Mobile Apps: Lax Privacy Practices Are a Legal Hazard
Consumer Advertising Law Blog
In a new report issued on February 1, 2013, "Mobile Privacy Disclosures: Building Trust Through Transparency," the staff of the Federal Trade Commission (FTC) has made clear that the Commission will not tolerate inadequate disclosures of how mobile applications collect, share and use personal information. Indeed, on the same day the new report was released, the Commission announced that it had obtained a settlement agreement with a social networking app developer, Path Inc., regarding the FTC's charges that Path collected personal information from children under 13 and imported personal data from users' address books without their consent or knowledge. The concurrence of that settlement and the issuance of the new report should send a strong message to those who are involved in facilitating consumers' use of mobile apps that they face considerable enforcement exposure for any failures to provide clear and conspicuous disclosures of the apps' data collection and protection practices.
The report builds on the FTC's previous work on privacy issues, including the FTC's March 2012 privacy report; the FTC's February 2012 report and December 2012 follow-up report regarding mobile apps for children; and the FTC's May 2012 workshop regarding mobile privacy. It also takes into account and favorably endorses the California Attorney General's January 2013 recommendations regarding "Privacy on the Go" for app developers, platform providers, ad networks, mobile carriers, and operating system developers. (For previous posts regarding privacy issues in this blog, see here).
The new report provides guidance to various participants in the mobile device ecosystem, including platform providers (e.g., Apple, Google, Amazon, Blackberry, and Microsoft), app developers, trade associations representing the developers, and third parties such as ad networks and analytics companies.
For platform providers, the FTC staff recommends the following actions:
- developing a "do-not-track" mechanism for mobile devices, similar in function to do-not-track controls already implemented in the leading internet browsers;
- providing "just-in-time" disclosures when apps attempt to collect sensitive data, to allow consumers to decide whether to allow the collection;
- developing a "privacy dashboard," such as that already used by some platforms, to assist consumers in determining and reviewing which apps have access to which data;
- using icons, as some platforms already do, to signal to consumers when apps are accessing geolocation information;
- increasing platform supervision and regulation of app providers, including through contractual provisions requiring privacy measures;
- increasing transparency of the app review process, to allow consumers to better understand the extent to which platforms review apps prior to making them available in app stores, as well as any later compliance checks or reviews undertaken by platforms.
For app developers, the new report recommends:
- developing a privacy policy, and making it easily available to consumers through the platform's app store;
- providing just-in-time disclosures and obtaining affirmative express consent when collecting sensitive information, to the extent the platform does not already do so;
- improving coordination with ad networks and other third parties, to ensure that the app developers understand what information the third party is collecting and how that information is being used, so that the app developer can provide truthful disclosures to consumers.
With respect to developers' trade associations, the report suggests they could help design standardized icons and "badges" or other similar short, standardized disclosures to depict app privacy practices. Finally, for advertising networks and other third parties, the report urges efforts to improve coordination and communication with app developers regarding privacy protection and assistance to platforms in developing and implementing an effective do-not-track system for mobile apps.
The recommendations in the FTC staff report, while not legally binding, merit very close attention by all four groups of players mentioned in the report. The report itself emphasizes the FTC's past enforcement activities in the data privacy and security arena, and the FTC's suit against Path is confirmation that those activities will be aggressive in the area of mobile apps. Platforms and developers, in particular, that fail to attend to the report's recommendations will invite unnecessary liability exposure, which can be avoided by taking the report seriously and being proactive in all areas reasonably applicable to their role in the mobile app ecosystem.
UPDATE (2/12/2013): If you want a more in-depth article on this topic, click here.
© Arnold & Porter Kaye Scholer LLP 2013 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.