FTC offers mobile app privacy advice
Sept. 12, 2012 -- One of Washington’s hot issues at the moment involves what kind of privacy requirements should be imposed on developers of mobile apps (a recent study by the Pew Internet Project found that half of the 43 percent of cell phone users who download apps take preventative measures to keep their information from being shared with app developers). The Commerce Department is leading a “multi-stakeholder process” designed to develop enforceable rules in this area.
But despite the uncertainty as to how those rules will develop, the Federal Trade Commission has stepped in with its own guidance.
The FTC’s posting, “Marketing Your Mobile App: Get it right from the start,” attempts to provide guidance for businesses using mobile apps. Its truth-in-advertising sections are standard, but its privacy recommendations arguably go beyond existing law.
The FTC posting initially advises businesses to build privacy considerations into their practices from the start. That’s the FTC’s new “privacy by design” mantra. Among other things it calls for retaining only information that is necessary, and for making default privacy settings “consistent with what people would expect based on the kind of app you’re selling.” While the tagline “privacy by design” is new, these principles are consistent with existing privacy laws.
Next, the FTC urges transparency about privacy practices, particularly with respect to data sharing: “For example, if you share information with another company, tell your users and give them information about that company’s data practices.”
The agency’s third key guideline, about making privacy choices easy to find and use, relates to the FTC’s concern that many privacy policies are so long and legalistic that consumers will never read or understand them. Long legal disclosures are a particular problem for mobile apps, where some disclosures involve scores of screens of text. But the FTC’s advice consists mostly of just giving the legal requirements (“clear and conspicuous,” “easy to find,” “simple to use”) while leaving app developers the difficult job of applying those principles.
The agency goes on to emphasize the number-one principle of privacy law (“Honor your privacy promises”), and to point out the special rules for any intentional collection of information from children. It also points out the need to keep data secure.
Significantly, the posting asserts that app developers need express consent before collecting “sensitive information,” which it defines to include “medical, financial or precise geolocation information.” At least with respect to geolocation information, this arguably goes beyond existing law. For example, where collection and use of geolocation data is essential to the app, many developers presume consent from the consumer’s installation and use of the app. And the issue of whether geolocation information should be deemed “sensitive,” and thereby subject to special rules, is one of the key issues in the current mobile app privacy debate.
The FTC’s guidance may be vague -- and it may have stretched the law a bit -– but if you are involved with mobile apps, it is worth consulting and considering.
By Mark Sableman, ABM information policy counsel