The FTC issued a new report, Mobile Privacy Disclosures: Building Trust Through Transparency, on February 1, 2013, detailing the Commission's recommendations for best practices for key players in the mobile "ecosystem": mobile platforms, app developers, advertising networks, and other third parties such as analytics companies that collect and use data from mobile apps. The recommendations are intended to address the challenges of providing effective, accessible and timely privacy disclosures on mobile devices, given the limitations of mobile technology, including the small screen on most devices and the limited attention span of users. The report also suggests how other stakeholders, such as app developer trade associations, academics, usability experts and privacy researchers, can assist the major players in meeting the FTC's recommendations.
In the report, the FTC indicates that it has identified three key areas for ongoing work to address mobile privacy concerns: enforcement, outreach and policy initiatives. Concurrent with the release of the report, the FTC also announced a significant settlement with mobile social networking service Path, related to the discovery in February 2012 that the company's app collected and transmitted information from users' address books.
According to the report, the recommendations are based on the FTC's work in the area of privacy in the mobile space; the Commission's May 30, 2012, mobile privacy workshop, "In Short: Advertising and Privacy Disclosures in a Digital World"; and written submissions that the Commission received from industry stakeholders. The report specifically notes that these recommendations are best practices and that, to the extent that the recommendations exceed current legal requirements, the report "is not intended to serve as a template for law enforcement actions or regulations under laws currently enforced by the FTC." A summary of the FTC's recommendations, organized by industry participant, follows.
According to the report, mobile platforms or providers of operating systems (Apple, Amazon, Google, BlackBerry and Microsoft, for example) that provide app developers, advertisers and others with access to users and user data from mobile devices through their application programming interfaces (APIs) and apps offered through their app stores play a key role in consumer privacy in the mobile space. Noting the significant control mobile platforms exert over app developers, given that the platforms essentially function as the gatekeepers between app developers and consumers, the report suggests that platforms could place greater emphasis on consumer privacy in their relationship with app developers.
The report recommends a number of best practices for mobile platforms:
- Provide consistent disclosures at multiple points in time concerning the mobile content available to all apps through the API;
- Provide just-in-time disclosures to consumers that are clear, accurate and understandable (i.e., use plain language and avoid the use of technical jargon); obtain affirmative express consent before allowing apps to access sensitive consumer data, such as geolocation information; and consider providing these disclosures and obtaining consent for other information that consumers might consider sensitive in many contexts, including contacts, photos, calendar entries, and recordings of audio or video content;
- Consider developing a one-stop "privacy dashboard" providing consumers with the ability to review the apps they have downloaded and the types of data accessed by those apps, organized either by apps or content categories relating to significant types of information, including geolocation, contacts, calendar, and photographs and videos;
- Consider developing and implementing icons to signal when an app is accessing user data (e.g., both Apple and Google currently utilize icons to signal to consumers when an app is collecting their geolocation information);
- Use their control of and relationship with app developers to improve app developers' privacy disclosures, including promoting app developers' best practices, adding contractual provisions to require just-in-time disclosures and express consent, enforcing these requirements, and educating app developers about privacy and transparency;
- Consider providing consumers with clear disclosures about the extent to which mobile platforms review apps prior to making them available for download in the app stores, and conduct compliance checks after the apps have been placed in the app stores; and
- Consider offering a Do Not Track (DNT) mechanism at the mobile platform level that would prevent an entity from developing profiles about mobile users by allowing consumers to make a one-time choice rather than making that choice on an app-by-app basis.
In light of the critical role that app developers play in informing consumers about mobile privacy, the FTC report includes a number of best practices for app developers:
- Provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information, including financial, health or children's data, that the FTC believes warrants special protection and before sharing this sensitive data with third parties;
- Improve coordination and communication with ad networks and other third parties that provide services for apps, such as analytics companies, so the app developers can understand and better provide accurate disclosures to consumers;
- Consider participating in self-regulatory programs, trade associations and industry organizations that can provide industry-wide guidance on how to make uniform, short-form privacy disclosures; and
- Ensure that app-level disclosures do not repeat the mobile platform-level disclosures (e.g., an app should be able to rely on mobile platform disclosures that geolocation information will be collected by the app through APIs).
Advertising Networks and Other Third Parties
In its report, the FTC suggests that app developers frequently don't fully understand the functionality of the code that advertising networks provide to them to facilitate advertising or analytics within apps. The FTC suggests that advertising networks improve coordination and communication with app developers so that app developers better understand how the code works and can thereby provide truthful and complete disclosures to consumers. The report recommends that advertising networks and other third parties that provide services for mobile apps do the following:
- Communicate with app developers so that the developers can provide truthful disclosures to consumers; and
- Work with mobile platforms to ensure effective implementation of DNT for mobile.
Other Industry Stakeholders
The report also suggests how other stakeholders, including app developer trade associations, academics, usability experts and privacy researchers, can assist the major players in improving transparency and meeting the FTC's recommendations:
- Develop standardized interactive icons to depict an app's privacy practices;
- Develop "badges" or other short-form disclosures that appear in apps or in-app advertising;
- Promote standardized app privacy policies to enable consumers to compare data practices across apps;
- Consider conducting consumer testing of new mechanisms to ensure meaningful consumer comprehension; and
- Educate app developers on privacy issues, including information collection and use practices.
FTC Settlement with Path Mobile Social Networking App
In the report, the FTC represents that it will continue to bring enforcement actions against companies in the mobile space, and concurrent with the announcement of the staff report, it announced an $800,000 settlement with start-up mobile social networking service Path. The FTC's complaint charged that the company deceived consumers by collecting information from their address books without their knowledge and consent and illegally collected information from children under age 13 without providing notice and obtaining parental consent, in violation of the Children's Online Privacy Protection Act (COPPA). The settlement requires Path to implement a comprehensive privacy program and to obtain independent assessments of its privacy practices for the next 20 years.
Leadership Changes at the FTC
The release of the FTC's report on privacy disclosures in the mobile space comes as the Commission is experiencing a significant change in leadership. On January 31, 2013, Jon Leibowitz announced his anticipated resignation after eight years as chairman of the Commission, effective in mid-February. On December 31, David Vladeck, director of the FTC's Consumer Protection Bureau, left the Commission in order to return to Georgetown University Law Center, and Charles Harwood has been named acting director of the Consumer Protection Bureau.