
On February 1, the FTC issued Mobile Privacy Disclosures, Building Trust Through Transparency: A Federal Trade Commission Staff Report, which recommends best practices regarding mobile privacy for key stakeholders in the mobile space. The report represents an effort to reconcile the “staggering” growth of the consumer market for mobile devices with the “unique privacy challenges” posed by such devices, including geolocation capabilities, limited screen space for privacy disclosures, and the vast array of different entities (mobile carriers, mobile operating system providers, app developers, etc.) that collect end-user data from mobile devices.
Drawing primarily on the FTC’s recent activities in three key areas of mobile privacy pertaining to enforcement, outreach, and policy initiatives, and the major talking points from an FTC-sponsored May 2012 mobile privacy panel, the report offers a number of suggestions for bolstering mobile transparency directed to (1) mobile platforms, (2) app developers, (3) advertising networks, and (4) app developer trade associations.
Mobile Platforms Given Special Notice
The FTC singled out mobile platforms, noting that their unique “gatekeeper” status and control over the availability of mobile apps gives them “the greatest ability to effectuate change” to improve the current state of mobile privacy disclosures. Indeed, the list of suggested best practices aimed at mobile platforms is the longest and most detailed of the report. Among the specific recommendations:
- Provide timely privacy disclosures to consumers and obtain their explicit consent before allowing apps to access and collect certain sensitive data and content;
- Consider developing and implementing a visual “dashboard” that displays for consumers the types of data accessed and collected by apps;
- Consider designing, testing, and implementing intuitive and simple icons to depict certain app privacy practices;
- Implement and enforce contractual obligations for, and promote best practices and educational information to, app developers that address mobile privacy;
- Consider providing consumers with clear disclosures about the extent of prerelease review and post-release compliance checks that platforms undertake for apps that can be downloaded from the platform; and
- Consider offering a Do Not Track (“DNT”) feature for mobile devices that gives end users the option to prevent and/or control tracking by third parties such as ad networks.
App Developers Warned About Privacy Violations
The FTC put app developers on notice that they remain an integral part of the equation, and that enforcement actions will continue against app developers for privacy violations in the mobile space. To underscore this point, the report cites the settlement reached in the FTC's recent enforcement action against the Path Social Networking App marketed by Path, Inc. On January 31, one day before the release of the report, the FTC and Path settled charges alleging deceptive data collection practices and illegal collection of data from children under the age of 13 in violation of the Children’s Online Privacy Protection Act. Path agreed to establish a comprehensive privacy program and obtain an independent privacy assessment annually for 20 years and paid a fine of $800,000.
FTC recommendations for app developers include the following:
- Have a privacy policy that is readily available through the mobile platform’s app store;
- Provide timely privacy disclosures to consumers and obtain explicit consent before collecting and sharing sensitive data, to the extent such disclosures and consent have not already been addressed by the platform;
- Improve coordination and communication with third parties such as ad networks, analytics companies, and other service providers for apps in order for app developers to better provide accurate privacy disclosures to mobile device consumers; and
- Consider participating in self-regulatory programs, trade associations, and industry organizations, which can be valuable sources of guidance on adequate privacy disclosures.
Advertising Networks Asked to Play Active Role
The FTC recommends an active role for advertising networks and other third-party service providers for apps, including:
- Communication and coordination with app developers so that the developers can provide accurate privacy disclosures to consumers; and
- Cooperation with platforms to ensure effective implementation of DNT for mobile devices.
App Developer Trade Associations May Play Self-Regulatory Role
Perhaps looking to the self-regulatory structure adopted by the advertising industry for behavioral advertising (e.g., www.iab.net), the FTC recommends that trade associations of app developers:
- Develop standardized mobile privacy tools, such as icons and “badges” that depict or disclose certain app privacy practices, and short-form privacy policies; and
- Educate app developers on mobile privacy issues.
Best Practices: The FTC concludes by noting that the report's recommendations are not rules, but industry best practices “intended to be sufficiently flexible to accommodate further innovation and change.” All stakeholders in the mobile industry are strongly encouraged to be aware of the FTC’s heightened scrutiny of privacy issues in the mobile space, align their practices with the report’s recommendations, and carefully consider how evolution of their business model will continue to impact mobile privacy concerns. At the same time, many compelling questions remain, including the content of mobile privacy policies, the feasibility of developing standard icons for mobile apps' privacy practices, achieving compliance by the industry, and risk allocation among the key stakeholders.
Stay tuned!