On December 10, 2012, the FTC released a follow-up to its February 2012 report on mobile apps for kids. The February 2012 report found that little or no information was available to parents about the privacy practices of the mobile apps the FTC surveyed on Apple’s App Store and Google’s Android Market. The FTC’s follow-up report finds that, by and large, privacy and other material disclosures are still not being made available to parents prior to app download or at all. Moreover, the follow-up report finds that where there are privacy disclosures, the disclosures sometimes contradict the actual practices of the app. Indeed, the FTC’s methodology in the new report went a step beyond the methodology used in the February 2012 report and tested app practices and compared them to the disclosures made. The privacy practices analyzed not only touched on the collection of obvious personal information, but also the collection and sharing of mobile device unique identifiers, how in-app purchases are addressed and the presence of social media integrations. To quote directly from the FTC report: “The results of the survey are disappointing. Industry appears to have made little or no progress in improving its disclosures since the first kids’ app survey was conducted….” As the FTC did in the February 2012 report, the FTC is calling on all players in the app ecosystem to take responsibility for privacy disclosures and compliance — not just app developers, but also the platform/store providers, the ad networks, etc.
Here are the key takeaways from the report (importantly, not all are specifically privacy related):
- The FTC wants privacy and other material disclosures about an app to be provided prior to download of the app. Note that it is my belief there is still a place for meaningful contextual privacy disclosures (i.e., disclosures made at the time information is accessed/collected during interaction with an app).
- The FTC found that 60% of the apps reviewed transmitted a device identifier to the app developer and to advertising networks, analytics companies or other third parties. It is a real problem if your app discloses personal or device information to third parties (including ad networks or analytics companies ) when that fact is not disclosed in an available privacy disclosure. The FTC’s comments in the report demonstrate how concerned they are with the ability to develop a detailed profile associated with a particular device ID when apps share data with the same company (for example an ad network) without adequate disclosure of that practice.
- The FTC noted a concern with the screen shots displayed on an app’s promotion page. In some instances they found promotion pages for apps that showed the app pages without advertising; however, when using the app, the kids app included advertising and sometimes advertising for a mature audience (such as dating services). Hence, the app promotion page must not misrepresent the app.
- The FTC noted that many of the apps surveyed allowed for in-app purchases, and while the apps provided some information about in-app purchasing, the information was not enough and was sometimes confusing. The FTC wants specific information disclosed about in-app purchases, such as why the in-app purchases are being offered, whether they may result in recurring charges, whether further parental authorization is required to make them, and the applicable refund policies.
- The FTC is concerned with in-app links to social media platforms (e.g., to post a drawing made in the app on a social media platform). The FTC says that the presence of social features within an app is a material disclosure that needs to be made to parents prior to download.
- The FTC wants the entire app ecosystem to adopt the 3 principles laid out in the FTC’s Privacy Report: (1) adopting a “privacy-by-design” approach to minimize risks to personal information; (2) providing consumers with simpler and more streamlined choices about relevant data practices; and (3) providing consumers with greater transparency about how data is collected, used, and shared.
As the FTC points out in its new report, the issuance of this report comes at the same time a number of other agencies and states are engaging in mobile app policy, enforcement and educational initiatives (for example, the California Attorney General and the U.S. Department of Commerce). Of course, I am publishing this post on the same day that the FTC is announcing its updated COPPA rule, and we will have more information on that development soon.