The Federal Trade Commission Takes Aim at Mobile App Privacy: Why It’s About Time
This past month, the Federal Trade Commission (FTC) has taken two steps that show that it is finally getting serious about privacy protections for mobile applications (apps): (1) It issued a staff report recommending ways in which key businesses in the ever-expanding mobile app universe can better inform consumers about their data collection practices, and (2) It commenced an enforcement action and reached a settlement with Path—a two-year-old mobile social-networking app that lets users “cherish moments”, “recall memories” and create online journals to share with selected friends and family. Through the Path app, users can upload and share photos, written reflections and even the names of songs to which they are listening, as well as their location—think of it like an online scrapbook.
The FTC settlement related to Path’s mobile-privacy practices. The FTC fined Path $800,000 after charging the company with violating federal privacy protections for children by collecting personal information from underage users without parental permission. The regulator also charged Path with misleading users by collecting personal information from their mobile-device address books without their prior consent. The settlement requires Path, Inc. to set up a comprehensive privacy program, and to obtain independent privacy audits every other year for 20 years.
Together, the two actions represent the FTC’s heightened scrutiny of mobile devices, which for many Americans have become the primary way of gaining access to the Internet, rather than through a laptop or desktop computer. I believe that this more intense scrutiny from the regulator is a welcome step. As consumers—including children—migrate to mobile apps and ubiquitous use of their devices, the issues of who is collecting what and when, and how what is collected is being used, have together become a confusing and tangled web. In this column, I will describe the FTC enforcement action and its new report, and why the findings set forth in the report are sensible. Thanks to the action and the report, companies have now been given a roadmap that will help them avoid liability.
The FTC’s Enforcement Action Against Path: Is It Just the Tip of the Iceberg?
Smartphones and tablets offer convenience to consumers, and have become like watches—essential accessories that we always carry with us. They can be used to make phone calls, find the nearest nail salon or pizza parlor, help us find movie times, navigate roadways and even flirt with people who may be nearby. As they serve up lots of useful information to us, however, they also provide intimate data to service providers about who we are, what places we frequent, whom we call and text, what we like to eat and drink, and generally, how we live. Yet it is often unclear to us, as consumers, how an app that we have purchased is collecting our data and either storing or reusing it, or both. Because the mobile device or tablet may be on 24/7, apps may allow data aggregation on a different scale from even that which we provide via social-media platforms that we access via a PC or laptop.
The FTC’s recent enforcement action against Path, the mobile social-networking application provider, illustrates some of the new privacy problems arising in the app space. It also gives consumers and regulators a valuable real-life example of what can go wrong.
In its complaint, the FTC charged that the user interface in Path’s iOS app was deceptive and left consumers with no real choice as to how their personal information would be collected. In version 2.0 of its app for iOS, Path offered an “Add Friends” feature to help users add new connections to their networks. This feature provided users with three options: “Find friends from your contacts;” “Find friends from Facebook;” or “Invite friends to join Path by email or SMS.” Despite these three purported options, however, Path automatically searched and collected personal information from a user’s mobile address book even if he or she had not selected the “Find friends from your contacts” option. For each contact in the user’s address book, Path automatically collected available first and last names, addresses, phone numbers, email addresses, Facebook and Twitter usernames, and dates of birth.
The Issues That Path’s Practices Raised Under the Children’s Online Privacy Protection Act Rule
The FTC also charged that Path, which collects a user’s date of birth information during registration, violated the Children’s Online Privacy Protection Act (COPPA). Path is alleged to have collected personal information from approximately 3,000 children under the age of 13 without first getting their parents’ verified consent. Through its apps for both iOS and Android, as well as through its website, Path—as noted above—enabled children to create personal journals containing songs, photos, music and written thoughts, as well as their precise location at different times. Path version 2.0 also collected personal information from a child’s address book, including full names, addresses, phone numbers, email addresses, dates of birth and other information, where available.
