NOTE: This document contains details regarding the substance of some of the remarks that were made during the recent March 28, 2013 LSI audio-seminar titled “New FTC Mobile Privacy Guidelines.”

On February 1, 2013, the Federal Trade Commission (“FTC”) issued its mobile guidance titled “Mobile Privacy Disclosures: Building Trust through Transparency (“FTC Mobile Guide”)” This guidance follows the FTC’s March 2012 report, “Protecting Consumer Privacy in an Era of Rapid Change,” which discusses mobile and applies the following concepts “privacy by design, consumer choice and transparency” to that mobile app ecosystem.

The FTC has focused on mobile for the last decade and it is important for companies to understand that mobile is a “huge priority for the agency” and a “major agency focus moving forward.” Companies should also keep in mind that the February 2013 staff report on mobile outlines recommendations - not rules or regulations. The FTC highly encourages industries to look carefully at the mobile best practices recommendations and move expeditiously to implement them. The FTC’s enforcement tools for mobile remain the same as for other forms of enforcement, including Section 5 of the FTC Act. In addition, the agency enforces numerous sector specific statutes (e.g., Fair Credit Reporting Act (“FCRA”) and Children’s Online Privacy Protection Act (“COPPA”)). To the extent there is activity that implicates those statutes, the commission has brought cases under those sector specific statutes as well.

The FTC Mobile Guide was predicated on extensive mobile workshops that the FTC conducted. While many apps are offered “free” to the public, they are built upon business models that involve behavioral advertising or targeting to be able to monetize the product. During the consumer mobile workshops, the FTC discovered that “consumers don’t have any understanding as to what is going on right now.” The FTC has noted with approval, that many of the platforms (e.g., Apple and others) have incorporated “Do Not Track” options. These tools give consumers a lot of choice about whether they want to be tracked or not.

Most of the FTC’s recommendations are focused on App Platforms where the apps are offered to the public. The theory behind this is that the App Platforms (e.g., Apple, Facebook) will have more influence on App Developers in the first instance and will therefore be the best place to ensure that certain disclosures are provided to consumers. Handset manufacturers and carriers were not the focus of the mobile privacy disclosure report, although there is a footnote in the FTC Mobile Guide that relates to them.

As far as best practices for App developers (companies who use mobile apps to market), the following best practices should apply:

  • Baseline requirement: Have a privacy policy and make sure that it is available throughout the app store. Some progress has been made but there are still scores of apps that still do not even have a policy. A privacy policy is required under California law. It is critical that developers have a privacy policy.
  • Understand that companies are “app developers” as far as regulators are concerned, regardless if one hires an outside vendor to create the app. As long as the consumer purchases the app marketed/owned by your company in the app store, the company is the one responsible.
  • If you are collecting behavioral information from children, you need parental consent. The new COPPA rule goes into effect this July. Companies will need parental consent if they use persistent identifiers to track children (such as unique device identifiers).
  • Be aware of the National Telecommunications Information Administration (“NTIA”) process as well as California. There are other initiatives underway, either through the California Attorney General’s office and the NTIA. The FTC hopes that its Mobile Guide will assist these initiatives, therefore companies should be familiar with all.