Keywords: personal information, mobile devices, mobile privacy

The amount and types of personal information available on mobile devices, combined with the unique privacy concerns raised by mobile technology, has resulted in mobile privacy emerging as one of the key privacy topics of the year. Numerous agencies and organizations—both public and private—have issued guidance for best practices regarding mobile privacy, including the Federal Trade Commission (FTC), the California Attorney General and many private trade associations. Many states have also introduced bills related to mobile privacy.

The FTC

The FTC recently issued a report titled "Mobile Privacy Disclosures: Building Trust Though Transparency," which describes its best practice recommendations for mobile privacy. In the report, the FTC seeks to apply to the mobile environment principles from the privacy framework identified in its March 2012 privacy report, such as privacy by design, simplified choice and transparency. The FTC identifies specific guidelines for various participants in the mobile environment, including platform providers, application developers, third-party service providers and trade associations. The recommendations encourage companies to consider privacy from the outset (rather than as an afterthought) and include using just-in-time notices, providing clear privacy policies and obtaining express affirmative consent for the collection and sharing of certain data categories.

States

Many states are also becoming involved in regulating mobile privacy. In 2012, California Attorney General Kamala Harris released a self-regulatory agreement with the major mobile platform providers, including Amazon, Apple and Google, to improve privacy protections. The protections include allowing consumers to review a mobile application's privacy policy before downloading the application (rather than after). The California Attorney General also filed a lawsuit against Delta Airlines in late 2012 for failing to comply with the state's Online Privacy Protection Act, which requires that any mobile applications that collect personal information to conspicuously post a privacy policy. Earlier this year, the California Attorney General also issued recommendations for mobile application privacy in a report titled "Privacy on the Go: Recommendations for the Mobile Ecosystem." The report targets mobile application developers, application platform providers and other mobile participants, and, similar to the FTC report, it recommends incorporating privacy practices in an application's initial design stages and using enhanced measures to draw the user's attention to data practices that may be unexpected.

Other states have also begun proposing legislation related to mobile privacy. Some courts had previously ruled that police do not need a warrant from a judge in order to obtain mobile phone location data (such as GPS information) and that they only needed to show that the data contained "specific and articulable facts" related to an investigation, which is a lesser standard than probable cause. In response, Delaware, Maryland, Texas and Oklahoma have each proposed laws that would require police to obtain a warrant for location data. (California had previously passed such a law, but its governor vetoed it.) In addition, the proposed legislation in Texas would also require mobile carriers to issue an annual transparency report to the public, reporting how often they receive demands from law enforcement for mobile device-related data and how much information the mobile carriers disclose.

Private Trade Associations

Many private trade associations have issued their own mobile privacy principles. The Mobile Marketing Association, a global trade association for the mobile industry, released a mobile application privacy policy framework in late 2011. The framework provides an annotated model privacy policy to be used as a starting point for mobile applications. The GSM Association, a worldwide association of mobile operators, also released a report listing mobile privacy principles in 2012, with the objective of "foster[ing] business practices and standards that deliver meaningful transparency, notice, choice and control for users with regards to their personal information and the safeguarding of their privacy." The Digital Advertising Alliance also plans to unveil a set of mobile privacy guidelines this year.

While the majority of the recent mobile privacy developments have been in the form of best practice recommendations, rather than binding law, these recommendations are likely a sign of things to come. The recommendations may evolve into standards, and companies that fail to heed them may become subject to investigations and enforcement actions in the future.

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2013. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.