The FTC and California’s Attorney General Recommend Detailed New Privacy Practices and Disclosures for Entities Operating in the Mobile Environment

by Davis Wright Tremaine LLP
Contact

The Federal Trade Commission (FTC) and California Attorney General’s office each recently issued detailed guidance for providers of mobile platforms, apps, ad networks, and their trade associations. Building on a series of recent actions emphasizing specific privacy concerns in the mobile space, the FTC on Feb. 1, 2013 released a Staff Report titled “Mobile Privacy Disclosures: Building Trust Through Transparency” which outlines recommendations to improve privacy disclosures and control. The report recommends, among other things, the implementation of a Do Not Track mechanism for mobile devices. In addition, it recommends that mobile “platform” providers (such as Microsoft, Apple, Google and Blackberry) obtain express (opt-in) consent from users and provide additional privacy disclosures.

The FTC Staff Report, which the Commission proposed in its landmark Privacy Report, comes on the heels of the California Attorney General’s January 2013 report, “Privacy on the Go.” The AG’s report addresses not just privacy disclosures, but recommends “best practices” for platforms, app developers, and ad networks that explicitly go beyond existing law. Both reports are intended to influence the Obama administration’s ongoing multistakeholder workshops for mobile privacy overseen by the National Telecommunications and Information Administration (NTIA).

FTC STAFF REPORT ON MOBILE DISCLOSURES

The FTC Staff Report emphasizes the role platform providers should play to improve mobile privacy transparency. The report recommends that the platforms implement further privacy disclosures and obtain opt-in consent from users at the platform level, prior to consumer download of an app. In addition, the report recommends that platform providers use their position in the app development marketplace to exert greater control over app developers’ privacy practices. The report also recommends ways app developers can improve privacy disclosures, and urges coordination with and cooperation by ad networks and trade associations that represent app developers.

Following recent work on increasing privacy disclosures for mobile apps targeted at children, including a revised rule implementing the Children’s Online Privacy Protection Act (COPPA), the recommendations were also released at the same time the agency issued an $800,000 fine against Path, a social networking app developer that allegedly violated children’s privacy protections by collecting personal information. Approved by four of the agency’s five commissioners the report is, however, not binding on the industry. Nonetheless, outgoing FTC Chairman Leibowitz stated that implementation of these recommendations could reduce the possibility of additional regulatory or legislative mandates in this area. In addition, the report reflects the agency’s view that geolocation information is “sensitive” and should be subject to heightened protections, similar to those protections afforded to financial and health data.

FTC Staff Recommendations for Platform Providers
Platform providers are the focus of most of the FTC’s disclosure proposals, in part because they have power to exert significant control over the app market by providing a uniform application programming interface (API) that allows apps to access standard categories of content (e.g., geolocation data, user accounts, browser data). These recommendations include:

“Just in Time” Disclosures Protections for “sensitive” content. As to “sensitive” information (defined by the Commission as precise geolocation, Social Security number, financial, health, or children’s data) the report recommends that platform providers:

  • Provide disclosures to consumers just prior to the collection of sensitive information by the app;
  • Obtain affirmative express (opt-in) consent prior to apps using sensitive content; and
  • Consider providing the same just-in-time notice for other content which may be sensitive in many contexts, such as photos, contacts, or recorded audio or video content.

A Privacy Dashboard. The staff endorses the dashboard approaches of Apple’s iOS6 and Android’s “Settings/App Info” which shows the permissions each app has to access device data.

Privacy Icons. The Staff Report suggests that platforms explore the use of standardized privacy icons to alert consumers that apps are accessing their data, as both Apple and Google now have to depict collection of geolocation data. The report notes, however, that the use of icons requires further consumer testing and iterative design changes in response to test results.

Platform Oversight of Apps. The FTC Staff Report endorses greater control by platform providers over the privacy practices of app developers. It urges platform providers to incorporate and enforce contractual terms with app developers that require the developers to provide just-in-time disclosures and obtain opt-in consent before collecting or sharing sensitive information. The report suggests that platform providers “should do a better job” of disclosing which apps are reviewed by the platform before releasing to consumers.

