The mobile app industry has grown exponentially in recent years. Data indicate that there are currently over a million mobile apps, with an additional 1,600 new apps introduced every day. The growth of the mobile app industry has prompted concern regarding the collection and handling of consumers' personal information. In the past year, federal and state regulators have increased enforcement of consumer privacy laws and issued new, sometimes controversial, guidelines for the mobile app industry. More than ever before, compliance with existing regulations is a critical business concern. Inadequate privacy disclosures or data-security practices may not only prompt expensive federal and state regulatory actions, but may also tarnish a company's brand in the marketplace. While the legal landscape regulating mobile apps is evolving, developments in a few areas deserve particular attention.
1. Regulation of Location Information
An increasing number of companies offer apps that use or collect
location data. While geolocation information may improve app
functionality and allow companies to offer additional services to
consumers, a number of regulators have expressed growing concern
that location data could be used to reveal personal details that
consumers prefer to keep private.
The FTC is paying particular attention to consumer privacy concerns relating to the collection of location information. In its 2012 Privacy Report, the FTC noted that location information could be used to build detailed profiles of consumers and "in ways not anticipated by consumers." The FTC characterized precise location information as "sensitive" data and outlined additional measures mobile app providers should take prior to obtaining this information. Most significantly, the FTC stated that providers "should first obtain affirmative express consent from consumers" before collecting such location information. The FTC further stated that consumers should be provided "more prominent notice and choices" regarding the way data is collected and shared with third parties.
In addition to urging increased consent and disclosure obligations, the FTC recommended that companies re-evaluate their apps to assess whether collection of location information is truly necessary. The FTC specifically cautioned that "a wallpaper app or an app that tracks stock quotes does not need to collect location information."
Although the guidance contained in the FTC's 2012 Privacy Report is direct, the FTC has not codified its pronouncements into specific regulations. The FTC similarly did not prescribe specific codes of conduct in connection with its latest 2013 Mobile Privacy Disclosures Report, which sets forth best practices for mobile privacy disclosures and also urges disclosure and affirmative consent prior to collection of geolocation information. To be sure, the FTC made clear that the 2013 Mobile Privacy Disclosures Report would not "serve as a template for law enforcement actions or regulations under laws currently enforced by the FTC," but was instead intended to be "sufficiently flexible to accommodate further innovation and change."
Given the absence of specific FTC regulations, it is unclear whether companies are likely to face liability for not complying with the disclosure and affirmative consent obligations detailed in the FTC's 2012 and 2013 reports. That said, the FTC has warned that many companies have inadequately disclosed the "frequency or extent of the collection, transfer, and use of [geolocation] data," which intimates that enforcement actions for unfair or deceptive practices under Section 5 of the FTC Act may be on the horizon.
2. Enforcement by the California Attorney
General
Recent actions by California's Attorney General, Kamala D.
Harris, provide an example of increasing state efforts to
strengthen privacy protections for mobile app users.
In early 2012, Harris announced a Joint Statement of Principles intended to promote compliance with California's Online Privacy Protection Act ("CalOPPA"), which requires websites and other online services that collect personally identifiable information to post a privacy policy containing specific disclosures. To date, seven of the largest platform providers—Amazon, Apple, Facebook, Google, Hewlett-Packard, Microsoft, and Research in Motion—have committed to the Joint Statement of Principles, pledging to facilitate compliance with CalOPPA and promote best practices for protecting consumer privacy. Although the Joint Statement does not impose any legally binding obligations, it cautions that the AG will ensure that mobile apps comply with California law.
In July 2012, Harris took further measures to protect consumer privacy by establishing the Privacy Enforcement and Protection Unit within the California Department of Justice. This unit has been particularly active in enforcing CalOPPA and other state privacy and consumer protection regulations. On October 30, 2012, Harris notified "scores" of application providers of their noncompliance with CalOPPA and gave them 30 days to update their privacy practices. Shortly thereafter, on December 6, 2012, Harris announced the first ever CalOPPA enforcement suit for failure to publish a privacy policy, signaling the state's intent to vigorously enforce its consumer privacy laws. (Read about California v. Delta Air Lines and the dismissal of the case.)
In addition to making clear that mobile apps must comply with CalOPPA, in January 2013 the AG released a report setting forth "privacy practice recommendations" for mobile app developers. The AG advised app providers to adopt a "surprise minimization" approach. This approach aims to lessen unwelcome surprises to consumers by (1) avoiding collection of personally identifiable data that is unnecessary for the basic functions of the application, and (2) making privacy policies available for consumer review before an application is downloaded.
3. Potential Liability under the Fair Credit Reporting
Act
The Fair Credit Reporting Act ("FCRA") regulates the
collection and use of personal information by consumer reporting
agencies ("CRAs"). The FCRA defines a consumer reporting
agency as any operation that regularly assembles or evaluates
certain consumer information—including data regarding
creditworthiness, character, general reputation, personal
characteristics, or mode of living—for the purpose of
providing "consumer reports" to third parties. Such
consumer reports are prepared for specific, statutorily-defined
purposes, including evaluating candidates for employment, housing,
or credit.
In January 2012, the FTC issued letters to three providers whose mobile apps supplied criminal history information, warning that the providers may be CRAs under the FCRA if they had reason to believe that their apps were being used for employment screening, housing, credit, or similar purposes. Notably, the FTC letters deemed the providers' disclaimers that their products should not be used for employment screening or other FCRA purposes insufficient. In the FTC's view, providers may not disclaim away their responsibilities under the Act.
On January 10, 2013, the FTC filed a complaint and proposed consent decree against three other providers of mobile apps that supplied criminal histories, reaffirming the agency's position that apps providers may in fact be subject to the extensive regulations and requirements of the FCRA. Following a public comment period, on May 1, 2013, the FTC approved a final order settling charges against the providers. The consent decree will be enforced for twenty years and imposes heightened oversight for five years.
The FTC's enforcement actions under the FCRA are indicative of two important trends: (1) a growing risk that mobile apps may implicate a host of regulations unforeseen by the provider; and (2) the FTC's view that disclaimers may not shield companies from liability or obligations under existing law.
4. Mobile Apps for Kids
Apps marketed toward children have drawn particular attention from
federal regulators. In 2012, the FTC issued two reports questioning
the practices of companies developing mobile apps for kids. The FTC's
initial report, released in February 2012, stated that current
privacy disclosures for children's apps provide parents
with insufficient information regarding data collection and data
sharing practices. The report was "a warning call" to the
industry that it "must do more to provide parents with easily
accessible, basic information about the mobile apps that their
children use." Indeed, the FTC threatened to
"vigorously" enforce the Children's Online
Privacy Protection Act ("COPPA"), which generally
prohibits the collection of a child's "personal
information" without parental consent, to ensure that the app
industry complies with its disclosure and consent obligations.
In December 2012, the FTC released a follow-up to its initial report, stating that the industry had made "little or no progress" since the FTC's earlier warning. The FTC found that most children's apps still "failed to provide any information about the data collected through the app, let alone the type of data collected, the purpose of the collection, and who would obtain access to the data." In addition, the FTC noted that it had launched "multiple non-public investigations" to enforce COPPA and to guard against unfair or deceptive trade practices.
In late December 2012, the FTC strengthened its ability to protect children's privacy and deter illegal conduct by amending the regulations governing COPPA. (Read a client alert that provides a detailed analysis of the COPPA amendments.)
In short, federal and state regulation of mobile apps is in flux. Increased enforcement and regulatory and legislative activity make it imperative that companies offering mobile apps remain cognizant of their evolving disclosure and consent obligations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
