A mobile app that collects users’ location data while the mobile app is not in use should clearly disclose such practices and provide users with choices. Failure to do so could give rise to an FTC claim of deceptive practices.

In mid-February, the Federal Trade Commission (FTC) published advice regarding mobile apps’ collection of users’ location data when the mobile apps are not in use. The FTC recommends that such mobile apps clearly disclose such data collection practices and offer choices to users regarding such collection, especially if such data collection would not be intuitive to a user. For example, consumers may assume that a mobile app that provides driving directions will collect their location data, but consumers may not assume that such mobile app also collects their location data when the mobile app is not in use.

The FTC’s guidance acknowledges that mobile app platforms and mobile operating systems, such as Apple’s iOS and Google’s Android, may or may not have built-in, system-level disclosures that provide information to users about a mobile app’s collection of location data. Regardless of such system-level disclosures, the FTC urges mobile apps that collect users’ location data when the mobile apps are not in use to disclose such data collection in a transparent way. Below are the tips provided by the FTC on ways for mobile apps to explain such data collection practices to users:

  • For a mobile app that is available through the iOS8 system, the system prevents the mobile app from accessing a user’s location data when the mobile app is not in use, unless the user affirmatively allows such collection in response to a system-level prompt. The dialog box for this system-level prompt includes space for the mobile app to provide details on its collection of location data. The FTC recommends that the mobile app use this space to clearly explain why the mobile app wants to access the user’s location data, how the mobile app will use this data, and whether the mobile app shares this data with third parties.
  • For a mobile app that is available through an operating system that does not provide users with system-level disclosures and choices about the collection of their location data, the FTC recommends that the mobile app explain its data collection practices and offer users choices within the mobile app regarding the collection of their data. For example, the FTC recommends that before the mobile app begins collecting a user’s location data when the mobile app is not in use, the mobile app may give users an in-app notification that explains why it wants to access location data and give the user an opportunity to opt in to such data collection.
  • Regardless of what platform consumers use to obtain a mobile app, the FTC recommends that the mobile app’s privacy disclosures and other information pages clearly describe the mobile app’s data collection practices in plain language, so that users will understand whether the mobile app collects their location data when the mobile app is not in use and for what purposes.

This recent guidance expands on the FTC’s recommendations included in its “Mobile Privacy Disclosures” report published in February 2013. In that report, the FTC recommended, among other things, that mobile app developers provide just-in-time disclosures and obtain users’ affirmative express consent before collecting and sharing sensitive information, such as location data (to the extent the platforms have not already provided such disclosures and obtained such consent). In the 2013 report, the FTC clarified that, to the extent its guidance goes beyond existing legal requirements, it was not intended to serve as a template for law enforcement actions or regulations under laws currently enforced by the FTC.

However, in late 2013, the FTC pursued enforcement action against at least one mobile app developer that did not clearly and accurately disclose its collection and use of location data to users. In December 2013, the FTC filed a complaint against Goldenshores Technologies, LLC, a company that provided a popular “Brightest Flashlight Free” mobile app, and its owner. The FTC’s complaint alleged, among other things, that the company’s acts and practices constituted unfair or deceptive acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act because it provided a privacy policy that did not reflect the mobile app’s use of personal data, including location data, and presented consumers with a false choice on whether to share such data. In 2014, the FTC approved a final settlement that required the company to, among other things, provide a just-in-time disclosure that fully informs users when, how, and why their location data is being collected, used, and shared and obtain users’ affirmative express consent before doing so.

This settlement, together with the FTC’s published guidance, emphasizes the importance for mobile apps to provide clear, transparent, and accurate disclosures about their collection of location data and to provide users with choices related to such data collection. Potential penalties for failing to comply with the FTC’s laws, rules, regulations, and guidance may include significant fines, required deletion of all consumer information improperly obtained, ongoing FTC audits and inspections, and other compliance obligations.

Click here to view a copy of the FTC’s recent guidance for mobile apps that collect users’ location data.

Click here to view a copy of the FTC’s 2013 Mobile Privacy Disclosures Report.

Click here to view a copy of the FTC’s final order settling charges against Goldenshores Technologies, LLC.