Companies that market through mobile apps, develop mobile apps, or provide platforms on which mobile apps are sold or distributed should pay special attention to an FTC enforcement action and staff report released today. Today’s settlement with social networking app developer Path, which includes an $800,000 civil penalty and a 20-year reporting requirement, should serve as a warning to those in the mobile app industry of what to expect should they fail to incorporate the recommendations in today’s staff report and associated security guidance, or fail to comply with the COPPA rule and the revisions to that rule which go into effect this coming July.
The FTC’s complaint against Path alleged general privacy violations under the FTC Act and children’s privacy violations under the Children’s Online Privacy Protection Act (COPPA). Under the FTC Act, the agency charged that the Path app’s user interface and privacy practices were misleading and deceptive. The FTC claimed that Path violated its own privacy policies by automatically collecting more information than the policy claimed the app collected. The user interface was alleged to be misleading because it offered users an option to add friends from their device’s contacts to the app, but added those contacts even when users did not choose that option. With regard to COPPA, the FTC alleged that Path knowingly collected the personal information of approximately 3,000 children without parental consent in violation of the rule. By collecting its users’ dates of birth, and then failing to screen out those who indicated they were under 13 years old, Path had actual knowledge that it was collecting personal information from children and so was subject to COPPA.
Under the settlement, Path will, among other things, pay $800,000, be subject to 20 years of reporting and recordkeeping requirements, and obtain biennial third-party assessments of its privacy practices. During a phone call, FTC Chairman Jon Leibowitz stated that the enforcement action against Path was not taken to signal the start of additional enforcement actions against a particular industry, but was rather the latest in a line of enforcement actions against companies that run afoul of the COPPA rule and FTC policies governing consumer protection and privacy. The Commission added that Path was targeted for this enforcement action because it involved both clearly deceptive practices and children’s privacy concerns.
The staff report, Mobile Privacy Disclosures: Building Trust Through Transparency, was prepared independently by the FTC but, according to statements by the agency, should be seen as synergistic with the privacy protection efforts of California Attorney General Kamala Harris and the multi-stakeholder process underway at the National Telecommunications and Information Administration (NTIA). The staff report and security guidance for mobile app developers lay out several best practices and other recommendations for those involved in the app ecosystem that touch on hot-button issues such as do-not-track for mobile, notice and consent for behavioral data, and data minimization. The recommendations include:
- App platforms should provide “just-in-time” notice and obtain affirmative express consent to collect sensitive information, such as geolocation data;
- App developers should provide “just-in-time” notice and obtain affirmative express consent before collecting and sharing data with third parties, including analytics and advertising providers;
- App developers may consider using “icons” for privacy disclosures;
- App developers should collect only the data that they need;
- Consider do-not-track mechanisms for mobile users;
- Consider a “one-stop” dashboard approach to allowing consumers to review the types of content accessed.
In sum, today’s actions by the FTC indicate that the agency is prepared to enforce its policies against any and all businesses operating in the mobile app space. The staff report highlights recommendations for everyone from advertising networks to app developers to even academic privacy researchers. The settlement with Path should encourage businesses to evaluate their mobile privacy policies and ensure, at the most basic level, that they do not say one thing but in practice do another.