FTC Assesses $800,000 Fine Against Mobile App Operator and Issues Mobile Privacy and Security Guidance

by Orrick, Herrington & Sutcliffe LLP

The Federal Trade Commission has emphasized in the past that general privacy protections in the website space apply equally to mobile services, but a new FTC Staff Report released on Friday homes in on some privacy considerations unique to mobile technologies.

Also on Friday, the FTC announced a settlement with Path, Inc. This is the agency’s first public enforcement action against a mobile app addressing the collection and use of a mobile device user’s address book contacts.

FTC Settles With Path, Inc. Over Charges That Social Networking App Improperly Collected Personal Information From Mobile Address Books and Violated COPPA

Path provides a social network service that allows users to keep journals of special life moments, including written thoughts, photos, the user’s geolocation and music, and to share those journals with up to 150 friends in their network. In version 2.0 of its iOS app, Path offered an “Add Friends” feature that would allow users to locate friends on the service through Facebook, through e-mail or SMS, or through the user’s mobile device address book (or contacts) list.

The FTC alleged that Path automatically collected and stored personal information from the user’s address book even if the user did not select the “find friends from your contacts” option. For each contact in the user’s address book, the Path app collected first and last names, addresses, phone numbers, e-mail addresses, Facebook and Twitter usernames, and dates of birth. This data collection occurred when a user first launched version 2.0 of the app and each time a user signed back into his/her account. The FTC focused on two aspects of consumer deception. First, the FTC believed that the Path app’s user interface was misleading because it implied that address book data would be accessed only if the user selected the “find friends from your contacts” option. Second, the FTC found that Path’s posted privacy policy misled consumers by disclosing that the app automatically collected only user information such as IP address, browser type, etc., but failed to disclose that the app also automatically collected address book information.

The settlement included a commitment to increase privacy safeguards and payment of an $800,000 fine. The regulators focused on the fact that the design of the application was deceptive in that users were made to believe that unless they elected to share address book contacts, the contacts would not be shared. However, the legal authority for the fine was based on Path’s violation of the Children's Online Privacy Protection Act (COPPA). Early in the history of Path, the company collected personal information from about 3,000 users who were not yet 13, without their parents' consent, and permitted children to post personal information publicly on the Path social network service.

The FTC has indicated in past statements that it hoped Congress would pass legislation that would actually convey authority to the FTC to issue civil penalties for online privacy violations, but Congress has yet to act. Until then, the FTC will look to violations of other laws, such as COPPA, for authority to issue such fines.

Like the Facebook, Google, and MySpace settlements before it, the Path settlement also requires the company to establish a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years.

As mobile apps continue to grow their user bases through invitation and other viral-marketing features, it is imperative that care is taken to conspicuously disclose data collection and use practices and to consider where or when more affirmative forms of user consent might be warranted (for example, where users may include children under the age of 13). The FTC's press release on the Path settlement can be found here.

'Mobile Privacy Disclosures: Building Trust through Transparency,' FTC Staff Report, February 2013

The FTC’s Mobile Privacy Report observes that mobile technology may raise unique privacy concerns. Enormous amounts of personal data are collected and transmitted by smartphones and tablets. And, to a greater extent than other technologies, mobile devices (and the data they collect) can be tied or connected in some manner to a specific individual. Mobile data is also collected by a diverse set of ecosystem players—for example, operating systems, application developers and advertising networks—and the relatively small screen size of mobile devices makes it more challenging to provide robust, detailed disclosures. Indeed, a May 2012 FTC panel on mobile privacy and associated industry comments point to a lack of consumer awareness and understanding about the data collection and use practices occurring on mobile devices.

The FTC’s Mobile Privacy Report offers suggestions on how industry can improve the current state of affairs. The FTC’s recommendations generally align with those of the California Attorney General, whose January 2012 report on mobile privacy encouraged app developers, platform providers, ad networks, mobile carriers and operating system developers to increase transparency, limit the collection and retention of data, provide meaningful choice to consumers, and improve data security. See our previous coverage of the California AG report here.

FTC’s Advice for Mobile Platforms

The Report notes that mobile platforms, such as those by Apple, Google, Amazon, Microsoft and BlackBerry, serve as the gatekeepers to the app marketplace and, therefore, are potentially in a position to effectuate change with respect to mobile privacy disclosures. The Report recommends that mobile platforms implement or consider:

  • Providing “just-in-time” disclosures (at the point of collection) and obtaining affirmative express consent before allowing apps to access sensitive information, such as geolocation, and other content that consumers may consider sensitive, such as contacts, photos, calendar entries or videos.
  • Developing a privacy “dashboard” to allow consumers to review the types of data accessed by the apps they have already downloaded.
  • Developing icons to depict the transmission of user data.
  • Promoting app developer best practices through education, oversight, monitoring and enforcement.
  • Considering the development of a Do Not Track (DNT) mechanism, which would allow consumers to prevent tracking by ad networks through their mobile apps.

FTC’s Advice for Mobile App Developers

The Report recommends that mobile app developers:

  • Post a privacy policy and make the policy available through the platform’s app store so that consumers may review the terms before downloading the application.
  • Provide just-in-time disclosures and obtain affirmative express consent when collecting sensitive information outside the platform’s API, such as financial, health, or children’s data, or when the app shares sensitive data with third parties. The FTC notes that app developers “should” be able to rely on platform-level disclosures (for example, that geolocation data will be collected by the app through APIs) and “need not repeat the same disclosure and consent process.” However, if the app then shares the geolocation data with a third party, it should provide a just-in-time disclosure and obtain affirmative consent from the user.
  • Improve coordination and communication with third parties that provide services for the apps, such as ad networks or analytics companies, to understand each third party’s data collection practices and be able to accurately disclose such practices to consumers. The FTC specifically notes that ad networks and other third parties that provide services for apps should affirmatively assist app developers to understand the technologies used to facilitate activities like advertising or analytics—so that app developers can in turn make more complete and accurate disclosures to their users.
  • Participate in self-regulatory programs, trade associations and industry organizations that may develop guidance on how to implement uniform, short-form privacy disclosures.

FTC’s Advice for App Developer Trade Associations, Academics and Privacy Researchers

The Report notes that trade associations and industry participants can play a role in standardizing processes, and recommends that they:

  • Develop short-form disclosures for app developers.
  • Promote standardized app developer privacy policies that will allow consumers to compare privacy practices across apps.
  • Educate app developers on privacy issues.

The Report’s recommendations were intended to provide a flexible framework that will accommodate further developments in technology and innovation. The FTC strongly encourages companies to implement the recommendations in the Report and notes that it will continue to closely monitor developments in the mobile space. The text of the Report can be found here.

Concurrently with releasing this Report, the FTC also released guidance on implementing security for mobile applications. This guidance, although fairly high-level, demonstrates the FTC’s continuing focus on prodding industry to adopt data protection and security measures that are appropriate for the type of data collected and processed by the apps, and minimizing the collection and storage of consumer data generally.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Orrick, Herrington & Sutcliffe LLP | Attorney Advertising
