Developments Concerning Privacy in Mobile Apps
As 2012 drew to a close, the privacy practices of mobile applications continued to attract significant interest from both law enforcement officials and policymakers. Here are some of the most important developments, with a forecast for what app developers and businesses that use their products should do and expect.
Following through on her warning, in early December Ms. Harris sued Delta Air Lines for an alleged failure to comply with CalOPPA. The Delta lawsuit is the first enforcement action since the October warning letters.
The Attorney General's action against Delta serves as an example for other businesses. If your business has customers in California, you should consider whether it is subject to this law.
FTC Issues Report Highly Critical of App Privacy Disclosures
On December 10, the Federal Trade Commission (FTC) released a report on “Mobile Apps for Kids: Disclosures Still Not Making the Grade.” The report summarized research conducted by FTC staff over the summer into the data practices of many of the top apps in the Apple and Android app stores, and into whether those practices were disclosed to parents. The FTC summarized its conclusion that “many of the apps surveyed included interactive features, such as connection to social media, and sent information from the mobile device to ad networks, analytics companies, or other third parties, without disclosing these practices to parents.”
The conclusions in the report are problematic for app developers for several reasons. First, it will feed the frustration of the agency and its staff that developers have not made great progress in improving app privacy disclosures. This will only attract further regulatory (and congressional) attention.
Second, the report suggests that some developers are collecting data from apps targeted at children in a manner that may violate the Children's Online Privacy Protection Act (COPPA). In general, COPPA forbids operators of websites or online services from collecting personally identifiable information from children under the age of 13 without first securing verifiable parental consent to the collection and use of that personal information. Indeed, the FTC report mentions that the agency is currently conducting a number of enforcement investigations into app practices, and it is reasonable to expect the agency to announce some enforcement actions in the first half of 2013.
What should app developers do while waiting for that next shoe to drop? One important step is to review the app to see what information it collects, and then review what is done with that data after it is collected. This review should ask questions such as: How are the data used? How long are the data retained?
In addition, in late December the FTC announced revisions to its long-standing COPPA regulation. The changes, effective July 1, 2013, will greatly limit the ability of websites and apps to use third-party plug-ins and advertising networks in their services. For example, the FTC rules would require a mobile app that is supported by targeted in-app advertising delivered by an ad network to obtain parental consent to the collection and use of personal information from a child under 13, even if the app itself collects no personal data.
NTIA Multistakeholder Process on Transparency in Mobile App Privacy Practices
Since July, the National Telecommunications and Information Administration (NTIA)—a branch of the Department of Commerce—has hosted a series of multistakeholder meetings that are intended to devise an enforceable code of conduct to promote transparency in the privacy and data practices of mobile apps. This process was initiated by NTIA in response to the White House's “Blueprint for Consumer Privacy,” which called for industry and consumer groups to cooperate in devising binding self-regulatory privacy codes of conduct tailored for different types of technologies.
The process, one unfamiliar to Washington policymakers, got off to a slow start, but by the end of 2012 appeared to be making some progress in identifying potentially useful forms of short notices that developers could readily use. But many issues remained unaddressed by year's end, and it is not yet clear whether the process will successfully produce a consensus.