Do Not Track. Although a Do Not Track mechanism is not related to consumer disclosures like the other aspects of this report, the Staff continues the Commission’s strong preference, absent new legislation, for a Do Not Track mechanism. The Staff Report finds Do Not Track especially important to consumer privacy in the mobile ecosystem, given the omnipresence of most consumers’ mobile devices.
 
FTC Staff Recommendations for App Developers
The Staff Report’s recommendations for platform providers carry through to its recommendations for app developers themselves. The report recommends that app developers have a privacy policy available for consumers through app stores and provide just-in-time disclosures and obtain express (opt-in) consent.

The report emphasizes that disclosures at the app-level not repeat the same disclosures made at the platform level, so that app developers (and consumers) rely on the app level disclosure if it would otherwise be the same. If, however, the app developer decides to share sensitive information later, it should provide a just-in-time disclosure from within the app, and obtain affirmative consent for that sharing.

The Staff Report suggests developers should improve “coordination and communication” with ad networks that provide services for the app developers (i.e., understand what information the third party is collecting and using). Developers should also consider participating in self-regulatory programs, trade associations and industry organizations that address privacy disclosures.

FTC Staff Recommendations for Ad Networks and Other Third Parties
Given that a main concern of the FTC and other regulators on mobile privacy is the collection and use of data to deliver advanced advertising, the report suggests that ad networks communicate with app developers so they can provide accurate and “truthful” disclosures to consumers. Most specifically, the report notes that ad networks should better explain to developers the function of code provided by the networks. Ad networks are also urged to work with operating platforms to ensure effective implementation of some form of Do Not Track mechanism for mobile devices. The report explains that the staff expects to issue a separate report with updated guidance on advertising disclosures.

FTC Staff Recommendations for App Developer Trade Associations
The Staff Report urges app developer trade associations to work with the app platforms to improve transparency of app privacy practices:

  • App trade associations could work with app platforms to develop interactive icons that would appear on smartphones to indicate that an app is collecting data, and allow consumers to quickly determine the data practices that triggered the icon’s appearance;
  • Trade associations could develop “badges” akin to the TRUSTe badge, or other short form disclosures that could appear within apps or ads promoting apps. These short form disclosures would allow consumers to quickly determine the general privacy practices of an app, such as “No Ads” for a kids app; and
  • Trade associations could develop more standardized privacy policies that will enable consumers to compare data practices across apps.

In conjunction with these recommendations, the Staff Report recognizes that the successful use of privacy icons, badges, and standardized policies will require coordination among app platforms, app developers, and ad networks. The report thus urges stakeholders to work together, as they are attempting through the NTIA stakeholder workshops, to develop complementary and consistent approaches to privacy disclosures.

CALIFORNIA AG RECOMMENDATIONS FOR MOBILE PRIVACY

California Attorney General Kamala D. Harris beat the FTC to press with her office’s report, “Privacy on the Go: Recommendations for the Mobile Ecosystem,” issued Jan. 10, 2013. Although the AG’s recommendations share some of the FTC Staff Report’s recommendations for improved disclosures of mobile privacy practices, the AG’s report includes numerous detailed recommendations reflecting its view of “best practices” for mobile app platforms, developers, and ad networks to comply with both federal and California privacy laws. The AG recommendations are premised on Fair Information Privacy Principles as interpreted by the AG, and reflect the AG’s preferred approach of minimizing surprises to users from practices that they may not have expected from an app.

AG Recommendations for Improved Mobile Privacy Disclosures
Like the FTC Staff Report, the AG’s report includes recommendations for various improvements in mobile privacy transparency. It recommends:

  • App platforms should disclose the privacy policies for apps prior to download, and provide other consumer education at the platform level;
  • Apps must have clear, conspicuous privacy policies;
  • “Just-in-time” or other contextual notice before collection or use of sensitive information;
  • Use of a dashboard for consumers to see and control an app’s access to data; and
  • Delivery of better information from ad networks to app developers, including the impact of code provided to apps.
  • As detailed below, however, the AG’s recommendations are not limited to recommendations for consumer disclosures.

