The FTC and California’s Attorney General Recommend Detailed New Privacy Practices and Disclosures for Entities Operating in the Mobile Environment
The Federal Trade Commission (FTC) and California Attorney General’s office each recently issued detailed guidance for providers of mobile platforms, apps, ad networks, and their trade associations. Building on a series of recent actions emphasizing specific privacy concerns in the mobile space, the FTC on Feb. 1, 2013 released a Staff Report titled “Mobile Privacy Disclosures: Building Trust Through Transparency” which outlines recommendations to improve privacy disclosures and control. The report recommends, among other things, the implementation of a Do Not Track mechanism for mobile devices. In addition, it recommends that mobile “platform” providers (such as Microsoft, Apple, Google and Blackberry) obtain express (opt-in) consent from users and provide additional privacy disclosures.
The FTC Staff Report, which the Commission proposed in its landmark Privacy Report, comes on the heels of the California Attorney General’s January 2013 report, “Privacy on the Go.” The AG’s report addresses not just privacy disclosures, but recommends “best practices” for platforms, app developers, and ad networks that explicitly go beyond existing law. Both reports are intended to influence the Obama administration’s ongoing multistakeholder workshops for mobile privacy overseen by the National Telecommunications and Information Administration (NTIA).
FTC STAFF REPORT ON MOBILE DISCLOSURES
The FTC Staff Report emphasizes the role platform providers should play to improve mobile privacy transparency. The report recommends that the platforms implement further privacy disclosures and obtain opt-in consent from users at the platform level, prior to consumer download of an app. In addition, the report recommends that platform providers use their position in the app development marketplace to exert greater control over app developers’ privacy practices. The report also recommends ways app developers can improve privacy disclosures, and urges coordination with and cooperation by ad networks and trade associations that represent app developers.
Following recent work on increasing privacy disclosures for mobile apps targeted at children, including a revised rule implementing the Children’s Online Privacy Protection Act (COPPA), the recommendations were also released at the same time the agency issued an $800,000 fine against Path, a social networking app developer that allegedly violated children’s privacy protections by collecting personal information. Approved by four of the agency’s five commissioners the report is, however, not binding on the industry. Nonetheless, outgoing FTC Chairman Leibowitz stated that implementation of these recommendations could reduce the possibility of additional regulatory or legislative mandates in this area. In addition, the report reflects the agency’s view that geolocation information is “sensitive” and should be subject to heightened protections, similar to those protections afforded to financial and health data.
FTC Staff Recommendations for Platform Providers
Platform providers are the focus of most of the FTC’s disclosure proposals, in part because they have power to exert significant control over the app market by providing a uniform application programming interface (API) that allows apps to access standard categories of content (e.g., geolocation data, user accounts, browser data). These recommendations include:
“Just in Time” Disclosures Protections for “sensitive” content. As to “sensitive” information (defined by the Commission as precise geolocation, Social Security number, financial, health, or children’s data) the report recommends that platform providers:
- Provide disclosures to consumers just prior to the collection of sensitive information by the app;
- Obtain affirmative express (opt-in) consent prior to apps using sensitive content; and
- Consider providing the same just-in-time notice for other content which may be sensitive in many contexts, such as photos, contacts, or recorded audio or video content.
A Privacy Dashboard. The staff endorses the dashboard approaches of Apple’s iOS6 and Android’s “Settings/App Info” which shows the permissions each app has to access device data.
Privacy Icons. The Staff Report suggests that platforms explore the use of standardized privacy icons to alert consumers that apps are accessing their data, as both Apple and Google now have to depict collection of geolocation data. The report notes, however, that the use of icons requires further consumer testing and iterative design changes in response to test results.
Platform Oversight of Apps. The FTC Staff Report endorses greater control by platform providers over the privacy practices of app developers. It urges platform providers to incorporate and enforce contractual terms with app developers that require the developers to provide just-in-time disclosures and obtain opt-in consent before collecting or sharing sensitive information. The report suggests that platform providers “should do a better job” of disclosing which apps are reviewed by the platform before releasing to consumers.
