FTC Mobile Apps Report Calls on Industry To Adopt Strong Privacy, Security Measures


By Donald G. Aplin  

Mobile device applications platforms and developers should improve their disclosures to ensure that users understand how their personal data will be collected and used, the Federal Trade Commission said in a staff report released Feb. 1.

If they do not work quickly to achieve that goal, the mobile apps industry may face strong regulatory or legislative privacy mandates, outgoing FTC Chairman Jon Leibowitz said during a Feb. 1 teleconference with reporters on the report. If developers do not act now, “industry is far more likely to face more prescriptive policies down the road, and … not very far down the road,” he said.

Lisa Sotto, a partner at Hunton & Williams LLP, New York City, said in a Feb. 1 statement to BNA: “For key players in the mobile space, the message is clear: pay close attention to the shifting landscape and don't wait to take action to increase transparency.”

The staff report was released concurrently with an announcement of a settlement with the developer of a social networking app over charges it collected personal information from mobile device address books without the consent of users, including children (see related report).

The issuance of an $800,000 monetary penalty in the settlement demonstrates that the principles of the mobile apps report “will not be guidance without teeth,” Paul Bond, a partner at Reed Smith LLP, in Princeton, N.J., told BNA in a Feb. 1 statement.

California Connection?

Bond suggested that the report signaled federal support of the mobile apps privacy enforcement position taken by California Attorney General Kamala Harris (D).

Harris worked with large mobile app developers to reach agreement on broad privacy principles in sync with the state's privacy laws (11 PVLR 375, 2/27/12). She subsequently issued 30-day warnings to developers not in compliance with those principles (11 PVLR 1623, 11/5/12), and then sued over an application still not in compliance (11 PVLR 1776, 12/10/12).

More recently, Harris issued recommendations to provide apps developers guidance on how to comply with California privacy law (12 PVLR 80, 1/14/13).

Leibowitz and other FTC officials told reporters that although the commission communicated with Harris, the situation in California--with a slate of privacy statutes and a strong privacy provision in its constitution--was different than the federal situation.

The FTC does not have the kind of specific statutory enforcement authority that the AG has on privacy issues in California, Leibowitz noted, adding that he hoped the commission would continue to push Congress to grant it broader power to seek civil monetary penalties.

Report Recommendations

The FTC said the report was based, in part, on commentary at its May 2012 public workshop on mobile devices that focused on digital privacy disclosures (11 PVLR 891, 6/4/12).

Leibowitz said the FTC mobile privacy oversight process and new report were separate and independent of the mobile privacy code of conduct multistakeholder process being conducted by the Department of Commerce's National Telecommunications and Information Administration (12 PVLR 136, 1/28/13).



The report said that mobile apps platforms should:

• directly before an app is downloaded, obtain affirmative opt-in consent from users to allow collection of certain sensitive information, such as geolocation;

• consider seeking such consent before uploading other personal information, such as contacts, calendar entries, and photographs;

• consider adopting a better way to allow users to review the types of data accessed by an app they have downloaded, and including an icon that depicts the transmission of user data;

• promote industry best practices, such as requiring developers to make privacy disclosures, conducting compliance checks, and enforcing best practices requirements; and

• consider offering a do-not-track feature for smartphones to give users better control over information used for targeting advertisements.


The report repeats similar recommendations for apps developers and online advertising networks and other third parties that utilize data retrieved from smartphones.

Finally, the report calls on app developer trade associations, academics, privacy researchers, and other experts to assist mobile apps platform providers and developers to meet the privacy and security goals of this largely self-regulatory program.

The FTC Feb. 1 also posted on its Bureau of Consumer Protection Business Center website new data security guidance for mobile apps developers.

The guidance advises developers to implement “reasonable data security” in the development stage of an app and offers a checklist of measures developers should consider to ensure the privacy and security of their users' data.

Meanwhile, the Article 29 Working Party, which is made up of data protection officials from the 27 European Union member states, Feb. 1 announced that it is slated to discuss an opinion on mobile applications at its Feb. 26-27 meeting in Brussels (see related report).


The FTC report, “Mobile Privacy Disclosures FTC Staff Report--Building Trust Through Transparency,” is available at http://www.ftc.gov/os/2013/02/130201mobileprivacyreport.pdf.

The FTC guidance, “Mobile App Developers: Start with Security,” is available at http://business.ftc.gov/documents/bus83-mobile-app-developers-start-security.
