The iPhone, Android devices and, more recently, the iPad and similar devices have spawned a new industry producing applications for mobile devices. Mobile apps help users find their way, conduct banking, make hotel and restaurant reservations and participate in social networks while on the go.
Apps that accomplish such tasks, and even many that do not, require users to provide personal information, including name, contact information, passwords and sometimes financial account information. Many mobile apps also collect and record the user's location. In a number of instances, developers have designed their apps to collect more data than may be needed, strictly speaking, to run the app, thinking that the additional data might prove useful someday.
Apps that are operated by businesses that also run websites may be collecting data about a given individual from two sources (the Web and the mobile device). The business may or may not combine these data in its internal records.
What happens to this data? The privacy practices of mobile apps have received relatively little attention, but recent analyses suggest that few apps are addressing privacy issues. A recent survey of 100 apps available from the iTunes App Store and the Android Market concluded that 39 left sensitive information readily recoverable from smart phones. In other words, those apps retained sensitive data in plain text on the device. Some apps stored email attachments on the device. According to the survey, better privacy practices included either encrypting the user name and/or password or not storing that data at all.
FTC Begins Enforcement
Mobile apps are not immune from federal law. Federal Trade Commission (FTC) Commissioner Julie Brill told a meeting of the American Bar Association (ABA) in early August that "The screen is small, but Section 5 applies." Section 5 of the FTC Act prohibits unfair and deceptive trade practices and serves as the legal basis for most of the FTC's privacy enforcement actions. The FTC has recently begun to focus increased attention on mobile apps, and although to date, the FTC has not brought a Section 5 enforcement action against a mobile app for an unfair or deceptive practice, it seems only a matter of time.
Indeed, the FTC very recently brought a case against a mobile app developer, but under the Children's Online Privacy Protection Act (COPPA) and not Section 5. On August 15, 2011, the FTC announced that W3 Innovations, LLC, a developer of mobile applications for the iPhone and iPod Touch, will pay $50,000 as part of a consent decree to settle charges that it illegally collected information from children without first obtaining parental consent. This is the first time that the FTC has charged a mobile application developer with violating COPPA.
The FTC alleged that W3 Innovations used its "Emily" character-themed applications to collect thousands of e-mail addresses from underage children who it had encouraged to e-mail "Emily." It also allowed users to post personal information on public message boards. The FTC charged that because the applications send and receive information over the Internet, they are subject to COPPA. In settling the case, the defendants agreed to a number of reporting and recordkeeping requirements.
What Should Mobile App Developers Do?
Many mobile app developers are simply unaware that laws may apply to the consumer data that they collect. App developers should devote some effort to becoming aware of the laws and the legal risks that they run regarding privacy.
What About Location?
The collection and use of location data from mobile devices remains extraordinarily sensitive and controversial. Remember the stir-and the lawsuits-earlier this year caused by the discovery that the iPhone and Android devices were maintaining lists of Wi-Fi hotspots near users' locations? The stir has subsided, but the litigation continues. And a great deal of uncertainty exists regarding how often and when apps use location data, or disclose it to third parties.
Legislation introduced in the Senate this summer would require businesses to obtain a user's consent before collecting a user's location or sharing a user's location-based data. Although that bill may not become law, there are other ways that a consent requirement could be imposed on the collection and use of location-based data. Many apps, of course, already include a consent feature, but many others do not. Businesses contemplating the use of location-based data should consider how best to balance a user's privacy interest with their business needs, and how best to obtain a user's consent.