FTC Mobile Privacy Report

On February 1, 2013, the FTC released a new report, Mobile Privacy Disclosures: Building Trust Through Transparency, setting out current data protection best practices for mobile operating system (OS) providers and app-developers.

The report’s guiding principle is that these providers must work to give mobile device users:

(1)  clear understandings of how her information is being collected, and

(2)  tools to manage and protect access to her data.

The FTC recommends that app-developers and OS-providers integrate specific privacy designs into their products, to protect themselves from future FTC actions.  It also recommends a general ‘privacy by design’ approach, which would prioritize data minimization, data security, and procedural safeguards at every stage of product development.

It also pushes ad networks, third-party data collectors, and app-industry groups to put a priority on data protection measures, so that they encourage OS-providers and app-developers to provide users more notice and controls.

Recommendations for OS-providers

The FTC focuses on OS-providers as the main stakeholder who can promote data protection. This is because OS-providers largely determine the users’ experience & awareness of data privacy, and because they have substantial leverage over app-developers.

The FTC recommends OS-providers build in privacy alerts and management tools for users, and that they implement enforceable standards for app-developers. These best practices are:

Privacy Alerts for Users

• Definitely provide ‘just-in-time’ warnings (i.e., just prior to the collection of information) to the device-owners before apps can access ‘sensitive content’ — especially geolocation. Ask the user if she agrees to let the app access the data, and only if she consents, will the app be granted access.
• Consider providing ‘just-in-time’ consent interfaces for apps’ collection of semi-sensitive content, including contacts, photos, calendar entries, and the recording of audio or video.
• Publish a clear policy about how the OS-provider reviews apps before they are released for download.

Management Tools for Users

• Build a dashboard into the platform, on which the user can review what types of content certain apps can access, and what data apps have already accessed.
• Create a set of universal icons that communicate to the user what data is being accessed by an app.
• Offer users a Do Not Track mechanism, which would let them choose to prevent tracking by ad networks and other third parties while using apps, unless apps get their consent.

Supervision of App-Developers

• Require developers to disclose data collection to users and have a privacy policy in place, through contract provisions.
• Educate developers about best practices in data protection.
• Conduct compliance checks of apps, to determine if they are in violation of data protection standards.  If the standards are not met, then enforce them by taking action against the developer.

Recommendations for App-Developers

The FTC also focuses on what app-developers could be doing better regarding data protection.  It recommends the following best practices:

Privacy Alerts for Users

• Post a privacy policy on the app store about how they may collect and distribute users’ data.
• If the OS-provider does not do so already, provide ‘just-in-time’ warnings to users before collecting data, and only accessing the data if the user explicitly consents to it.

Oversee Ad Networks & 3^rd Parties

• Before integrating third-party code into an app (e.g., for ads or for analytics), first determine what user information the third-party will be collecting.
• Communicate to the user that this third-party data collection will occur.

Reach out for Guidance

• Take advantage of self-regulatory programs, trade associations, and industry organizations to stay up-to-date on what best practices are.
• Follow the National Telecommunications & Information Agency’s upcoming privacy code of conduct.

Enforcement & consequences

The FTC emphasizes that it will enforce data protection standards for mobile businesses.

It points to its recent action against Path for their collection of users’ address book data and collection of children under 13 without parental consent – and by their action against Frostwire for a peer-to-peer file-sharing app that would lead to users’ unwitting exposure of personal files on their device.

The FTC has put together this report of recommendations so that mobile businesses can avoid such actions.  If OS-providers and app-developers implement these designs, and if they comply with the upcoming NTIA privacy code of conduct, the FTC indicates that this compliance will insulate companies from law enforcement actions.