FTC Releases Business Guide for Mobile Apps
Underscoring its view that long-standing FTC guidance on fair and transparent consumer privacy practices applies equally to mobile applications, on September 5th the FTC released Marketing Your Mobile App: Get It Right from the Start.
This publication draws attention to several key guidelines the FTC believes every app developer should follow:
- “Tell the Truth About What Your App Can Do”: A developer must provide solid proof – what the FTC calls “competent and reliable evidence” – to support any claims made about an app.
- “Disclose Key Information Clearly and Conspicuously.” Key disclosures must be large enough and clear enough so that users not only notice these disclosures, but also understand them. In other words, no hiding important terms and conditions inside a maze of legal jargon – write for laypersons.
- “Build Privacy Considerations In From the Start.” This is a reiteration of the FTC’s “privacy by design” principle. It means that developers should be baking in privacy protection practices from the start of the product cycle. This means limiting what personal information is collected, storing important data securely, and disposing of what you no longer need.
- “Be Transparent About Your Data Practices.” Provide a clear explanation of exactly what information the app collects and what is then done with the data.
- “Offer Choices That Are Easy to Find and Easy to Use.” Provide tools such as privacy settings, opt-outs, etc., so that users can easily and intuitively control how their information is collected.
- “Honor Your Privacy Promises.” If you make claims about your privacy settings, you must honor those claims. This means that companies must pay attention to what they say in their privacy policies – particularly when product models, business models, and data usage models change.
- “Protect Kids’ Privacy.” Under COPPA and the FTC’s COPPA Rule, operators who knowingly collect data from children under 13, or whose apps are directed to those ages, must clearly explain their information practices and get parental consent before collecting personal information from children. For more information on the FTC’s latest proposed amendments to the COPPA regulations, go here.
- “Collect Sensitive Information Only With Consent.” ALWAYS get consent before collecting any sensitive data from users. Sensitive information in this context would be, for instance, potentially harmful financial information, medical information (as with the numerous health-related apps that have recently come to market), or precise geo-location information (and particularly near-field communication or other micro-targeted geo-location data).
- “Keep User Data Secure.” Regardless of what disclosures are made, the FTC considers developers to be required to keep all sensitive data secure. The FTC suggests that the wisest policy is to: “collect only the data you need…secure the data you keep by taking reasonable precautions against well-known security risks…limit access to a need-to-know basis…and safely dispose of data you no longer need.”
If you are an app developer or are considering developing applications, the FTC also offers “Protecting Personal Information: A Guide for Business,” and an accompanying online tutorial to assist in developing a proper security plan for your business.
This is another warning sign that the FTC is taking app privacy seriously – a signal of more regulatory action to come. In the privacy space in general (but particularly as to mobile and children’s privacy), the FTC has followed a regulatory arc of increasingly steep fines alongside increased education efforts: in May 2012, for instance, the FTC held a broadly informative, one-day workshop on mobile privacy. In February 2012 it went so far as to issue a warning tailored to businesses regarding potential FCRA violations in the mobile app space. And in March 2012, it issued a report evaluating how mobile apps treat children’s privacy – re-emphasizing that children’s privacy is perhaps foremost on its list of concerns in the app market.
At the same time, it has assessed increasingly onerous fines for privacy violations. Last summer, the FTC fined W3 Innovations $50,000 for allegedly violating COPPA by taking personal information from children under 13 without parental consent – emphasizing in the process that COPPA applies in the mobile setting. (COPPA subjects companies to fines of up to $16,000 per violation.) More recent settlements suggest higher penalties on the horizon for violators, such as the FTC’s $22.5 million penalty against Google for allegedly misrepresenting its tracking activities to users of Apple products.
In an interview with a popular blog, an FTC spokesperson dismissed the notion that only major players such as Facebook or Apple are in their sights: the spokesman states, “when we consider any app that’s part of an ecosystem, we look at all the players . . . just because you’re small or your entity is new doesn’t mean you’re not part of the same system and subject to the same legal standards as everyone else.”