The Federal Trade Commission (FTC) issued a staff report on Friday recommending ways for participants in the mobile ecosystem to improve their mobile privacy disclosures. The report includes guidance tailored for key commercial players involved in the mobile area, including platforms (such as Apple’s iOS and Google’s Android), app developers, certain third parties (such as ad networks and analytics companies), and trade associations. The report is based, in part, on feedback the FTC received at a May 2012 workshop, as well as other panel discussions and written submissions. Similar recommendations from California’s Attorney General were released last month.
The FTC noted in the report that its recommendations are intended to be “sufficiently flexible to accommodate further innovation and change” and, to the extent any guidance in the report extends beyond the requirements of existing law, that guidance “is not intended to serve as a template for law enforcement actions or regulations under laws currently enforced by the FTC.”
The recommendations are largely focused on making sure that consumers receive timely and easily understandable disclosures about what data is being collected, and how that information is used. Specifically, the report includes the following guidance:
A. Recommendations for Mobile Platforms
- Provide just-in-time disclosures to consumers and obtain their affirmative consent prior to allowing apps to access sensitive content (e.g., geolocation data);
- Consider creating a dashboard of privacy controls to allow consumers to review the types of data accessed by the apps they download and to revisit information choices previously made;
- Use icons to communicate key concepts to users, such as to alert users when data is being transmitted;
- Promote best practices to app developers;
- Clearly disclose to consumers the extent to which platforms review apps prior to making them available for download and conduct compliance checks for apps placed in app stores; and
- Consider offering a Do Not Track mechanism for smartphone users.
B. Recommendations for App Developers
- Provide just-in-time disclosures and obtain affirmative express consent prior to collecting or sharing sensitive information (to the extent platforms have not already done so);
- Improve coordination with advertising networks and other third parties (e.g., analytics companies) in order to make sure accurate disclosures are made to consumers; and
- Consider participating in self-regulatory regimes and industry organizations.
C. Recommendations for Advertising Networks and Other Third Parties
- Communicate and coordinate with app developers to help them provide truthful and complete disclosures to consumers; and
- Work with App Platforms to implement mobile Do Not Track.
D. Recommendations for Trade Associations, Academics, and Researchers
- Create short form disclosures (e.g., icons and badges) for use by app developers;
- Promote standardized forms of privacy policies that will enable consumers to compare data practices across apps; and
- Educate developers about privacy.
The report also mentions that the FTC recently settled charges that Path, Inc. (“Path”), a mobile social networking service, deceived consumers about the collection of address book information on mobile devices through its mobile app, and illegally collected information from children in violation of the Children’s Online Privacy Protection Act (COPPA). According to the terms of the consent order, Path will, in addition to other requirements, pay a civil penalty of $800,000.
This enforcement action, together with the report, clearly demonstrates the FTC’s continued focus on consumer privacy issues in the mobile app context.
- Glen Westerback