Privacy issues related to mobile apps have recently been at the center of attention of U.S. authorities. In January 2013, the Attorney General of the State of California, the state's chief legal officer whose duties include ensuring that the laws of the state are uniformly and adequately enforced, issued a report that provides recommendations for mobile app developers. On February 1, 2013, the Federal Trade Commission ("FTC"), the U.S. federal agency in charge of consumer protection and the nation's chief privacy watchdog, issued a staff report recommending ways in which the key mobile app market players can better inform consumers about their privacy practices. On the same day, the FTC also issued a press release stating that Path, Inc., the operator of the social networking app Path, had settled FTC charges relating to the alleged deception of users by collecting personal information from their address books without their knowledge and consent. As the largest app platforms, such as Apple's App Store and Google Play, are U.S. based and need to follow U.S. regulation when making apps available to the public, these recent developments are also highly relevant for non-U.S. companies that either develop apps or have them developed by a third party.

RECOMMENDATIONS OF THE CALIFORNIA ATTORNEY GENERAL

The report named "Privacy on the Go - Recommendations for the Mobile Ecosystem" is one of many recent steps taken by the California Attorney General to address mobile privacy. The Recommendations are addressed primarily to app developers, but they also include some guidelines for other market actors. The stated aim of the Recommendations is to assist app developers, and others, in considering privacy at the outset of the design and development process of apps.

The Recommendations recognize that the legally required privacy policy is not always the most effective instrument to inform consumers. Therefore, a "surprise minimization" approach is set forth, which means supplementing the general privacy policy with enhanced measures to alert users and give them control over such privacy practices that are not related to an app's basic functionality or that involve sensitive information. This can be carried out for example through "special notices" delivered in a relevant context and just-in-time, or by making available privacy controls and a short privacy statement that emphasizes potentially unexpected practices.

Pursuant to the Recommendations, app developers should: 

  • Prepare a data checklist at the outset of the development process to review the personally identifiable data the app could collect. Such checklist should subsequently be used to make decisions on privacy practices;
  • Avoid or limit collecting such personally identifiable data that are not needed for the app's basic functionality;
  • Ascertain that the language used in the privacy policy is clear and accurate, and that the policy is conspicuously accessible to users;
  • Use enhanced measures to comply with the "surprise minimization" approach.

The Recommendations also offer a Decision Path for building privacy into apps.

App platform providers (such as Amazon, Apple, Facebook, Google, Hewlett-Packard and Microsoft), on the other hand, should make app privacy policies accessible from the platform to enable review by users before downloading an app. Platforms should also be used to educate users on mobile privacy. Mobile ad networks are encouraged to avoid using out-of-app ads delivered by modifying browser settings or placing icons on the mobile desktop. Ad networks should also provide their own privacy policy to developers, and prefer app-specific or temporary device identifiers over interchangeable device-specific identifiers. Finally, operating system developers are encouraged to develop global privacy settings and mobile carriers are encouraged to make use of their relationship with consumers to educate them on privacy related issues.

THE FTC's STAFF REPORT

The FTC's staff report also provides federal level recommendations for the major participants in the mobile marketplace. The report emphasizes the importance of ensuring that consumers get timely and easily understandable information relating to the collected data and the purposes for which data are collected.

According to the report, app developers should:

  • Have a privacy policy and ensure that it is easily accessible through the app stores;
  • Provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive content, such as geo-location information (unless such disclosure has already been provided, and consent obtained, by the platform provider);
  • Improve coordination and communication with ad networks and other third party service providers, such as analytics companies, to better understand what the third-party code integrated into the app collects and how it is used, and as a result be able to provide accurate disclosures to consumers;
  • Consider participating in self-regulatory programs, trade associations, and industry organizations, which can guide them in preparing uniform, short-form privacy disclosures.

Mobile platforms should:

  • Provide just-in-time disclosures and obtain consumers' affirmative express consent before allowing apps to access sensitive information, such as geolocation information;
  • Consider providing just-in-time disclosure and obtaining express affirmative consent before collecting other content that consumers may find sensitive, such as contacts, photos, calendar entries or audio or video recordings;
  • Consider developing a one-stop "dashboard" for consumers to review the types of content accessed by their apps, and icons that depict the transmission of user data;
  • Promote app developer best practices, for example by education and privacy disclosure requirements;
  • Consider providing consumers with disclosures about the extent to which platforms review apps prior to making them available for download, and compliance checks they undertake afterwards;
  • Consider offering a mobile Do Not Track mechanism for smartphone users to allow them to prevent tracking by ad networks or other third parties.

According to the report, advertising networks and other third parties should communicate with app developers to enable the developers to provide truthful disclosures to consumers, and with platforms to ensure effective implementation of the Do Not Track mechanism. Further, app developer trade associations, as well as academics, experts and privacy researchers are encouraged to develop short form disclosures for app developers, promote standardized app developer privacy policies to enable consumers to compare data practices between apps, and to educate app developers on privacy issues.

In conjunction with its staff report, the FTC also released a new business guide, titled "Mobile App Developers: Start with Security", which is intended to provide guidance for app developers to address mobile data security.

SETTLEMENT WITH HEAVY FINES FOR THE OPERATOR OF THE SOCIAL NETWORKING APP PATH

On the same day as the staff report, the FTC also announced that Path, Inc., the operator of the social networking app Path, had settled a case filed by the FTC regarding the alleged collection of personal information from users' address books without their knowledge and consent. According to the FTC, the user interface of Path's app was misleading and provided consumers no meaningful choice regarding the collection of personal information. Moreover, Path's privacy policy was alleged to deceive consumers by claiming that Path automatically collected only certain user information, such as IP address, operating system, browser type, address of referring site, and site activity information, while in fact one version of the Path app also collected information from users' address books.

Finally, according to the FTC, Path violated the Children's Online Privacy Protection Rule (the COPPA Rule) by collecting information from children under age 13 without providing notice and obtaining parental consent (see also our earlier Legal Alert relating to the FTC's amendments to the COPPA Rule, available at http://bit.ly/WVBnR1).

The settlement requires Path to create a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years. Moreover, Path agreed to pay a fine of $800,000 for the alleged COPPA violation and to comply with COPPA.

IMPLICATIONS

As is evident, the regulations affecting the mobile marketplace are evolving rapidly. The Recommendations of the California Attorney General and the FTC's Staff Report serve as an indication of the U.S. authorities' continuing commitment to monitor the mobile domain, while the Path settlement reflects the FTC's ongoing efforts to ensure that companies live up to their privacy promises.

In light of the above and taking into account the global nature of the mobile app market, app developers, companies for which apps are developed by third parties, platform providers and advertising networks are strongly recommended to review their privacy practices. If you are interested in learning more about mobile privacy regulations or need to review your privacy practices or policies, please contact us at your convenience.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.