The FTC’s Mobile Privacy Report observes that mobile technology may raise unique privacy concerns. Enormous amounts of personal data are collected and transmitted by smartphones and tablets. And, to a greater extent than other technologies, mobile devices (and the data they collect) can be tied or connected in some manner to a specific individual. Mobile data is also collected by a diverse set of ecosystem players—for example, operating systems, application developers and advertising networks—and the relatively small screen size of mobile devices makes it more challenging to provide robust, detailed disclosures. Indeed, a May 2012 FTC panel on mobile privacy and associated industry comments point to a lack of consumer awareness and understanding about the data collection and use practices occurring on mobile devices.
The FTC’s Mobile Privacy Report offers suggestions on how industry can improve the current state of affairs. The FTC’s recommendations generally align with those of the California Attorney General, whose January 2012 report on mobile privacy encouraged app developers, platform providers, ad networks, mobile carriers and operating system developers to increase transparency, limit the collection and retention of data, provide meaningful choice to consumers, and improve data security. See our previous coverage of the California AG report here.
FTC’s Advice for Mobile Platforms
The Report notes that mobile platforms, such as those by Apple, Google, Amazon, Microsoft and BlackBerry, serve as the gatekeepers to the app marketplace and, therefore, are potentially in a position to effectuate change with respect to mobile privacy disclosures. The Report recommends that mobile platforms implement or consider:
- Providing “just-in-time” disclosures (at the point of collection) and obtaining affirmative express consent before allowing apps to access sensitive information, such as geolocation, and other content that consumers may consider sensitive, such as contacts, photos, calendar entries or videos.
- Developing a privacy “dashboard” to allow consumers to review the types of data accessed by the apps they have already downloaded.
- Developing icons to depict the transmission of user data.
- Promoting app developer best practices through education, oversight, monitoring and enforcement.
- Considering the development of a Do Not Track (DNT) mechanism, which would allow consumers to prevent tracking by ad networks through their mobile apps.
FTC’s Advice for Mobile App Developers
The Report recommends that mobile app developers:
- Provide just-in-time disclosures and obtain affirmative express consent when collecting sensitive information outside the platform’s API, such as financial, health, or children’s data, or when the app shares sensitive data with third parties. The FTC notes that app developers “should” be able to rely on platform-level disclosures (for example, that geolocation data will be collected by the app through APIs) and “need not repeat the same disclosure and consent process.” However, if the app then shares the geolocation data with a third party, it should provide a just-in-time disclosure and obtain affirmative consent from the user.
- Improve coordination and communication with third parties that provide services for the apps, such as ad networks or analytics companies, to understand each third party’s data collection practices and be able to accurately disclose such practices to consumers. The FTC specifically notes that ad networks and other third parties that provide services for apps should affirmatively assist app developers to understand the technologies used to facilitate activities like advertising or analytics—so that app developers can in turn make more complete and accurate disclosures to their users.
- Participate in self-regulatory programs, trade associations and industry organizations that may develop guidance on how to implement uniform, short-form privacy disclosures.
FTC’s Advice for App Developer Trade Associations, Academics and Privacy Researchers
The Report notes that trade associations and industry participants can play a role in standardizing processes, and recommends that they:
- Develop short-form disclosures for app developers.
- Promote standardized app developer privacy policies that will allow consumers to compare privacy practices across apps.
- Educate app developers on privacy issues.
The Report’s recommendations were intended to provide a flexible framework that will accommodate further developments in technology and innovation. The FTC strongly encourages companies to implement the recommendations in the Report and notes that it will continue to closely monitor developments in the mobile space. The text of the Report can be found here.
Concurrently with releasing this Report, the FTC also released guidance on implementing security for mobile applications. This guidance, although fairly high-level, demonstrates the FTC’s continuing focus on prodding industry to adopt data protection and security measures that are appropriate for the type of data collected and processed by the apps, and minimizing the collection and storage of consumer data generally.