Following a February 2012 report chastising the mobile app industry for not disclosing data privacy practices in connection with apps directed to children, the FTC has issued a follow-up report that concludes the industry has not improved. The new FTC report indicates that since its first study on kids’ apps 10 months ago, 80% of those examined still do not have posted privacy policies, and many of the apps that do disclose data practices do so inaccurately or incompletely. In a press conference the FTC also announced that it had commenced a series of law enforcement investigations against unnamed companies for violations of law in this regard. Both California and federal law require disclosure of data privacy practices by website and mobile app publishers, and the Children’s Online Privacy Protection Act (COPPA) requires verified parental consent in most instances before collection of personal information of children under the age of 13.

The new report suggests that the majority of app publishers are still failing to comply with legal requirements that web sites and mobile apps must have a privacy policy that explains their data practices, and that many apps further fail to comply with the even more stringent requirements of COPPA. Aside from the issue as it relates to children, failure to have adequate data privacy disclosures is an issue for publishers of adult sites and apps too, as the California Attorney General’s lawsuit against Delta Air Lines last week for failing to have a privacy policy on its app demonstrates.

As for children specifically, the FTC has proposed new rules for children’s privacy under the COPPA law, which the Commission is expected to vote on this month or early next year. One of those proposed changes would be to deem persistent identifiers (such as mobile device identifiers or browser identifiers) as personal information, which would require verified parental consent before collecting and using them for anything other than internal operations. This would require such advance consent before sharing with third parties such as the many participants in the digital advertising ecosystem. The FTC’s concentration in its report on app publishers’ apparent widespread sharing of persistent identifiers with third parties such as ad networks and analytics companies suggests that the Commission continues to believe that such sharing is inappropriate absent verified parental consent. It also may suggest a backdoor way to try to expand the definition of personal information to include persistent identifiers regardless of age. If a device identifier is personal information for a 12-year-old, it does not make sense that it would not be personally identifying when they turn 13. The big question will be what degree of consumer notice and control there should be over persistent identifiers, especially with regard to the advertising ecosystem. The FTC seems to be moving more and more towards wanting to restrict what the advertising industry can do with identifiers absent consumer choice. In its proposed rulemaking under COPPA, the FTC draws a distinction between first party contextual advertising, for which it seems willing to accept use of persistent identifiers without parental consent, and third party behavioral advertising, which it proposes should require parental consent.

The mobile industry is lagging behind the Internet industry in developing effective self-regulation of consumer data privacy, and the investigations that the FTC and the CA Attorney General have each announced they have opened against multiple companies in the mobile app space should be a wake-up call. It seems clear that there will be a series of law enforcement actions in 2013, and it would not be surprising to see the class action bar pile on soon with private lawsuits. Companies should take heed, audit their data practices, and ensure that their apps and web sites have accurate privacy policies posted. They should also ensure that they take reasonable precautions to protect the security of the data and are prepared to respond to a breach.

As for law enforcement, expect to see actions not only against app publishers (like Delta), but also the marketplaces like Apple and Android, and third parties like ad exchanges, ad networks, social media plug-ins and analytics companies. Indeed, one of the things the proposed changes to COPPA would do is to make both publishers and third parties responsible for sharing of device identifiers associated with children with third parties, though it remains unclear what the knowledge standard will be for each.