Mobile Apps: FTC Says Vague Privacy Policies and Lack of Terms a Problem

Last week, the FTC released a study it conducted in connection with price-comparison apps, deal apps and apps that allow people to pay for purchases using their mobile device while shopping in brick-and-mortar stores.  The newly released study is the latest commentary from the FTC in a long line of workshops and reports that started in 2012 on the issue of mobile apps, mobile payment mechanisms and related matters, such as mobile cramming and mobile security.  Here are the key takeaways from the latest study:
  • While the FTC found that most of the apps it reviewed had a privacy policy, those privacy policies were vague and reserved broad rights to collect, use and share data without meaningful information about how the apps actually use and share data.  The FTC is looking for less boilerplate and more real details to help consumers evaluate and compare data practices among apps before app installation.  This concept harkens back to the FTC’s report “Protecting Consumer Privacy In An Era Of Rapid Change” in which the FTC stated: “general statements in privacy policies…are not an appropriate tool to ensure [a reasonable limit on the collection of consumer data] because companies have an incentive to make vague promises that would permit them to do virtually anything with consumer data.”  In the current study, the FTC says that the use of broad language to address use and sharing of data “suggests that these app developers may not be evaluating whether they have a business need for the data they are collecting.”  The assessment the FTC alludes to here is part of the overall “privacy by design” concept that we have been discussing with clients for several years now.
  • The FTC is concerned that apps are not disclosing consumers’ rights in connection with payments made via mobile devices.  Specifically, apps that include the ability to accept or make payments need to disclose the process for resolving payment disputes and the consumers’ rights and liability limits for bad transactions (unauthorized, fraudulent, etc.).  The FTC says that consumers do not understand the difference between the automatic liability protections someone might have in connection with the use of their credit or debit card as opposed to lesser protections available for money that might be transferred to the app for use later (similar to a stored value account).  Indeed, the protections for unauthorized or fraudulent transactions between those two categories are likely different.  The Consumer Financial Protection Bureau is currently in the process of lobbying Congress to extend the legal protections afforded to credit and debit card transactions to gift card and similar transactions.  The FTC wants apps to disclose to consumers their potential liability for unauthorized transactions – especially if the liability is different from the normal expectation that most unauthorized credit and debit card transactions receive.
  • The FTC reiterated that strong data security promises (which it found in many of the app privacy policies it reviewed) must translate into strong data security practices.  Honoring the commitments you make in a privacy policy is not a new sentiment from the FTC.  The FTC did not include any results in its study that suggests the data security statements in the privacy policies were untrue.  In fact, for this study, the FTC did not test the actual security practices of any of the apps reviewed.

The FTC made several comments in the study indicating that it liked seeing that so many apps posted privacy policies.  Nonetheless, while that is a step in the right direction, making those policies meaningful is where the focus is now.  To that end, it bears repeating that there is no such thing as a template or boilerplate privacy policy.