The FTC guidance released February 1 is Mobile Privacy Disclosures: Building Trust Through Transparency: A Federal Trade Commission Staff Report. In Mobile Privacy Disclosures, the FTC as the primary federal regulator on privacy issues outlines its understanding of the state of the nation with respect to consumer information and mobile apps.
The report cites to studies that “57% of all app users have either uninstalled an app over concerns about having to share their personal information, or declined to install an app in the first place for similar reasons,” and that “in a 2011 survey of U.S. smartphone users, less than one-third of survey respondents reported feeling in control of their personal information on their mobile devices.” Mobile Privacy Disclosures, p.3. Indeed, the report set forth as a key theme arising from the agency’s workshops on this issue that “consumers do not know or understand current information collection and use practices occurring on mobile devices.” (p. 10)
To address what the agency sees as widespread confusion, Mobile Privacy Disclosures sets forth “best practice recommendations” for platforms, app developers, third parties such as ad networks and analytics companies, and app trade associations. While Reed Smith’s privacy team will review these recommendations in more detail, some key points include:
For App Platforms
-
A definite focus on pushing app platforms, as “gatekeepers to the app marketplace” (p. 11) to set and enforce privacy disclosure standards
-
That platforms should get “affirmative express consent” through “just-in-time disclosures” before giving apps access to sensitive personal information (p. 15)
-
That the app review process by platforms should be more transparent to users (p. 20)
For App Developers
-
That app developers “should have a privacy policy and make that policy available through the platform’s app store” (p. 22), but that “app-level disclosures [should] not repeat the platform-level disclosures” (p. 23)
-
The report also laments that “It is common for app developers to integrate third-party code to facilitate advertising or analytics within an app with little understanding of what information the third party is collecting and how it is being used. App developers should take responsibility for understanding the function of the code they are utilizing.” (p. 24)
For App Networks
-
“Ad networks and analytics providers should help app developers better understand how this code works and what it does.” (pp. 24)
-
“In addition, advertising networks should work with platforms to ensure implementation of an effective DNT [Do Not Track] system for mobile. (pp. 24-25)
App trade associations were urged to promote industry standards for consistent and effective communication of requirements.
Mobile Privacy Disclosures places a special emphasis on the privacy challenges raised by locational data. The report noted that “if the data falls in the wrong hands, the data can be misused and subject consumers to harms such as stalking or identity theft.” Mobile Privacy Disclosures, p.3.
Mobile Privacy Disclosures was released alongside the announcement that Path, Inc. agreed to settle charges that its social networking app violated the FTC Act and the Children’s Online Privacy Protection Act (COPPA). The FTC alleged that Path automatically collected users’ address book data from their mobile devices without disclosing that data collection.
The FTC also alleged that Path allowed children under the age of 13 to register for their services and did not adequately disclose the service’s data collection practices, did not notify parents of the information the service collected from children under the age of 13, and did not obtain verifiable parental consent. The FTC also highlighted a photo upload feature of the app that invited users, including children, to include geolocation information on the photo upload, as being especially problematic.
The settlement prohibits Path from making misrepresentations about its data collection practices. In an injunctive provision that requires Path to clearly and conspicuously disclose its data collection from mobile devices, the FTC states that categories of information accessed or collected from a user’s mobile device must be disclosed separate from any “privacy policy,” “terms of use,” “blog,” “statement of values,” or similar document. In addition, Path must obtain a user’s affirmative express consent to access or collect such information. The notice and consent must occur prior to data collection. The FTC does not specify whether such disclosure and consent must occur prior to download at the platform level, or if disclosure once the app is downloaded is sufficient. What is clear is that burying the disclosure in a privacy policy, even in a short form in-app policy, will not pass muster.
The settlement requires Path to pay a civil penalty of $800,000 and establish and implement a comprehensive privacy program. Path agreed to comply with COPPA by disclosing its data collection from children, notifying parents of such data collection, and obtaining verifiable parental consent. In addition, Path is prohibited from using any of the data it collected on children, and must delete that data within 10 days of the agreement.
