To say that mobile device usage has reached a tipping point would be an understatement. There are now more mobile devices than people in the world, a staggering 7.9 billion mobile devices for 7.4 billion people on Earth. In the U.S., more time is spent on mobile media than on desktop and other media, 2.8 hours per day per person. Mobile devices are dominating consumers’ media consumption: 80 percent of Internet users own a smartphone, and other “smart” devices are quickly gaining ground. The proliferation of mobile devices and apps has touched nearly every aspect of our lives and is playing an increasingly integral role in such wide-ranging areas as retail, health, finance, and home security.

As consumers embrace mobile technology, companies have more access than ever to a wide range of sensitive personal information. Not surprisingly, consumer concerns about the privacy and security of their data are at an all-time high: a recent survey shows that 89 percent of consumers reportedly have avoided companies that do not protect their privacy, and 45 percent are now more worried about online privacy than they were a year ago. This post updates our 2014 Mobile Privacy and Security Trends and What to Look for in 2015 article and examines recent developments in mobile marketing, mobile payments, and the Internet of Things (IoT), as well as the ever-evolving mobile legal and regulatory landscape.

Mobile Trends

A. Mobile Marketing

With consumers spending ever more time on mobile devices, marketers are finding them where they are. Advertisers spent an estimated $68.69 billion on mobile advertising in 2015, with spending expected to top more than $195 billion by 2019. With 90 percent of mobile consumers using location-based services to get directions and local recommendations, location-based advertising has skyrocketed and is expected to reach $15 billion by 2018. While these certainly are high figures, when compared with the total amount spent on Internet advertising, mobile still has plenty of room to grow. Figures for 2014 show that of the $50 billion spent on Internet advertising that year, mobile accounted for about only 25 percent.

Additionally, social media marketing, estimated at $24 billion in 2015, continues to be a lucrative investment for advertisers. Given that nearly 70 percent of mobile users in the 18-29 age group access social media sites on their mobile devices, marketers are adapting advertisements for mobile consumption. Native advertising and paid endorsements have become popular trends in social media and mobile marketing, with 90 percent of advertisers reportedly using native ads and 70 percent of Internet users reportedly wanting to learn about products through content instead of traditional ads.

Companies and advertisers also are increasingly developing mobile apps to reach consumers. According to Red Hat’s Mobile Maturity Survey 2015, 52 percent of companies now have a fully implemented mobile strategy, with 90 percent of surveyed companies reporting that investment in mobile apps would increase in 2016. Not only are web-based companies leading the charge, but in-store retailers also are increasingly leveraging mobile capabilities. More and more retailers are using in-store web beacons and other similar technologies to track consumers’ in-store location data, analyze consumers’ purchasing activity, and push relevant, real-time, in-store promotions to consumers.

B. Mobile Payments

Mobile payment systems are also on the rise. The value of purchases made on mobile devices is projected to grow from $52 billion in 2014 to $142 billion by 2019. While mobile commerce currently represents 22 percent of all U.S. digital commerce revenue, it is expected to jump to 50 percent by 2017. The Apple Pay mobile payment and digital wallet system illustrates the growing popularity of mobile payments, with more than a million credit cards registered for use with the service in the first three days of availability. Starbucks also has seen great success with its member loyalty program, which has driven mobile payments and resulted in Starbucks earning 90 percent of the $1.6 billion spent in U.S. stores via smartphones in 2013.

C. Internet of Things

Along with the rise of mobile devices, the IoT industry has grown exponentially. The term IoT refers to “things” such as devices or sensors – other than computers, smartphones, or tablets – that connect, communicate, or transmit information with or between each other through the Internet. It is hard to imagine any industry that has not been affected by this new form of technology, from wearable technology and health trackers, to smart thermostats, networked baby monitors, and connected cars. There will be an estimated 24 billion connected IoT devices by 2020, and nearly $6 trillion will be spent on IoT solutions over the next five years.

Data Privacy and Security Risks and Legal and Regulatory Trends

While mobile and IoT devices offer immense real-time convenience and functionality, they raise commensurate privacy and security concerns about the collection and use of sensitive personal data. As consumers and the companies that market to them move to mobile, the regulators are following. In the past year, regulators increasingly have turned a watchful eye toward all things mobile.

A. Federal Trade Commission

The FTC has continued to focus on the mobile industry, in both its enforcement actions and educational workshops and reports. We summarize below the FTC’s recent actions relating to the mobile industry.

Internet of Things

In January 2015, the FTC released a report titled The Internet of Things: Privacy and Security in a Connected World (the “IoT Report”) following a 2013 FTC workshop by the same name. Echoing the FTC’s core fair information practice principles (FIPPs), the IoT Report recommends a number of concrete steps companies can take to enhance and protect consumers’ privacy and personal information collected by the multitude of Internet-connected devices, including:

  1. Build security into devices at the outset rather than as an afterthought in the design process.
  2. Train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization.
  3. Ensure that outside services are capable of maintaining reasonable security, and provide reasonable oversight of the providers.
  4. When a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk.
  5. Consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network.
  6. Monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.
  7. Limit the collection of consumer data, and retain that information only for a set period of time, not indefinitely.
  8. Notify consumers about their choices about how their information will be used, particularly when the data collection is beyond consumers’ reasonable expectations.

The FTC also released a companion business guide to the IoT Report, titled Careful Connections: Building Security in the Internet of Things. This guide summarizes, in plain English, the best practices set forth in the IoT Report and encourages businesses to take reasonable steps to protect consumers.

Most recently, on March 31, 2016, FTC Chairwoman Edith Ramirez made remarks at an American Bar Association IoT Conference in Washington, D.C. suggesting that companies need to take steps to deal with the “significantly magnified” risks posed by the rapidly evolving IoT industry. Commissioner Ramirez stated, “In light of various studies showing consumers are deeply concerned about IOT’s data collection, disclosure of sensitive information and their lack of control and awareness of who has access to the data that’s collected, it’s particularly important for IOT manufacturers to design devices that take into consideration unexpected uses of their IOT data, and the potential for misuse.” Commissioner Ramirez emphasized the importance of developing IoT products with a “privacy by design” approach, and addressing issues as they arise throughout the product’s life cycle. Commissioner Ramirez also stated that the FTC would hold a series of workshops this fall 2016 to look at the variety of consumer protection issues posed by drones, “smart” televisions, and ransomware.

Location-Based Tracking and Cross-Device Tracking

In April 2015, the agency reached a settlement with retail tracking firm Nomi Technologies, Inc. Nomi places sensors in retail stores to track customers’ purchasing behavior by recording their mobile device’s MAC addresses. Nomi’s privacy policy promised that it would provide an opt-out mechanism at stores using its services, which, according to the FTC, implied that consumers would be informed when stores were using Nomi’s tracking technology. In reality, the FTC alleged, Nomi failed to notify consumers when their mobile devices were being tracked and failed to provide the ability to opt out of the tracking. Under the terms of the settlement, Nomi is prohibited from misrepresenting consumers’ options for controlling whether information is collected, used, disclosed, or shared about them or their devices, as well as the extent to which consumers will be notified about information practices.

In November 2015, the FTC hosted a workshop focused on cross-device tracking of consumer behavior. The workshop focused on new methods the mobile industry has adopted to track consumer behavior, including “deterministic” tracking, which requires a consumer to sign into a platform to access its service. This allows the company to then link the consumer’s various devices to a single account. Another method is “probabilistic” tracking, which involves the collection of information such as device type, operating system, fonts, and IP address to create a “digital fingerprint” of the user to link him or her to different devices. The FTC’s workshop focused mainly on this probabilistic type of tracking, which is generally invisible to consumers and therefore poses privacy concerns. The FTC identified the following takeaways, which may shed light on the FTC’s potentially emerging position on cross-device tracking: (1) companies need to work toward providing greater transparency, choices, and education for consumers; (2) companies should engage consumers in a way that will not cause consumers to lose trust in the marketplace; (3) data minimization policies and technologies will become more important as the amount of data collected about consumers increases; and (4) companies should be mindful of, and comply with, the privacy representations they make to consumers, both about their own actions and the actions of affiliated third parties. For more information, see this previous post on our blog.

Native Advertising and Paid Endorsements

Another area the FTC has recently focused on is native advertising and paid endorsements in the mobile environment. Native advertising is advertising that bears a similarity to the news, feature articles, product reviews, entertainment, and other material that surrounds it online. A related advertising trend is paid endorsements on social media, where advertisers will pay celebrities or “influencers” with a strong social media following to post pictures or videos of them with the advertiser’s product. Last December, the FTC issued its long-awaited Enforcement Policy Statement on Deceptively Formatted Advertisements (the “Policy Statement”) and its companion Native Advertising: A Guide for Businesses (the “Business Guide”). As discussed more fully in our previous post, the Policy Statement and Business Guide apply the FTC’s long-standing consumer protection standards to the native context. The key takeaways from the Policy Statement are: (1) native ads should clearly be identified as consumer advertising; (2) promotional content is deceptive if it misleads consumers into believing it is independent or impartial; (3) qualifying information, such as the advertiser’s connection to the content, must be clear, conspicuous, and prominent; and (4) the FTC will decide whether an ad is deceptive based on the net impression the ad conveys to the reasonable consumer in the context of the platform and any qualifying information in the ad.

Additionally, in June 2015, the FTC updated its frequently asked questions (FAQs) guidance to the FTC’s 2009 Endorsement Guidelines (the “Guidelines”). The Guidelines FAQs provide helpful commentary on how to apply the agency’s endorsement guideline standards to evolving forms of digital marketing and promotion. As we discussed in more detail in our previous post, the Guidelines FAQs provide greater clarity on when social media influencers and bloggers must make disclosures about their connection to the brand they are promoting.

The FTC has been actively enforcing its native advertising and endorsement guidelines in the past year. For instance, in September 2015, the FTC announced that it had settled charges against Machinima, Inc., that the online entertainment network had engaged in deceptive advertising by paying influencers to post YouTube videos endorsing Microsoft’s Xbox One system and several games. The FTC alleged that the influencers paid by Machinima failed to adequately disclose that they were being paid for their seemingly objective opinions. As part of the final order, just recently approved by the FTC this March, the company is prohibited from misrepresenting in any influencer campaign that the endorser is an independent user of the product or service being promoted. Notably, Machinima must also ensure that all its influencers are aware of their responsibility to make required disclosures, by monitoring them and prohibiting payment to influencers who do not make such disclosures.

Most recently, on March 15, 2016, the FTC settled charges that Lord & Taylor deceived consumers by paying for native advertisements, including a seemingly objective article and Instagram post, without disclosing that the posts actually were paid promotions. The FTC also charged the company with paying 50 online fashion influencers to post Instagram pictures of themselves wearing the same dress design while failing to disclose they had paid each influencer thousands of dollars and given each influencer a dress in exchange for her endorsement. The agreement (1) prohibits Lord & Taylor from misrepresenting that paid commercial advertising is from an independent or objective source and misrepresenting that any endorser is an independent or ordinary consumer, (2) requires the company to disclose any payment or benefit given to an influencer or endorser, and (3) establishes a monitoring and review program for the company’s endorsement campaigns.

Unauthorized Installation of Mobile Software

In June 2015, the FTC reached a settlement with Prized Mobile, a mobile app that grants users points for playing games or downloading affiliated apps, which can be spent on rewards such as clothes and gift cards. The app promised consumers that it would be free of malware and viruses. The FTC alleged that the app’s actual purpose was to infect the consumers’ mobile phones with malicious software to mine virtual currencies. As part of the settlement, the Prized Mobile app developer is banned from creating and distributing malicious software and must destroy all information about consumers collected through the marketing and distribution of the app.

More recently, in February 2016, the FTC reached a settlement with technology company Vulcun on charges that it unfairly replaced a popular web browser game with a program that installed applications on consumers’ mobile devices without their permission. The FTC alleged that Vulcun’s Google Chrome browser extension game, Running Fred, installed apps directly on the Android devices of consumers while bypassing the permissions process required by the Android operating system. The FTC’s complaint charged that Vulcun’s actions unfairly put consumers’ privacy at risk. According to the FTC, “by bypassing the permissions process in the Android operating system, the apps placed on consumers’ mobile devices also could have easily accessed users’ address books, photos, location, and device identifiers.” Under the terms of the settlement, Vulcun is required to tell consumers about the types of information a product or service will access and how it will be used, display any built-in permissions notice associated with installing a product or service, and get users’ express affirmative consent before the installation or material change of a product or service

Children’s Privacy and the COPPA Rule

In December 2015, the FTC reached two settlements with app developers on allegations that they violated the Children’s Online Privacy Protection Rule (COPPA Rule). As we have blogged about previously, the FTC brought actions against app developers LAI Systems (also known as TapBlaze) and Retro Dreamer. In both actions, the FTC alleged that the app developers violated COPPA by allowing third-party advertisers to collect personal information from children under 13 through the use of persistent identifiers without first obtaining parental consent. The third-party advertisers then served targeted advertisements to those children. Under the terms of the settlement agreements, Retro Dreamer agreed to pay a $300,000 civil penalty, and TapBlaze agreed to pay a $60,000 civil penalty and post a link on its website that provides notice of its data policies. Both app developers are prohibited from engaging in practices that would further violate the COPPA Rule.

In addition to its COPPA enforcement actions, the FTC continued to examine data privacy and security issues relating to children. In 2015, the FTC conducted its third kids’ app survey. The survey examined what information kids’ app developers are collecting from users, whom they are sharing it with, and what disclosures they are providing to parents about their practices. The resulting report found that privacy policies on children’s apps have become easier to locate, but it encouraged companies to make disclosures that accurately reflect what children’s information the app collects.

Most recently, in January 2016, the FTC’s Bureau of Consumer Protection posted a blog article warning parents about weak data security protections in Internet-connected baby monitors. Following its review of five baby monitors, the FTC found that each lacked sufficiently strong password requirements and that nearly half of the monitors did not encrypt the feed between the monitor and the home router. According to the FTC, these security vulnerabilities pose the risk of strangers hacking into the live baby monitor feed. The FTC’s focus on this industry suggests further enforcement actions in the future.

B. Federal Legislation

In January 2015, Sen. Ron Wyden (D-OR) and Rep. Jason Chaffetz (R-UT) reintroduced the GPS Act, which would create a process for government agencies to get a probable cause warrant to obtain geolocation information, as well as prohibit businesses from disclosing geographical tracking data about a customer to others without the customer’s permission.

In February 2015, House Representatives Zoe Lofgren (D-CA), Ted Poe (R-TX), and Suzan Delbene (D-WA) reintroduced the Online Communications and Geolocation Protection Act. The act would require the government to obtain a warrant to access the contents of any wire or electronic communication that is stored, held, or maintained by an electronic communication service or remote computing service, as well as prohibit government entities from intentionally intercepting an individual’s geolocation information that was obtained in violation of the act’s prohibitions.

In November 2015, Senator Al Franken (D-MN) reintroduced the Location Privacy Protection Act of 2015, which would prohibit companies from collecting or disclosing geolocation information from an electronic communications device without the user’s consent. It provides exceptions for parents tracking their children, emergency services, law enforcement, and other cases. The bill would also prohibit development and distribution of “stalking apps,” establish an Anti-Stalking Fund at the Department of Justice, and take other steps to prevent geolocation-enabled violence against women.

C. State Regulator Actions and Legislation

In January 2016, the New York Attorney General’s office announced that it had reached a settlement with the ride-hailing app Uber Technologies Inc. over its alleged tracking of riders and exposure of drivers’ personal data. This follows intense scrutiny of the company started in 2014, after reports about its “God View” – which allowed Uber employees real-time access to customers’ location information – surfaced. Under the terms of the settlement, Uber is required to encrypt riders’ GPS information and adopt authentication measures before any employee can access riders’ sensitive personal information. The New York Attorney General also fined Uber $20,000 for failure to provide timely notice to drivers and his office in the aftermath of a September 2014 data breach.

In California in 2015, the state legislature introduced a bill, AB886, which would have forced Uber, Lyft, and other ride-sharing apps to guard customers’ personal information. The bill would have prohibited smartphone-ordered ride services from disclosing any passenger data except to combat fraud or other crimes. It also would have required the ride-sharing services to destroy all personal information when customers canceled their accounts. The bill died in committee in January 2016.

D. Mobile Industry Self-Regulation

In addition to federal and state laws and regulations, industry self-regulatory groups have developed their own regulations. The Interactive Advertising Bureau (IAB) has recently developed a Mobile Location Data Guide for Publishers, which advises companies to strike a balance between collecting accurate location data and delivering an optimal user experience (i.e., preserving battery life, reducing network activity).

Beginning September 1, 2015, the Digital Advertising Alliance (DAA) began enforcing its Application of Self-Regulatory Principles to the Mobile Environment (Mobile Guidance). The Mobile Guidance urges mobile app advertisers and publishers to be transparent in collection of multisite data, cross-app data, precise location data, and personal directory data. It also sets guidelines for app advertisers and publishers to give consumers control over how and when such data is collected. Entities that are not compliant with the Mobile Guidance risk being subject to DAA accountability mechanisms. For more information, see this previous post on our blog.

In 2015, the DAA also released two mobile tools for consumers, the AppChoices mobile app and the DAA Consumer Choice Page for Mobile Web. AppChoices is a free mobile app that allows consumers to opt out of the collection and use of cross-app data, other than for permitted uses, by listing third-party AppChoices participants that consumers may select. The DAA Consumer Choice Page for Mobile Web is a mobile-web-optimized tool that consumers can use to opt out of the collection of cookie-based data for interest-based advertising by selected participating third parties. For more information, see this previous client alert.

Looking Forward: Mobile Privacy and Security in 2016

2016 is shaping up to see a continuation and acceleration of the mobile trends of the past few years. More specifically, for the balance of 2016, we expect to see the following.

  1. Regulators will continue to follow companies and advertisers to mobile. Along with a steady rise in mobile marketing, we expect to see increased regulatory scrutiny of advertisers that engage in native advertising and paid endorsements, especially on mobile screens. As evidenced by the FTC’s recent settlement with Lord & Taylor, advertisers that do not clearly disclose the nature of these ads are at risk of facing an FTC enforcement action.
  2. Advertisers and retailers will increase their use of location-based ads. With the number of mobile devices and the types of personal information users are comfortable sharing through their devices continuing to grow, advertisers will be able to craft more personalized and sophisticated real-time ads targeted at individuals’ unique characteristics and preferences. Location-based tracking, including the use of web beacons, will continue to play a large role as advertisers and retailers continue to reach consumers where they are, in many cases even in their own stores. As the collection and use of location-based data grow, we also expect to see traction in the legislatures and from the regulators regarding the collection and use of location-based consumer data.
  3. Privacy by Design in IoT will become increasingly important. As consumer-facing companies continue to expand and experiment with IoT functionality and capabilities across all industry verticals, data privacy and security will continue to be ongoing concerns for consumers and regulators alike. As Commissioner Ramirez made clear in her recent remarks, the FTC especially will be looking to the IoT industry to address potential consumer data privacy and security concerns and implement security measures from the start, during the product development and design phase. Industries in consumer-facing verticals such as home security, child care, and transportation will be smart to get ahead of the curve and leverage data security and privacy as differentiators in the market rather than potential Achilles’ heels.