By Donald G. Aplin
Mobile device applications platforms and developers should improve their
disclosures to ensure that users understand how their personal data will be
collected and used, the Federal Trade Commission said in a staff
report released Feb. 1.
If they do not work quickly to achieve that goal, the mobile apps industry
may face strong regulatory or legislative privacy mandates, outgoing FTC
Chairman Jon Leibowitz said during a Feb. 1 teleconference with reporters on the
report. If developers do not act now, “industry is far more likely to face more
prescriptive policies down the road, and … not very far down the road,” he
Lisa Sotto, a partner at Hunton & Williams LLP, New York City, said in a
Feb. 1 statement to BNA: “For key players in the mobile space, the message is
clear: pay close attention to the shifting landscape and don't wait to take
action to increase transparency.”
The staff report was released concurrently with an announcement of a
settlement with the developer of a social networking app over charges it
collected personal information from mobile device address books without the
consent of users, including children (see related report).
The issuance of an $800,000 monetary penalty in the settlement demonstrates
that the principles of the mobile apps report “will not be guidance without
teeth,” Paul Bond, a partner at Reed Smith LLP, in Princeton, N.J., told BNA in
a Feb. 1 statement.
Bond suggested that the report signaled federal support of the mobile apps
privacy enforcement position taken by California Attorney General Kamala Harris
Harris worked with large mobile app developers to reach agreement on broad
privacy principles in sync with the state's privacy laws (11 PVLR 375, 2/27/12).
She subsequently issued 30-day warnings to developers not in compliance with
those principles (11 PVLR 1623, 11/5/12), and then sued over an application
still not in compliance (11 PVLR 1776, 12/10/12).
More recently, Harris issued recommendations
to provide apps developers guidance on how to comply with California privacy law
(12 PVLR 80, 1/14/13).
Leibowitz and other FTC officials told reporters that although the commission
communicated with Harris, the situation in California--with a slate of privacy
statutes and a strong privacy provision in its constitution--was different than
the federal situation.
The FTC does not have the kind of specific statutory enforcement authority
that the AG has on privacy issues in California, Leibowitz noted, adding that he
hoped the commission would continue to push Congress to grant it broader power
to seek civil monetary penalties.
The FTC said the report was based, in part, on commentary at its May 2012
public workshop on mobile devices that focused on digital privacy disclosures
(11 PVLR 891, 6/4/12).
Leibowitz said the FTC mobile privacy oversight process and new report were
separate and independent of the mobile privacy code of conduct multistakeholder
process being conducted by the Department of Commerce's National
Telecommunications and Information Administration (12 PVLR 136, 1/28/13).
The report said that mobile apps platforms should:
before an app is downloaded, obtain affirmative opt-in consent from users to
allow collection of certain sensitive information, such as geolocation;
seeking such consent before uploading other personal information, such as
contacts, calendar entries, and photographs;
adopting a better way to allow users to review the types of data accessed by an
app they have downloaded, and including an icon that depicts the transmission of
industry best practices, such as requiring developers to make privacy
disclosures, conducting compliance checks, and enforcing best practices
offering a do-not-track feature for smartphones to give users better control
over information used for targeting advertisements.
The report repeats similar recommendations for apps developers and online
advertising networks and other third parties that utilize data retrieved from
Finally, the report calls on app developer trade associations, academics,
privacy researchers, and other experts to assist mobile apps platform providers
and developers to meet the privacy and security goals of this largely
The FTC Feb. 1 also posted on its Bureau of Consumer Protection Business
Center website new data
security guidance for mobile apps developers.
The guidance advises developers to implement “reasonable data security” in
the development stage of an app and offers a checklist of measures developers
should consider to ensure the privacy and security of their users' data.
Meanwhile, the Article 29 Working Party, which is made up of data protection
officials from the 27 European Union member states, Feb. 1 announced that it is
slated to discuss an opinion on mobile applications at its Feb. 26-27 meeting in
Brussels (see related report).
The FTC report, “Mobile Privacy Disclosures FTC Staff Report--Building Trust
Through Transparency,” is available at http://www.ftc.gov/os/2013/02/130201mobileprivacyreport.pdf.
The FTC guidance, “Mobile App Developers: Start with Security,” is available