On Friday, February 1, 2013, the Federal Trade Commission ("FTC") released a staff report, Mobile Privacy Disclosures: Building Trust Through Transparency ("Report"), setting forth recommended steps stakeholders in the mobile industry should take to improve consumer awareness of mobile privacy practices. Though they do not have the force of law, FTC recommendations are given great consideration by the industry because they shed light on the types of issues the FTC is focused on and, more importantly, where it is likely to take enforcement actions. 

The Report comes fast on the heels of a similar set of recommendations issued by the California Attorney General (issued January 10, 2013), and the two regulatory proclamations are in general agreement, with one exception. Whereas the California AG puts the primary onus for consumer privacy practice notification on developers, the FTC report recommends that the large, centralized platform providers take primary responsibility for consumer notification.

The Report also continues the FTC's major focus on privacy. In December 2012, the FTC updated its Rule implementing the Children's Online Privacy Protection Act, which also significantly affects the mobile industry. This Report, though, is directed more generally at the mobile industry and suggests steps for protecting the privacy of all users, not just children under the age of 13. The Report includes recommendations for key players in the mobile ecosystem - mobile app platforms; app developers; advertising networks and other third parties; and app developer trade associations - and emphasis was placed on the importance of disclosures and, in particular, the timing of those disclosures.

Mobile App Platforms

The recommendations are largely directed at the platforms that make mobile apps accessible to consumers. The Report referenced major businesses responsible for the development of mobile device and software platforms as the "gatekeepers" of the mobile app marketplace, finding that platforms are in the greatest position to improve privacy disclosures. This is because platforms can set contractual requirements for app developers and reject apps that fail to meet those requirements. The FTC then encouraged platforms to use their gatekeeper role in this manner and provided several mechanisms for platforms to employ.

Just-in-Time Disclosures. Just-in-Time Disclosures are disclosures made immediately before consumer information is accessed: a sort of "Hey, you're about to share some information; are you sure you want to?" type of disclosure. The Report would like platforms to ensure that apps provide these disclosures whenever they are about to access geo-location information and other potentially sensitive consumer information such as photos, contacts and calendar entries, and that consumers affirmatively consent to the data collection after receiving the disclosure. Further, to ensure clarity, the Just-in-Time Disclosures should use language simple enough for any ordinary person to understand.

Privacy Dashboard.  The Report recommended that platforms provide users with a privacy dashboard, which would show users which apps have access to which data in one centralized location. This would provide consumers with the opportunity to occasionally revisit previous choices that they made and stay abreast of who is accessing what.

Privacy Icons.  The Report referenced the use of icons employed by some app developers that appear whenever an app is accessing a user's geo-location information. The Commission endorsed the use of icons in this manner and encouraged more of it.   

The Report strongly encouraged platforms to use their gatekeeper function and the powers of contract as leverage to ensure that app developers employ the suggested disclosures and that apps have privacy policies in general. Moreover, the FTC wants platforms to be reasonably vigilant in the enforcement of these contractual arrangements. Thus, platforms are not expected to sit by idly while apps collect sensitive consumer information without appropriate disclosures in place.

In addition to ensuring that the apps themselves make disclosures, platforms were encouraged to provide transparency about their app review process. Specifically, platforms should, through disclosures of their own, clearly inform users what process is used in reviewing apps and what requirements an app must meet before being made publicly available on a platform.

Last, but not least, the Report recommends that all industry stakeholders add a do-not-track ("DNT") mechanism, but would ideally like to see such mechanisms made available at the platform level. Providing a DNT option at the platform level would allow consumers to make a one-time decision to either allow or prevent entities from developing profiles about them. The Commission prefers this method over an app-by-app decision-making process. Further, the Report recommends that any DNT system be, at a minimum, universal; easy to find and use; persistent; effective and enforceable; and limit collection of data, not just its use to serve ads.

App Developers

The recommendations for app developers largely echo those that platforms are encouraged to require from them. App developers are expected to implement privacy policies detailing a particular app's privacy practices and disclose the information to consumers. Importantly, these policies should be made available at the platform's marketplace before users download the app. The Commission referenced with approval the California Attorney General's 2012 agreement with leading platforms that app developers should provide an optional data field through which they provide a link to an app's privacy policy, the text of the policy or a short statement describing the app's privacy practices.

App developers should also provide Just-in-Time Disclosures and obtain affirmative express consent before collecting sensitive information outside of a platform's Application Programming Interface (API), such as financial, health or children's data, or sharing sensitive data with third parties. This is because this kind of information is particularly sensitive and needs additional safeguards. To be clear, there need not be any overlap of disclosures. So, if a platform provides the disclosure, the app should not have to provide it again, but to the extent that an app goes beyond what a platform disclosure covers, for example if an app not only collects geo-location information but also shares it with a third party, the app developer should provide another Just-in-Time Disclosure and obtain affirmative consent before doing so.

Further, app developers are expected to know more about the relationships they enter into with ad networks and other third parties. Often, ad networks and other third parties provide coding to app developers and developers are expected to know what the coding does in order to provide more truthful disclosures to consumers. Specifically, app developers are expected to take responsibility for the information that third parties are collecting and for what purposes they are using it.

Finally, app developers were encouraged to become involved and stay involved with industry initiatives such as self-regulatory programs, to ensure that they are staying up to date with privacy practices and work to achieve uniformity in those policies.

Ad Networks, Analytics Companies, and Other Third Parties

Ad networks, analytics companies, and other third parties are expected to coordinate and communicate with app developers to enable developers to better convey information about their data collection and use practices to consumers.

Ad networks should also work with platforms to ensure implementation of an effective DNT system for mobile.

App Trade Associations

The Commission encouraged the growth and increased role of app trade associations comprised of all stakeholders. These associations are considered important to help develop and improve standardized disclosures, terminology, formats, and model privacy notices. The notion is that industry-wide uniformity will reduce consumer confusion. The Report also listed some potential ideas for improving such uniformity, namely, the use of icons, badges, or other short standardized disclosure tools. The Report suggested that a given badge could indicate:   

  • whether an app collects or shares data
  • whether an app contains advertising
  • whether an app shares information with social networks
  • whether an app includes external links to other websites  
  • whether any purchases can be made within an app

The FTC strongly encourages these methods but also wants to see that they are consumer tested to make sure that badges or any other disclosure tools clearly and accurately convey privacy practices to consumers.

The Report's main concern with trade associations is that they work to create more standardization across the board. This also applies to the language used in privacy policies. In this regard, the Commission recommends using shorter, simpler language such as "we don't share personal information with marketers", or "location services", or "tracking technologies." The Commission thinks that this or similar language should be used to give consumers the quick idea, and in the event that a consumer wants to know more, they should have the ability to drill down into more granular information seamlessly.

Finally, the Report recommends that in developing standardization tools, associations should consult with experts and academics, test the effectiveness on consumers, and include a robust education campaign for new standardized icons, terminology, format, privacy notices, or other disclosures. The key for all this is uniformity because without it, disclosures will lose their effectiveness.

While the FTC's recommendations provide slightly more clarity on what is expected at the different levels of the mobile app industry hierarchy, they are largely a work in progress. As with all other dynamic industries, mobile apps are changing every day and privacy practices will evolve alongside them. The Report noted this and articulated that the FTC's intent is to ensure that a process is in place and that it adapts as the industry advances.

Ultimately, determining what to disclose and how to disclose it is in large part a commonsense inquiry informed by disclosure obligations. This remains the case, but the Commission's recommendations create some nuance that could require special attention, and are likely a prelude to more well-defined regulations and enforcement actions down the road.