AG Recommendations for Mobile App Developers
Privacy by Design. The AG recommends a detailed “decision path” for mobile app developers to use during development that includes:

  • Careful consideration of data the app may collect, use or disclose;
  • Use of a checklist or matrix of data collected, and for each type of data an assessment of numerous questions, including the necessity of collection, uses of the data, length of storage, sharing potential, use by third parties, and whether children will use the app; and
  • Decisions on privacy practices with respect to each type of data.

Privacy Disclosures. Once the app is developed, the AG recommends creation of a privacy disclosure that accurately reflects those practices. The AG also recommends developers use “enhanced measures,” such as just-in-time disclosures, to alert consumers to “unexpected practices” or uses of sensitive information. Disclosure to third parties of personally identifiable information (PII) for uses such as advertising is an “unexpected practice” that should trigger enhanced measures for disclosure.

Data Minimization. The AG recommends that mobile apps avoid the collection of PII altogether, or otherwise minimize the collection of data for uses that are not related to the app’s basic functionality. The AG report appears to place advertising functions outside of an app’s “basic functionality,” without reconciling the fact, acknowledged elsewhere in the report, that “a common business model” for apps depends on advertising revenue.

Collected data should be kept only as long as necessary to support the intended function or to satisfy legal requirements.

Another recommendation that undermines advertising functions is the report’s recommendation that apps use an app-specific or other non-persistent identifier, rather than a persistent unique identifier. It also recommends that the default setting for all apps be “privacy protective,” implicitly favoring opt-in practices for collections of data that could be deemed “personal,” including device identifiers.

User Access to Data. The AG recommends that apps include mechanisms for users to access any PII collected and retained.

Security. The report recommends limiting access to personally identifiable to those on a need-to-know basis, along with data encryption, compliance with the PCI DSS for entities that collect payment card data.

Privacy Officer. The AG recommends that all developers—with no apparent exception for smaller developers—appoint a privacy officer or other person designated to be responsible for the entity’s general privacy policy and notices. The person should update policies and notices when business practices change, and serve as a point person for privacy compliance and communication. The privacy officer should also “stay informed of new privacy laws and regulations.”

AG Recommendations for App Platform Providers
The AG report repeats key elements of the AG’s agreement last year with the app platform providers. These include recommendations to allow consumers to review app privacy policies before downloading the app, to educate app developers and consumers on privacy rights, obligations, and to give app users a way to report apps that do not “comply with applicable laws,” or to simply ask questions about privacy policies and terms of service.

AG Recommendations for Advertising Networks
The AG report recognizes that ad networks support a common business model for mobile apps by delivering targeted ads and compensation. It thus adopts certain voluntary industry standards (like those contained in Lookout Mobile Security’s Mobile App Advertising Guidelines) as the AG’s own, presumably laying the groundwork for future enforcement.

Specifically, the report recommends that ad networks provide app developers with clear information about their privacy practices, and that the ad networks themselves develop privacy policies following the same recommendations the AG issued for app developers. Ad networks should provide developers with a link to their privacy policies to make the link available for users to review before downloading or activating the app.

Ad networks are advised to avoid the oft-criticized practice of delivering ads outside the context of the app, and at minimum provide clear attribution for the source application responsible for the ad. Ad networks should use “enhanced measures” to provide notice, and obtain prior consent, before accessing users’ personal information at any time.

The AG recommends that ad networks move away from the use of unchangeable device-specific identifiers and begin using app-specific or temporary device identifiers. Apple already disallows apps to use the Apple UDID, and alternative methods of tracking a user are evolving, such as device fingerprinting.

AG Recommendations for OS Developers and Mobile Carriers
Finally, the AG report mentions the role that operating system developers (like Apple, Android and RIM) and mobile carriers should play to promote mobile privacy. These entities are encouraged to leverage their roles in the mobile ecosystem to promote standards for privacy controls, transparency, choice and education of other entities and consumers in the mobile ecosystem.


Davis Wright Tremaine attorneys counsel clients on various privacy matters in the communications and mobile space. Should you have any questions about this matter, please contact us

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising

Written by:

Davis Wright Tremaine LLP
Contact
more
less

Davis Wright Tremaine LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.