New FTC Mobile Privacy Report: Trust Through Transparency

FTP Logo

On February 1, 2013, the FTC released its latest privacy-focused report, Mobile Privacy Disclosures: Building Trust Through Transparency. In the report, which arose from the FTC's May 2012 mobile privacy summit and other efforts and suggestions, the Commission offers guidance to the many types of organizations that contribute to how mobile devices collect and use personal information: the operating system providers/platforms (Apple, Google, Microsoft, Blackberry, Amazon and others), app developers, the advertising networks, analytics firms and other third parties whose products are integrated with mobile devices, and the broader trade and research communities. In the FTC's view, each has responsibility toward the overall goal of improving privacy disclosure and protection. (The FTC states that it will also be issuing updated guidance regarding the related issue of advertising disclosure.)

The new report lays out the FTC's history of privacy study and enforcement, especially its efforts since and including its March 2012 Privacy Report, its ongoing work on children's privacy, and risk issues such as financial privacy. Building on its own work, the ongoing multistakeholder mobile privacy initiative of the National Telecommunications and Information Administration ("NTIA"), a Government Accountability Office ("GAO") report on mobile device location data and enforcement and guidance by the California Attorney General's Office, the FTC summary recommendations include the following:

Platforms, or operating system providers offer app developers and others access to substantial amounts of user data from mobile devices (e.g., geolocation information, contact lists, calendar information, photos, etc.) through their application programming interfaces (APIs). In addition, the app stores they offer are the interface between users and hundreds of thousands of apps. As a result, platforms have an important role to play in conveying privacy information to consumers. While some platforms have already implemented some of the recommendations below, those that have not should:

  • Provide just-in-time disclosures to consumers and obtain their affirmative express consent before allowing apps to access sensitive content like geolocation;
  • Consider providing just-in-time disclosures and obtaining affirmative express consent for other content that consumers would find sensitive in many contexts, such as contacts, photos, calendar entries, or the recording of audio or video content;
  • Consider developing a one-stop "dashboard" approach to allow consumers to review the types of content accessed by the apps they have downloaded;
  • Consider developing icons to depict the transmission of user data;
  • Promote app developer best practices. For example, platforms can require developers to make privacy disclosures, reasonably enforce these requirements, and educate app developers;
  • Consider providing consumers with clear disclosures about the extent to which platforms review apps prior to making them available for download in the app stores and conduct compliance checks after the apps have been placed in the app stores;
  • Consider offering a Do Not Track (DNT) mechanism for smartphone users. A mobile DNT mechanism, which a majority of the Commission has endorsed, would allow consumers to choose to prevent tracking by ad networks or other third parties as they navigate among apps on their phones.


App developers should:

  • Have a privacy policy and make sure it is easily accessible through the app stores;
  • Provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information (to the extent the platforms have not already provided such disclosures and obtained such consent);
  • Improve coordination and communication with ad networks and other third parties, such as analytics companies, that provide services for apps so the app developers can provide accurate disclosures to consumers. For example, app developers often integrate third-party code to facilitate advertising or analytics within an app with little understanding of what information the third party is collecting and how it is being used. App developers need to better understand the software they are using through improved coordination and communication with ad networks and other third parties.
  • Consider participating in self-regulatory programs, trade associations, and industry organizations, which can provide guidance on how to make uniform, short-form privacy disclosures.


Advertising networks and other third parties should:

  • Communicate with app developers so that the developers can provide truthful disclosures to consumers;
  • Work with platforms to ensure effective implementation of DNT for mobile.


App developer trade associations, along with academics, usability experts and privacy researchers can:

  • Develop short form disclosures for app developers;
  • Promote standardized app developer privacy policies that will enable consumers to compare data practices across apps;
  • Educate app developers on privacy issues.


As with other similar FTC reports, the Mobile Privacy Report does not mandate or legislate specific practices. It does, however, provide guidance on what the FTC might do in its own enforcement activity, or request in legislation from Congress should businesses consistently fail to follow the Commission's guidance on best practices. It will also be very influential on state attorneys general and their own privacy-related enforcement. As such, it should be read, understood and taken seriously by everyone involved in mobile device development and marketing.

(NOTE: This blog entry was originally published by Olshan counsel Jonathan I. Ezor on the IBLT Privacy and Technology Law Blog)

Add a comment

Type the following characters: whisky, whisky, foxtrot, romeo

* Indicates a required field.

Subscribe

Recent Posts

Contributors

Archives

Jump to Page

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.