FTC and California Attorney General Issue Reports on Mobile Privacy

by Ballard Spahr LLP

The Federal Trade Commission and the California Attorney General have recently published reports focused on mobile privacy. The FTC’s “Mobile Privacy Disclosures” staff report, released on February 1, 2013, followed the California AG’s “Privacy on the Go” report issued in January 2013.

Both reports make recommendations on mobile privacy disclosures to three different audiences: providers of mobile app marketplaces, mobile app developers, and mobile advertising networks. For companies that offer mobile apps as part of their consumer products and services (or permit another company to license their brand name(s) for a mobile app), the reports’ most important recommendations are those concerning a mobile app’s design.

Privacy Considerations When Designing a Mobile App

The California AG report takes a very practical approach to designing a mobile app that ensures users are informed about how their privacy may be affected. The AG recommends starting with a comprehensive analysis that identifies each piece of data collected by the app that contains personally identifiable information (including unique device identifier, mobile phone number, and geolocation) and, for each piece, considers the following questions:

  • Is the data type necessary for the app’s basic function?
  • Is the data type necessary for business reasons?
  • How will the data be used?
  • Will the data be stored on the device?
  • If the data will be stored in servers, how long will it be retained?
  • Will the data be shared with third parties (including advertising networks and analytics companies)?
  • How will such third parties use the data?
  • Within the company, who will have access to the data?
  • Will the app access other parts of the mobile device? If so, can users control such access by modifying permissions?

This information will make it possible to write an accurate and transparent privacy policy, and to evaluate when it may be necessary to provide the “just-in-time” notices discussed below.

The California AG and the FTC recommend that an app’s privacy policy be available to the consumer before the app is downloaded (i.e., via a link in the mobile app marketplace). In addition, the privacy policy should be readily accessible from within the app and optimized for the mobile screen.

Both reports indicate that if an app will collect, use, or share sensitive information, concise “just-in-time” disclosures about such collection, use, or sharing should be provided to the consumer. These disclosures are intended to supplement an app’s overall privacy policy and should always be consistent with that policy. Both reports recommend that such disclosures be provided when the app is accessing information or functionalities such as text messages, call logs, and contacts, or the mobile device’s camera, dialer, or microphone.

Further, if an app uses personally identifiable information in a way that would surprise the consumer, a “just-in-time” disclosure should also be given. For example, a consumer would likely expect an ATM locator app to use his or her location to identify nearby ATMs. But the same consumer may be surprised that an ATM locator app is also using his or her location to identify discounts at nearby retailers, and consequently should receive a “just-in-time” disclosure about such use.

A “just-in-time” disclosure is intended to serve as a decision point for consumers. This means that it should give consumers the immediate opportunity to decide whether to allow their information to be collected, used, or shared by the app in a particular way, before such collection, use, or sharing occurs. If the data is necessary to the app’s basic function, the disclosure should also allow the consumer to discontinue the app’s use.

Other Mobile Privacy Considerations

The FTC and the California AG both recommend that mobile app marketplaces make it easy for consumers to view an app’s privacy policy before downloading the app, develop icons that allow consumers to easily identify an app’s privacy practices, and confirm that an app functions consistently with its privacy policy. Additionally, mobile app marketplaces should allow consumers to easily report an app that is not complying with its privacy policy.

Finally, both reports address concerns regarding mobile advertising networks. The FTC recommends that such networks develop a mechanism consumers could use to prevent network tracking of their use of apps. The California AG specifies that mobile advertising networks should avoid delivering ads outside the context of the app and use enhanced measures to obtain prior consent from users before accessing personal information.

Why This Matters

Any company that has a mobile app tied to its brand, products, or services is affected by these concerns. The company must know how data is used within new or existing mobile apps and then ensure that its privacy policy accurately reflects that usage. Privacy is a serious matter for financial services, so we recommend against delegating the data inventory and privacy policy review to third parties or relying upon representations from the mobile app developer without double-checking how the app works.

Ballard Spahr attorneys regularly advise financial institutions and other companies on developing financial services in the mobile channel to ensure compliance with consumer financial services laws, as well as related data security and privacy laws. The firm's Consumer Financial Services Group is nationally recognized for its guidance in structuring and documenting new consumer financial services products as well as its experience with the full range of federal and state consumer credit laws.

Members of the Consumer Financial Services Group who are also part of the Privacy and Data Security Group focus on financial privacy by design—evaluating new products and services and communications channels to ensure that financial institutions are meeting their privacy and data security obligations.

For more information, please contact Mercedes Kelley Tunstall at 202.661.2221 or tunstallm@ballardspahr.com, or Amy S. Mushahwar at 202.661.7644 or mushahwara@ballardspahr.com.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising
