Today the FTC issued a report this report offering several suggestions for the major participants in the mobile ecosystem on ways to improve mobile privacy disclosures. See full report at http://www.ftc.gov/os/2013/02/130201mobileprivacyreport.pdf. The report issues specific recommendations to platforms and operating system providers, app developers, advertising networks and third-party analytics companies, and app developer trade associations, among others.

Recommendations for Platforms

The FTC recognized that some platforms have already implemented some of the recommendations below, but said that those that have not should:

  • Provide just-in-time disclosures to consumers and obtain their affirmative express consent before allowing apps to access sensitive content like geolocation;
  • Consider providing just-in-time disclosures and obtaining affirmative express consent for other content that consumers would find sensitive in many contexts, such as contacts, photos, calendar entries, or the recording of audio or video content;
  • Consider developing a one-stop “dashboard” approach to allow consumers to review the types of content accessed by the apps they have downloaded;
  • Consider developing icons to depict the transmission of user data;
  • Promote app developer best practices. For example, platforms can require developers to make privacy disclosures, reasonably enforce these requirements, and educate app developers;
  • Consider providing consumers with clear disclosures about the extent to which platforms review apps prior to making them available for download in the app stores and conduct compliance checks after the apps have been placed in the app stores;
  • Consider offering a Do Not Track (DNT) mechanism for smartphone users.

Recommendations for App Developers

The FTC indicated that App Developers should:

  • Have a privacy policy and make sure it is easily accessible through the app stores;
  • Provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information (to the extent the platforms have not already provided such disclosures and obtained such consent);
  • Improve coordination and communication with ad networks and other third parties, such as analytics companies, that provide services for apps so the app developers can provide accurate disclosures to consumers. For example, app developers often integrate third-party code to facilitate advertising or analytics within an app with little understanding of what information the third party is collecting and how it is being used. App developers need to better understand the software they are using through improved coordination and communication with ad networks and other third parties;
  • Consider participating in self-regulatory programs, trade associations, and industry organizations, which can provide guidance on how to make uniform, short-form privacy disclosures.

Advertising networks and other third-parties

The FTC indicated that ad networks, analytics companies and other third-parties should:

  • Communicate with app developers so that the developers can provide truthful disclosures to consumers;
  • Work with platforms to ensure effective implementation of DNT for mobile.

App Developer trade associations

The FTC indicated that App Developer trade associations and other academics, usability experts and privacy researcher should:

  • Develop short form disclosures for app developers;
  • Promote standardized app developer privacy policies that will enable consumers to compare data practices across apps;
  • Educate app developers on privacy issues.

This report was issued on the heels of an announcement that Path has settled a case filed by the FTC alleging that Path had improperly collected personal information from users' address books. See complaint and settlement here http://www.ftc.gov/opa/2013/02/path.shtm. In its complaint, the FTC alleged that the user interface in Path's iOS app was misleading and provided consumers no meaningful choice regarding the collection of their personal information. In version 2.0 of its app for iOS, Path offered an “Add Friends” feature to help users add new connections to their networks. The feature provided users with three options: “Find friends from your contacts;” “Find friends from Facebook;” or “Invite friends to join Path by email or SMS.” However, Path automatically collected and stored personal information from the user’s mobile device address book even if the user had not selected the “Find friends from your contacts” option. For each contact in the user’s mobile device address book, Path automatically collected and stored any available first and last names, addresses, phone numbers, email addresses, Facebook and Twitter usernames, and dates of birth.

The FTC also alleged that Path’s privacy policy deceived consumers by claiming that it automatically collected only certain user information such as IP address, operating system, browser type, address of referring site, and site activity information. In fact, version 2.0 of the Path app for iOS automatically collected and stored personal information from the user’s mobile device address book when the user first launched version 2.0 of the app and each time the user signed back into the account.

Note: It is important to note that the FTC engages technical researchers to test privacy policy disclosures. Companies need to be aware of this and make sure that they test their apps before and after launch and periodically throughout the lifecycle of the app, as apps are frequently updated.

Finally, the FTC charged that Path violated COPPA, which is important because this is how the penalty of $800,000 was justified.

The FTC charged that Path violated the COPPA Rule by:

  • not spelling out its collection, use and disclosure policy for children’s personal information;
  • not providing parents with direct notice of its collection, use and disclosure policy for children’s personal information; and
  • not obtaining verifiable parental consent before collecting children’s personal information.