COPPA requires operators of online sites or services that are directed to children, and operators that have actual knowledge of child users on their sites or services, to notify parents and obtain parental consent before they collect, use, or disclose personal information from children under 13.
The FTC’s proposed settlement requires Path to delete information collected from children under age 13 and bars future violations of COPPA.
The Path settlement is important because it demonstrates that there are general privacy problems in the mobile-app space. First, Path did not abide by its own policies when it came to adult users – and even more strikingly also did not do so with its under-thirteen users, who are covered by COPPA.
The FTC Report and Its Key Recommendations
Is there a way forward for app developers? How does one meaningfully notify consumers of their privacy options on mobile devices? The FTC has finally begun to offer some guidance on these issues.
The FTC staff report, “Mobile Privacy Disclosures: Building Trust Through Transparency,” is based in part on the findings of a May 2012 FTC workshop, which brought together stakeholders from industry, trade associations, academia, and consumer-privacy groups to examine how privacy disclosures work in the mobile context. The report recognizes the explosive growth of mobile service. In the fourth quarter of 2012, consumers worldwide bought approximately 217 million smartphones. The report acknowledges that mobile devices raise unique privacy concerns. Unlike other types of technology like PCs that can be shared, mobile devices are often linked to one person, are almost always on, and are with the user. This may lead to unprecedented amounts of data collection. One device can also allow for sharing across multiple platforms, apps and services, leading a consumer to be unaware of where they should turn to sort out their privacy concerns.
The FTC’s recent report makes recommendations for critical players in the mobile ecosystem: (1) operating-system providers, such as Apple, BlackBerry, Google, and Microsoft, (2) app developers and their trade associations, and (3) advertising networks and data analytics companies. Most of the recommendations in the FTC report focus on how consumers could obtain timely, easy-to-understand disclosures about what data of theirs is being collected and how it is being used. Whether disclosures alone are sufficient to empower consumers with information that will help them make smart choices, however, still remains to be seen.
The report cites recent data showing that consumers increasingly are concerned about their privacy on mobile devices. For example, the FTC reports that 57 percent of all app users have either uninstalled an app over concerns about having to share their personal information, or have declined to install an app in the first place for similar reasons. I have discussed some of the privacy concerns of apps in my other columns for Justia’s Verdict.
The FTC report recommends that mobile platforms should provide better disclosures about when apps are accessing sensitive content like geolocation, and should also seek “affirmative express consent” for content that consumers would find sensitive in many contexts, such as contacts, photos, calendar entries, or the recording of audio or video content. The FTC suggests that such platforms should consider developing a one-stop “dashboard” approach, to allow consumers to review the types of content that are being accessed by the apps they have downloaded. The FTC also asks platforms to consider offering a Do Not Track (DNT) mechanism for smartphone users. A mobile DNT mechanism, which a majority of the Commission has endorsed, would allow consumers to choose to prevent tracking by ad networks or other third parties as they navigate among apps on their phones.
The FTC is working with other stakeholders, including the Department of Commerce, to develop a code of conduct on mobile-application transparency. To the extent that strong privacy codes are developed, the FTC will view adherence to such codes favorably in connection with its enforcement work.
The Way Forward: This Is Not Just About the Big Companies
The FTC report lays out a clear picture of what sort of activities might bring a company under investigation. One example would be a company’s conveying the impression that an app will gather geolocation data only once, when, in fact, it does so repeatedly.
For companies like Apple, Google, Microsoft, Amazon and BlackBerry, these suggestions essentially create public policy guidance to which these big players will adhere. But the FTC also has its sights set on thousands of small businesses that create apps that smartphone users can download for thousands of more tailored services they seek—from hailing taxis to finding dog walkers. The FTC report and its recent enforcement action put these smaller companies on notice that their own privacy practices are under scrutiny as well. And in some sense, it is this group of businesses that may have been unaware of their obligations under existing laws such as COPPA.
The FTC recommendations follow a similar set of guidelines issued last month by the California Attorney General. Both the California AG and the FTC will have influence on the key issue of mobile app privacy in the future.