The FTC guidance released February 1 is Mobile Privacy Disclosures: Building Trust Through Transparency: A Federal Trade Commission Staff Report. In Mobile Privacy Disclosures, the FTC as the primary federal regulator on privacy issues outlines its understanding of the state of the nation with respect to consumer information and mobile apps.
The report cites to studies that “57% of all app users have either uninstalled an app over concerns about having to share their personal information, or declined to install an app in the first place for similar reasons,” and that “in a 2011 survey of U.S. smartphone users, less than one-third of survey respondents reported feeling in control of their personal information on their mobile devices.” Mobile Privacy Disclosures, p.3. Indeed, the report set forth as a key theme arising from the agency’s workshops on this issue that “consumers do not know or understand current information collection and use practices occurring on mobile devices.” (p. 10)
To address what the agency sees as widespread confusion, Mobile Privacy Disclosures sets forth “best practice recommendations” for platforms, app developers, third parties such as ad networks and analytics companies, and app trade associations. While Reed Smith’s privacy team will review these recommendations in more detail, some key points include:
For App Platforms
A definite focus on pushing app platforms, as “gatekeepers to the app marketplace” (p. 11) to set and enforce privacy disclosure standards
That platforms should get “affirmative express consent” through “just-in-time disclosures” before giving apps access to sensitive personal information (p. 15)
That the app review process by platforms should be more transparent to users (p. 20)
For App Developers
The report also laments that “It is common for app developers to integrate third-party code to facilitate advertising or analytics within an app with little understanding of what information the third party is collecting and how it is being used. App developers should take responsibility for understanding the function of the code they are utilizing.” (p. 24)
For App Networks
“Ad networks and analytics providers should help app developers better understand how this code works and what it does.” (pp. 24)
“In addition, advertising networks should work with platforms to ensure implementation of an effective DNT [Do Not Track] system for mobile. (pp. 24-25)
App trade associations were urged to promote industry standards for consistent and effective communication of requirements.
Mobile Privacy Disclosures places a special emphasis on the privacy challenges raised by locational data. The report noted that “if the data falls in the wrong hands, the data can be misused and subject consumers to harms such as stalking or identity theft.” Mobile Privacy Disclosures, p.3.
Mobile Privacy Disclosures was released alongside the announcement that Path, Inc. agreed to settle charges that its social networking app violated the FTC Act and the Children’s Online Privacy Protection Act (COPPA). The FTC alleged that Path automatically collected users’ address book data from their mobile devices without disclosing that data collection.
The FTC also alleged that Path allowed children under the age of 13 to register for their services and did not adequately disclose the service’s data collection practices, did not notify parents of the information the service collected from children under the age of 13, and did not obtain verifiable parental consent. The FTC also highlighted a photo upload feature of the app that invited users, including children, to include geolocation information on the photo upload, as being especially problematic.
The settlement requires Path to pay a civil penalty of $800,000 and establish and implement a comprehensive privacy program. Path agreed to comply with COPPA by disclosing its data collection from children, notifying parents of such data collection, and obtaining verifiable parental consent. In addition, Path is prohibited from using any of the data it collected on children, and must delete that data within 10 days of the agreement.