turn make more complete and accurate disclosures to their users.
  • Participate in self-regulatory programs, trade associations and industry organizations that may develop guidance on how to implement uniform, short-form privacy disclosures.

FTC’s Advice for App Developer Trade Associations, Academics and Privacy Researchers

The Report notes that trade associations and industry participants can play a role in standardizing processes, and recommends that they:

  • Develop short-form disclosures for app developers.
  • Promote standardized app developer privacy policies that will allow consumers to compare privacy practices across apps.
  • Educate app developers on privacy issues.

The Report’s recommendations were intended to provide a flexible framework that will accommodate further developments in technology and innovation. The FTC strongly encourages companies to implement the recommendations in the Report and notes that it will continue to closely monitor developments in the mobile space. The text of the Report can be found here.

Concurrently with releasing this Report, the FTC also released guidance on implementing security for mobile applications. This guidance, although fairly high-level, demonstrates the FTC’s continuing focus on prodding industry to adopt data protection and security measures that are appropriate for the type of data collected and processed by the apps, and minimizing the collection and storage of consumer data generally.