April 19, 2016

In the mobile world, regulators grappled with how best to protect the privacy and security of user information as new technologies continued to emerge, with the Federal Trade Commission (FTC) and Digital Advertising Alliance (DAA) issuing reports, convening workshops, and signaling their intention to increase enforcement.

The FTC's report on the "Internet of Things" (IoT) recommended steps companies should take to protect users' security and privacy. The report defined IoT as devices or sensors — other than computers, smartphones, or tablets — that connect, store, or transmit information with or between each other via the Internet. It estimated that there will be 50 billion of these devices by 2020. Privacy risks arising from mobile devices such as fitness monitors, wearable technologies, and GPS trackers prompted the FTC to recommend that companies implement certain "reasonable security" mechanisms, including:

  • Building security into devices at the outset through "security by design."
  • Ensuring that outside service providers are capable of maintaining reasonable security.
  • Taking steps to prevent unauthorized users from accessing consumer information.

In addition, the FTC made recommendations regarding data minimization and consumer choice and notification, acknowledging that there may not be a "one size fits all" approach.

Another regulatory body in the mobile space, the DAA, announced that it would begin to enforce its self-regulatory principles, which define categories of mobile data and apply to companies engaged in online behavioral advertising. When it issued mobile guidance with user notice and consent requirements in 2013, the DAA indicated that it would allow an "implementation phase" and would not immediately begin enforcement. As of September 2015, however, any entity engaged in interest-based advertising or the collection and use of certain mobile data is required to comply with the DAA's self-regulatory principles.

In addition, 2015 brought increased attention to cross-device data and tracking, which involves identifying users across multiple devices (such as a laptop, tablet, and smartphone) to deliver targeted advertising or personalized services. In November, the FTC convened a workshop that discussed the need for consumer notice and consent, and the DAA released specific guidance emphasizing transparency and user control.

Looking Ahead

  • The key issues will be the extent to which the FTC and DAA seek to enforce their respective recommendations and self-regulatory guidelines, and whether any further rulemaking is on the horizon.
  • IoT companies will be expected to follow the relevant recommendations in the FTC's report, and mobile companies that collect user data or engage in online behavioral advertising will be subject to the DAA's self-regulatory principles.
  • At a minimum, we expect to see enforcement where IoT companies do not provide reasonable data security or privacy to consumers using their devices. Cross-device data will also remain at the top of the regulatory agenda in 2016.