Do Not Track. Although a Do Not Track mechanism is not related to consumer disclosures like the other aspects of this report, the Staff continues the Commission’s strong preference, absent new legislation, for a Do Not Track mechanism. The Staff Report finds Do Not Track especially important to consumer privacy in the mobile ecosystem, given the omnipresence of most consumers’ mobile devices.
FTC Staff Recommendations for App Developers
The Staff Report’s recommendations for platform providers carry through to its recommendations for app developers themselves. The report recommends that app developers have a privacy policy available for consumers through app stores and provide just-in-time disclosures and obtain express (opt-in) consent.
The report emphasizes that disclosures at the app-level not repeat the same disclosures made at the platform level, so that app developers (and consumers) rely on the app level disclosure if it would otherwise be the same. If, however, the app developer decides to share sensitive information later, it should provide a just-in-time disclosure from within the app, and obtain affirmative consent for that sharing.
The Staff Report suggests developers should improve “coordination and communication” with ad networks that provide services for the app developers (i.e., understand what information the third party is collecting and using). Developers should also consider participating in self-regulatory programs, trade associations and industry organizations that address privacy disclosures.
FTC Staff Recommendations for Ad Networks and Other Third Parties
Given that a main concern of the FTC and other regulators on mobile privacy is the collection and use of data to deliver advanced advertising, the report suggests that ad networks communicate with app developers so they can provide accurate and “truthful” disclosures to consumers. Most specifically, the report notes that ad networks should better explain to developers the function of code provided by the networks. Ad networks are also urged to work with operating platforms to ensure effective implementation of some form of Do Not Track mechanism for mobile devices. The report explains that the staff expects to issue a separate report with updated guidance on advertising disclosures.
FTC Staff Recommendations for App Developer Trade Associations
The Staff Report urges app developer trade associations to work with the app platforms to improve transparency of app privacy practices:
- App trade associations could work with app platforms to develop interactive icons that would appear on smartphones to indicate that an app is collecting data, and allow consumers to quickly determine the data practices that triggered the icon’s appearance;
- Trade associations could develop “badges” akin to the TRUSTe badge, or other short form disclosures that could appear within apps or ads promoting apps. These short form disclosures would allow consumers to quickly determine the general privacy practices of an app, such as “No Ads” for a kids app; and
- Trade associations could develop more standardized privacy policies that will enable consumers to compare data practices across apps.
In conjunction with these recommendations, the Staff Report recognizes that the successful use of privacy icons, badges, and standardized policies will require coordination among app platforms, app developers, and ad networks. The report thus urges stakeholders to work together, as they are attempting through the NTIA stakeholder workshops, to develop complementary and consistent approaches to privacy disclosures.
CALIFORNIA AG RECOMMENDATIONS FOR MOBILE PRIVACY
California Attorney General Kamala D. Harris beat the FTC to press with her office’s report, “Privacy on the Go: Recommendations for the Mobile Ecosystem,” issued Jan. 10, 2013. Although the AG’s recommendations share some of the FTC Staff Report’s recommendations for improved disclosures of mobile privacy practices, the AG’s report includes numerous detailed recommendations reflecting its view of “best practices” for mobile app platforms, developers, and ad networks to comply with both federal and California privacy laws. The AG recommendations are premised on Fair Information Privacy Principles as interpreted by the AG, and reflect the AG’s preferred approach of minimizing surprises to users from practices that they may not have expected from an app.
AG Recommendations for Improved Mobile Privacy Disclosures
Like the FTC Staff Report, the AG’s report includes recommendations for various improvements in mobile privacy transparency. It recommends:
- App platforms should disclose the privacy policies for apps prior to download, and provide other consumer education at the platform level;
- Apps must have clear, conspicuous privacy policies;
- “Just-in-time” or other contextual notice before collection or use of sensitive information;
- Use of a dashboard for consumers to see and control an app’s access to data; and
- Delivery of better information from ad networks to app developers, including the impact of code provided to apps.
- As detailed below, however, the AG’s recommendations are not limited to recommendations for consumer disclosures.
