On March 28, 2013, one of the Federal Trade Commission’s (“FTC”) privacy division attorneys predicted that the FTC will remain focused on mobile privacy, citing it as a “huge priority for the agency.” He also advised that enforcement actions will follow if companies do not incorporate security, choice and transparency into the app development process.
The FTC has expressly stated that the concept of “privacy by design” applies to mobile apps. Privacy by design calls on companies to incorporate substantive privacy protections into their everyday business practices, such as (1) data security; (2) reasonable collection limits; (3) sound retention and disposal practices; and (4) data accuracy. The FTC has also recommended that companies incorporate choice (i.e., affirmative express consent for use of data out of context or for sensitive data) and transparency (i.e., shorter, clearer privacy notices) into their mobile apps before the collection of personal information begins.
Mobile marketing is one of the important privacy trends for companies to pay attention to this year. Activity over the last six months indicates that regulatory enforcement and class action lawsuits are becoming common in the mobile media space. In December 2012, the California Attorney General (“CA AG”) sued Delta Airlines for failing to include privacy notices in its apps. That same month, six class actions were filed against companies for allegedly tracking children through mobile apps in violation of the Children’s Online Privacy Protection Act (“COPPA”). On February 1, 2013, the FTC announced an $800,000 “civil penalty” against a mobile app developer.
To avoid such penalties, companies with mobile apps need to address (1) privacy by design; (2) choice; and (3) transparency in all phases of the development and distribution of their mobile apps.
Since January 2013, numerous best practice reports have been issued that companies can consult when developing their apps. For example:
- CA AG’s Privacy on the Go report (issued January 10, 2013) relating to any app that collects personal information (including behavioral data) from California residents
- FTC’s Mobile Privacy Disclosures report (issued February 1, 2013)
- Article 29 Working Party’s “Opinion on apps on Smart Devices” (adopted February 27, 2013) relating to apps targeted to the European Union (“EU”)
- The National Telecommunications and Information Administration (“NTIA”) multi-stakeholder process, facilitated by the Department of Commerce, which has produced a draft Mobile App Transparency document (most recent version circulated on March 29, 2013)
Moreover, there are several Federal privacy bills and some 15 bills in the California legislature that will likely have national and international reach. How can companies that are interested in implementing compliance programs stay ahead of this trend and stay out of regulatory enforcement or class actions?
- Be aware that class actions and regulatory enforcement go hand in hand and are expensive. Consumer class action plaintiffs and regulators typically seek statutory damages. In the recent case against Delta, the CA AG alleged that Delta’s app was downloaded “millions” of times and seeks statutory civil penalties, under California state laws applicable to non-California companies, of $2,500 per download. Furthermore, many consumer class actions relating to targeted advertising allege violations of the Electronic Communications Privacy Act. These class actions often allege hundreds of millions of violations (for each time a consumer’s device is tracked) at $10,000 per violation. Regulators have announced enforcement action settlements involving 15-20 year reporting requirements. Reporting requirements can be even more onerous than class actions as they often require annual or bi-annual audits, for up to 20 years, at considerable expense to the companies facing them.
- If your company is tracking user behavior for internal analytics or ad serving, you may need consumer consent. The FTC and CA AG are moving towards a definition of personally identifiable information that is more like Europe’s, in that it includes persistent identifiers such as mobile device identifiers and unique identifiers within the definition of personal information. These numerical values are not currently contained in any breach notification statutes; however, the Article 29 Working Party (in the EU) and the CA AG have specifically attached security requirements to this type of data – in some instances calling for encryption of behavioral and other data collected via apps, as well as “proactive” adherence to breach notification best practices.
- Know that the recent mobile guides go beyond the law but represent best practices from the regulators’ points of view. Understand that California’s mobile policy, the FTC mobile guide, the NTIA draft disclosure recommendations, and the Article 29 Working Party’s mobile guidance are a source of “best practices.” These guidelines apply to companies that collect personally identifiable information, including behavioral data collected through persistent identifiers, and are intended for nationwide or global reach.
- Be familiar with the mobile practice guides and use a checklist when developing your app. Currently, many companies are members of self-regulatory groups like the Digital Advertising Alliance (“DAA”), the Interactive Advertising Bureau (“IAB”) and others. It is important for companies to understand that compliance with industry self-regulation protocols like those of the DAA or IAB will not be sufficient to meet the recent guidelines from the FTC, CA AG and the Article 29 Working Party. Rather than following any one guide, companies should understand the requirements of each of these documents in order to assess what will work for their own apps.