News & Insights  |  Newsletters

Federal Investigators Eyeing Data Collection by Smartphone Apps

May 2011

As companies continue to use smartphone applications and online services to expand their potential audiences, a federal prosecutor is exploring whether some applications illegally collect and share personal information. Streaming-music provider Pandora disclosed in a recent Securities and Exchange Commission filing that it and other smartphone app publishers received subpoenas about their practices in early 2011.  A federal grand jury in New Jersey apparently is investigating whether app publishers properly disclose the full extent of their data collection and sharing practices. 

Prosecutors appear to be focused on whether such data collection practices violate the Computer Fraud and Abuse Act (CFAA), an anti-hacking law passed in 1994, long before the recent iPhone-fueled proliferation of mobile apps.  The Act prohibits a person or company from, knowingly and with the intent to defraud, exceeding authorized access to devices with storage capabilities.  Some mobile app publishers may be harvesting personal information, location information and financial account details made available through apps.  If so, prosecutors could be proceeding under a theory that app publishers have exceeded their authority to access personal information via smartphones, as users granted only limited authority to publishers when they downloaded apps.  Notably, the CFAA does not prevent companies from using a smartphone app or other online service to collect and share personal information.  Rather, it focuses on whether such collection exceeds authorized access and amounts to fraud.

Also, it remains to be seen whether prosecutors will proceed further than demanding information from mobile app providers.  Prosecutors may find it difficult, actually, to establish a CFAA violation.  In 2001, federal courts in New York and California rejected civil lawsuits claiming that installing cookies on computers violated the CFAA, holding that individual damages did not exceed the $5,000 threshold required for a CFAA claim. 

Yet, to avoid potential liability under the CFAA, companies with an online presence may wish to conduct a thorough review of how they collect, use and share personal information via mobile apps and other online services.  Such a review should examine whether published privacy policies reflect actual data usage practices and are reasonably comprehensive, easy to read and easy to access. 

Wiley Rein regularly helps its clients conduct reviews of current privacy practices and privacy policies, and can provide guidance on how your business can avoid potential liability under the CFAA and other privacy-related legal regimes. 

*District of Columbia Bar pending. Supervised by principals of the firm.