Monday, February 11, 2013

FTC Provides Privacy Guidance for Mobile App Developers

With about 100 new mobile apps being released every day, how do you keep track of how your personal information is being used?  Mobile apps have been notoriously slow in adopting privacy policies and user-friendly privacy settings.  After some recent pronouncements by the California Attorney General, the Federal Trade Commission issued a new Report on Mobile Privacy Disclosures and some best practice guidelines for mobile app developers last week.

While a great deal of the report is directed at platform developers (such as Apple, Google, Microsoft and Blackberry), there are some recommendations for app developers as well.  These include:
    • Having a privacy policy and making sure the policy is available through the platform's app store
    • Providing just-in-time disclosures and obtaining affirmative express consent when collecting sensitive data outside the platform's API (such as financial, health or children's data) or sharing sensitive data with third parties
      • While app-level disclosures do not need to repeat the platform-level disclosures on data the app collects, if the app developer decides to share that data then the just-in-time disclosures and consents should kick in
    • Understanding the third-party code the app integrates (particularly advertising and analytics components) in order to provide truthful disclosures
    • Considering participation in self-regulatory programs, trade associations, and industry organizations, which can provide industry-wide guidance on how to make uniform, short-form privacy disclosures
The FTC also issued some tips to mobile app developers.  These are more in the nature of suggestions and best practices, such as understanding the platform and libraries you are using and how they collect data, and considering encryption for sensitive data.

The thrust of the FTC's concerns is that privacy be incorporated by design, not by afterthought.  The FTC has demonstrated that it is serious about these issues, and has initiated enforcement actions against companies whose apps do not comply.  For example, the FTC recently settled with the social media company Path.  Path was collecting birth dates as part of the registration process, but its original app did not prevent children under 13 from registering.  Path caught the error on its own and revised the app to kick out children under 13 who tried to register.  But the FTC still enforced an $800,000 penalty for Path's violation of COPPA with its initial design, and is requiring Path to obtain independent privacy assessments every other year for the next 20 years.

The FTC publications, following the California Attorney General's pronouncements last month, make it clear that state and federal regulators are watching the mobile industry closely.  All participants --- app developers, app platforms, and app advertisers --- should carefully review their privacy and data collection policies and those of the apps from which they collect information to make sure that the privacy practices follow the current guidelines and that the data collection practices are consistent with the privacy policies.
