
Mobile Apps Invite Privacy Problems

September 2011

The iPhone, Android devices and, more recently, the iPad and similar devices have spawned a new industry producing applications for mobile devices.  Mobile apps help users find their way, conduct banking, make hotel and restaurant reservations and participate in social networks while on the go. 

Data Collection

Apps that accomplish such tasks, and even many that do not, require users to provide personal information, including name, contact information, passwords and sometimes financial account information.  Many mobile apps also collect and record the user's location.  In a number of instances, developers have designed their apps to collect more data than may be needed, strictly speaking, to run the app, thinking that the additional data might prove useful someday. 

Apps that are operated by businesses that also run websites may be collecting data about a given individual from two sources (the Web and the mobile device).  The business may or may not combine these data in its internal records.

What happens to this data?  The privacy practices of mobile apps have received relatively little attention, but recent analyses suggest that few apps are addressing privacy issues.  A recent survey of 100 apps available from the iTunes App Store and the Android Market concluded that 39 left sensitive information readily recoverable from smartphones.  In other words, those apps retained sensitive data in plain text on the device.  Some apps stored email attachments on the device.  According to the survey, better privacy practices included either encrypting the user name and/or password or not storing that data at all.

Nor do many apps appear to be making representations about their privacy practices.  A second recent survey, conducted by the Future of Privacy Forum, found that 22 of the 30 most popular mobile apps did not contain a privacy policy either on the downloaded app or at the website of the application developer.  It found that only one (Angry Birds iOS) contains a privacy policy link within the user interface.  Part of the problem may be the difficulties inherent in providing privacy information on the small screen of a smartphone, but part of the problem may simply be a lack of attention.

FTC Begins Enforcement

Mobile apps are not immune from federal law.  Federal Trade Commission (FTC) Commissioner Julie Brill told a meeting of the American Bar Association (ABA) in early August that "The screen is small, but Section 5 applies."  Section 5 of the FTC Act prohibits unfair and deceptive trade practices and serves as the legal basis for most of the FTC's privacy enforcement actions.  The FTC has recently begun to focus increased attention on mobile apps, and although to date, the FTC has not brought a Section 5 enforcement action against a mobile app for an unfair or deceptive practice, it seems only a matter of time.

Indeed, the FTC very recently brought a case against a mobile app developer, but under the Children's Online Privacy Protection Act (COPPA) and not Section 5.  On August 15, 2011, the FTC announced that W3 Innovations, LLC, a developer of mobile applications for the iPhone and iPod Touch, will pay $50,000 as part of a consent decree to settle charges that it illegally collected information from children without first obtaining parental consent.  This is the first time that the FTC has charged a mobile application developer with violating COPPA.

Under COPPA, a website operator may not collect via the Internet personal information (such as a first and last name, address, phone number, e-mail address or Social Security number) from children under 13 without first obtaining "verifiable" consent from their parents.  Additionally, website operators that collect personal information from children are required to post an accurate privacy policy online.

The FTC alleged that W3 Innovations used its "Emily" character-themed applications to collect thousands of e-mail addresses from underage children whom it had encouraged to e-mail "Emily."  It also allowed users to post personal information on public message boards.  The FTC charged that because the applications send and receive information over the Internet, they are subject to COPPA.  In settling the case, the defendants agreed to a number of reporting and recordkeeping requirements.

What Should Mobile App Developers Do?

Many mobile app developers are simply unaware that laws may apply to the consumer data that they collect.  App developers should devote some effort to becoming aware of the laws and the legal risks that they run regarding privacy.

Even well-informed app developers, however, face a substantial problem in presenting a privacy policy on the small screen of a mobile device.  Doing so is challenging, but the FTC's position is that the difficulty does not excuse unfair or deceptive practices.  Consistent with the FTC's staff report on consumer privacy of last autumn, Commissioner Brill used her ABA remarks to urge industry to use the principles of privacy-by-design and simpler forms of notice to work privacy considerations into the design of an app.  She has also called on the industry to develop simpler forms of notice, including icons.  Some privacy sector firms are currently working to develop shortened, easy-to-use methods that app developers could employ.

What About Location?

The collection and use of location data from mobile devices remains extraordinarily sensitive and controversial.  Remember the stir (and the lawsuits) earlier this year caused by the discovery that the iPhone and Android devices were maintaining lists of Wi-Fi hotspots near users' locations?  The stir has subsided, but the litigation continues.  And a great deal of uncertainty exists regarding how often and when apps use location data, or disclose it to third parties.

Legislation introduced in the Senate this summer would require businesses to obtain a user's consent before collecting a user's location or sharing a user's location-based data.  Although that bill may not become law, there are other ways that a consent requirement could be imposed on the collection and use of location-based data.  Many apps, of course, already include a consent feature, but many others do not.  Businesses contemplating the use of location-based data should consider how best to balance a user's privacy interest with their business needs, and how best to obtain a user's consent.