AG Recommendations for Mobile App Developers
Privacy by Design. The AG recommends a detailed “decision path” for mobile app developers to use during development that includes:
- Careful consideration of data the app may collect, use or disclose;
- Use of a checklist or matrix of data collected, and for each type of data an assessment of numerous questions, including the necessity of collection, uses of the data, length of storage, sharing potential, use by third parties, and whether children will use the app; and
- Decisions on privacy practices with respect to each type of data.
Privacy Disclosures. Once the app is developed, the AG recommends creation of a privacy disclosure that accurately reflects those practices. The AG also recommends developers use “enhanced measures,” such as just-in-time disclosures, to alert consumers to “unexpected practices” or uses of sensitive information. Disclosure to third parties of personally identifiable information (PII) for uses such as advertising is an “unexpected practice” that should trigger enhanced measures for disclosure.
Data Minimization. The AG recommends that mobile apps avoid the collection of PII altogether, or otherwise minimize the collection of data for uses that are not related to the app’s basic functionality. The AG report appears to place advertising functions outside of an app’s “basic functionality,” without reconciling the fact, acknowledged elsewhere in the report, that “a common business model” for apps depends on advertising revenue.
Collected data should be kept only as long as necessary to support the intended function or to satisfy legal requirements.
Another recommendation that undermines advertising functions is the report’s recommendation that apps use an app-specific or other non-persistent identifier, rather than a persistent unique identifier. It also recommends that the default setting for all apps be “privacy protective,” implicitly favoring opt-in practices for collections of data that could be deemed “personal,” including device identifiers.
User Access to Data. The AG recommends that apps include mechanisms for users to access any PII collected and retained.
Security. The report recommends limiting access to personally identifiable to those on a need-to-know basis, along with data encryption, compliance with the PCI DSS for entities that collect payment card data.
Privacy Officer. The AG recommends that all developers—with no apparent exception for smaller developers—appoint a privacy officer or other person designated to be responsible for the entity’s general privacy policy and notices. The person should update policies and notices when business practices change, and serve as a point person for privacy compliance and communication. The privacy officer should also “stay informed of new privacy laws and regulations.”
AG Recommendations for App Platform Providers
The AG report repeats key elements of the AG’s agreement last year with the app platform providers. These include recommendations to allow consumers to review app privacy policies before downloading the app, to educate app developers and consumers on privacy rights, obligations, and to give app users a way to report apps that do not “comply with applicable laws,” or to simply ask questions about privacy policies and terms of service.
AG Recommendations for Advertising Networks
The AG report recognizes that ad networks support a common business model for mobile apps by delivering targeted ads and compensation. It thus adopts certain voluntary industry standards (like those contained in Lookout Mobile Security’s Mobile App Advertising Guidelines) as the AG’s own, presumably laying the groundwork for future enforcement.
Specifically, the report recommends that ad networks provide app developers with clear information about their privacy practices, and that the ad networks themselves develop privacy policies following the same recommendations the AG issued for app developers. Ad networks should provide developers with a link to their privacy policies to make the link available for users to review before downloading or activating the app.
Ad networks are advised to avoid the oft-criticized practice of delivering ads outside the context of the app, and at minimum provide clear attribution for the source application responsible for the ad. Ad networks should use “enhanced measures” to provide notice, and obtain prior consent, before accessing users’ personal information at any time.
The AG recommends that ad networks move away from the use of unchangeable device-specific identifiers and begin using app-specific or temporary device identifiers. Apple already disallows apps to use the Apple UDID, and alternative methods of tracking a user are evolving, such as device fingerprinting.
AG Recommendations for OS Developers and Mobile Carriers
Finally, the AG report mentions the role that operating system developers (like Apple, Android and RIM) and mobile carriers should play to promote mobile privacy. These entities are encouraged to leverage their roles in the mobile ecosystem to promote standards for privacy controls, transparency, choice and education of other entities and consumers in the mobile ecosystem.
Davis Wright Tremaine attorneys counsel clients on various privacy matters in the communications and mobile space. Should you have any questions about this matter, please contact us