On September 5, 2012, the Federal Trade Commission ("FTC") published a nonbinding guide directed at mobile application ("mobile app") developers, to inform developers how best to comply with truth-in-advertising and basic privacy principles.[1] This is the first guide published by the FTC specifically directed towards mobile app developers. The guide makes clear that regardless of a mobile app developer's size or profitability, the FTC will hold developers to the same data privacy standards as all other companies that operate online. Mobile app developers, therefore, must comply with all applicable truth-in-advertising and data privacy regulations or risk enforcement actions by the FTC, pursuant to its power to take action against unfair and deceptive trade practices under the Federal Trade Commission Act ("FTCA").[2]
The guide provides mobile app developers with a set of principles to guide their advertising and privacy policies. However, as noted in the guide, there is "no one-size-fits-all approach," and advertising and privacy policies should be tailored to the specific mobile app depending on the purpose and use of the user's personal information.
In order to comply with truth-in-advertising requirements, the FTC urges developers to (1) avoid making false or misleading claims in advertising and marketing, (2) avoid omitting important information, and (3) make only objective claims that they have proof to substantiate. Developers are urged to look at their product and advertising from the perspective of an average user and should make disclosures "clear and conspicuous."[3]
In order to comply with basic privacy regulations, the guide urges developers to use a "privacy by design" approach whereby privacy protections are integrated into the developer's operations.[4] This position is consistent with and builds upon earlier policy announcements by both the Obama Administration and the FTC over the last year.[5] Developers should limit the information collected, securely store the information, and safely dispose of information once it is no longer needed. If the collection or sharing of information is not immediately apparent to an average user of the app, developers should obtain the user's express agreement before collecting or sharing such information.[6]
In addition, to comply with basic privacy regulations, the FTC outlines the following six data privacy requirements:
- Developers should be transparent about their data practices, and disclose what information is collected and what is done with such information.
- Developers should provide users with easy-to-find, easy-to-use options to control whether and how they share their data, such as opt-outs or privacy settings.
- If the app is designed for children, there are additional requirements and developers must comply with the Children's Online Privacy Protection Act ("COPPA"). If the app is directed to kids under the age of 13 or if the developer has actual knowledge that a user is under the age of 13, the app must clearly explain its information practices and get parental consent before collecting personal information from children. The app must also keep personal information confidential and secure.
- Developers are required to obtain consent before collecting sensitive data, such as medical, financial or precise geolocation information.
- Developers must take reasonable steps to keep sensitive data secure. At a minimum, the FTC urges developers to collect information only as necessary, take precautions against well-known security risks, limit access to information on a need-to-know basis, and safely dispose of data when it is no longer needed.[7]
In addition to the above suggested principles, mobile app developers may also be required to comply with other federal and state regulations, depending on the type of information they collect, the purpose for using and sharing such information, and the states where such companies operate.
Companies should regularly assess their privacy policies to ensure that they comply with minimum standards required by the FTC as well as suggested guidelines issued by the agency. In addition, companies should keep abreast of proposed data privacy regulations and published guidelines to anticipate likely changes in this dynamic area of the law. It is likely that these guidelines will be used in crafting future legislation and regulations.