Data use and sharing disclosures on mobile devices need work, the FTC said in a staff report released last week. The report recommends ways that actors in the mobile marketplace—such as mobile operating system providers, application developers, advertising networks, and analytics companies—can inform consumers of data collection and sharing practices. While the FTC tailors recommendations for each group, the recommendations are essentially focused on providing consumers with timely and understandable data use disclosures. If such disclosures do not materialize, FTC Chairman Jon Leibowitz said to reporters in a teleconference discussing the report, the mobile industry may face regulatory or legislative mandates.
The report is in part the result of the FTC's May 30, 2012 workshop, which brought together members of the mobile industry, trade associations, academia, and consumer privacy groups to discuss privacy issues presented by mobile devices. The report is also in response to increasing consumer concern about privacy on mobile devices.
While providing a wealth of benefits to consumers and players in the mobile marketplace, mobile devices have presented novel privacy issues because they are personal to the consumer and are used for numerous activities such as surfing the Internet and social networks, sending e-mails and messages, taking and sharing photographs, and simply making phone calls. Additionally, mobile devices are almost always turned on and are almost always with the user. All this facilitates new avenues and levels of data collection, but the space available for disclosures is limited to the size of the mobile device's screen – often just a few
While the report does not carry the force of law, it offers several suggestions for mobile privacy disclosures and provides a window into the FTC's approach to mobile privacy. For instance, the report indicates that the FTC views adherence to a "strong privacy code" favorably and considers geolocation information to be "sensitive"—akin to financial, health, and
The FTC report recommends the following with respect to specific actors in the mobile marketplace:

Operating System Providers:
- Provide disclosures and obtain consumers' affirmative express consent before allowing apps to access data;
- Consider a one-stop "dashboard" approach and the use of icons to allow consumers to review the types of content accessed by apps and to depict the transmission of user data;
- Implement developer best practices that require developers to make privacy disclosures, enforce those requirements, and educate
- Provide clear disclosures about the extent to which the platform reviews apps before making them available for download;
- Offer a Do Not Track function for mobile devices that allows consumers to prevent tracking by ad networks or other third
- Provide layered disclosures and obtain affirmative express consent before collecting and sharing sensitive information (to the extent the platforms have not already done so);
- Coordinate with ad networks and other third parties such as analytics companies to better understand the third-party software and provide accurate disclosures to consumers;
- Participate in self-regulatory programs, trade associations, and industry organizations to develop uniform, short-form privacy

Advertising Networks and Other Third Parties:
- Communicate with app developers towards providing truthful
- Work with platforms to ensure effective implementation of mobile Do Not Track.

Trade Associations, Academics, Experts and Researchers:
- Develop short-form disclosures for app developers;
- Promote standardized privacy policies that will enable consumers to compare data practices across apps;
- Educate app developers on privacy issues.
While the FTC has indicated that it will continue to monitor developments in the mobile marketplace and is open to further suggestions and proposals, it encourages actors in the mobile marketplace to implement the recommendations in the report. In the end, the FTC hopes the report will help build trust between businesses and consumers.
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.