FTC Releases Recommendations for Mobile Privacy Disclosures

This weekend’s excellent Super Bowl game, which was delayed by a power outage that prompted several announcers in passing to mention the “extra power” used by tablets and smartphones, highlighted that the mobile arena continues to take center stage everywhere. We’ve covered the growing attention on mobile privacy policies and data gathering in recent posts (see, California AG Releases Mobile App Guidelines; Industry Responds; FTC Report: Mobile Apps For Kids Not Making The Grade; Trick or Treat: California’s AG Notifies Nearly 100 Apps of Need for Privacy Policy; etc.). Adding the next domino to the line, the Federal Trade Commission (“FTC”) last Friday, Feb. 1, 2013, issued a new 36-page staff report, Mobile Privacy Disclosures: Building Trust Through Transparency, that recaps the FTC’s previous mobile and online privacy related efforts and distills its latest recommendations for clearly and transparently informing users about mobile data practices in the “rapidly expanding mobile marketplace.” The recommendations are comprehensive.

The Report itself is the culmination of the FTC’s previous “enforcement and policy experience with mobile issues,” most notably its May 2012 workshop (In Short: Advertising and Privacy Disclosures in a Digital World) held with participation from numerous groups to discuss the mobile landscape and privacy disclosures on mobile platforms.

Rather than highlighting merely one facet of the mobile world, the Report cements the FTC’s broad interest in improving privacy disclosures across the entire “mobile ecosystem” in recognition of the mushrooming growth, use and capabilities of mobile devices and smartphones. Today it calls upon app developers, OS providers, carriers, advertisers and mobile device makers.

In particular, the FTC’s oft-stated three key areas of focus (enforcement, outreach and policy initiatives) are each touched upon, driven by the view that mobile tech raises “unique privacy concerns,” due to the coupling of mobile users’ always-on, always-on-hand usage habits and the massive array of applications opening the door to potentially “unprecedented amounts of data collection” that can “build detailed profiles of consumer movements over time and in ways not anticipated by consumers.”

In recapping its past efforts, the Report notes all three core principles laid out in its Mar. 2012 "Privacy Framework," namely, Privacy by Design; Simplified Consumer Choice and Greater Transparency, firmly apply to mobile companies and technologies.

The result is that the Report’s recommendations span the mobile spectrum, with specific “suggestions” for ways to help improve mobile privacy disclosures by (1) mobile platforms, (2) app developers, (3) advertising networks and (4) everyone else, including app developer trade associations, academics, usability experts and privacy researchers.  The FTC doesn’t necessarily stop there, however, recommending in a footnote that “[o]ther mobile ecosystem participants – such as carriers, handset manufacturers, and chip makers – also should review these recommendations carefully and consider how they may contribute to improving mobile privacy disclosures.” A word to the wise…

In short, the FTC recommends that mobile platform providers (i.e., Apple and Google, etc.) should work to:

  • Provide “just-in-time” disclosures and obtain affirmative express consent before allowing apps to access sensitive content through APIs, such as “photos, contacts, calendar entries, or the recording of audio or video content”;
  • Explore development of a one-stop “privacy dashboard” to allow consumers to review the types of content accessed by the apps they have downloaded, with the Report noting two approaches “worth considering” – one framed by content elements and one framed by applications;
  • Consider developing icons to more appropriately depict the real time transmission of various user data;
  • Promote app developer best practices. As an example of ideas “for further consideration” in this category, the Report states platforms could require developers via contractual provisions to make privacy disclosures, and then reasonably enforce these requirements in conjunction with educating app developers;
  • Consider providing consumers with clear disclosures about the extent to which platforms review actual apps prior to making them available for download in the app stores and thereafter conduct “compliance checks” once apps have been placed in the app stores, especially in light of the frequency with which many apps are updated; and lastly
  • Consider offering a Do Not Track (DNT) mechanism for mobile users that would “prevent an entity from developing profiles about mobile users.” The Report states a mobile DNT mechanism, which a majority of the Commission has endorsed, would allow consumers to choose to prevent tracking by ad networks or other third parties as they navigate among apps on their phones.

In turn the Report recommends that App developers should:

  • In keeping with recent efforts of the California Attorney General’s agreement with leading platforms, have a privacy policy for apps and ensure they are easily accessible through app stores;
  • Again, provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information (“such as financial, health or children’s data”) outside the platform’s API (to the extent the platforms have not already provided such disclosures and obtained such consent);
  • Improve coordination and communication with “ad networks and other third parties” that provide services for apps, such as analytics companies, so app developers can provide accurate and meaningful disclosures to consumers; and
  • Explore participating in “self-regulatory programs, trade associations, and industry organizations,” to receive guidance on how to best provide “uniform, short-form privacy disclosures.”

For their part, the Report calls on Advertising networks and other third parties to:

  • Improve communication with app developers to enable developers in turn to provide truthful disclosures to consumers; and
  • Work with platforms to develop and then ensure effective implementation of DNT for mobile participants.

As the final “group” in the mobile landscape, App developer trade associations, academics, usability experts and privacy researchers are being called upon by the Report to:

  • Develop improved short form disclosures for app developers;
  • Promote “standardized” app developer privacy disclosures, terminology, formats, model privacy notices and “badges” (e.g., the Moms With Apps’s privacy badge icon) that will enable consumers to readily compare data practices across apps; and finally
  • Continue to educate app developers about information collection and use practices and privacy issues through “boot camps, workshops, panels and other activities.”

The Report concludes with the observation that, despite the work done to date, “many questions remain” outstanding and that work by the FTC and others in the evolving mobile environment is a work in progress that the FTC “will continue to closely monitor.” We will likewise continue to monitor the FTC's progress, as well as other developments in the mobile arena that could bear on your mobile usage, practices, procedures and policies, and provide actionable recommendations to best comply with the rapidly changing regulatory and contractual landscape.

FTC, Mobile

InfoLawGroup LLP