Keywords: mobile technology, privacy, mobile devices
Mobile technology raises new and unique privacy concerns due to the unprecedented amounts and types of personal information that a mobile device can collect. As a result, consumer privacy on mobile devices has become an increasingly important issue, and mobile privacy has emerged as one of the key privacy topics this year.
Mobile technology raises new and unique privacy concerns due to the unprecedented amounts and types of personal information that a mobile device can collect.
Numerous agencies and organizations—both public and private—have issued or plan to issue guidance for mobile privacy best practices. Among the most significant of these developments are the mobile privacy reports released in 2013 by both the Federal Trade Commission (FTC) and the office of California Attorney General Kamala Harris. The FTC's report, Mobile Privacy Disclosures: Building Trust Though Transparency, and the California Attorney General's report, Privacy on the Go: Recommendations for the Mobile Ecosystem, both describe best-practice recommendations for mobile privacy. The reports offer specific guidelines for participants in the mobile environment, including platform providers, application developers and third-party service providers.
This article provides an overview of the recommendations provided by both the FTC and the California Attorney General.
What Is Personal Information?
The California Attorney General defines "personally identifiable data" as "data linked to a person or persistently linked to a mobile device," including data that can identify a person via personal information or a device via a unique identifier.1 Generally, personal information in the mobile space includes a mobile device's unique device identifier, geolocation data, a user's name, mobile phone numbers, email addresses, text messages or email, call logs, address books, financial and payment information, health and medical information, photos or videos, web-browsing history and lists of apps downloaded or used.2
In addition, a special subset of personal information called "sensitive information" is now recognized. The FTC views information concerning children, financial and health information, Social Security numbers and precise geolocation data as sensitive and warranting special protection.3 Likewise, the California Attorney General defines "sensitive information" as personally identifiable data about which users are likely to be concerned, such as precise geolocation data, financial and medical information, passwords, stored information such as contacts, photos and videos and information about children.4
Both the FTC and the California Attorney General provide specific recommendations for various participants in the mobile environment:
Use Privacy Dashboards and Icons: Platform providers should consider using dashboards, icons and other visual cues to help users more easily and quickly recognize an app's privacy practices and settings.7 Such privacy icons and graphics are most effective if they are standardized and users are educated about them through an awareness campaign.8
Provide Transparency About the Platform's App Review Process: The FTC recommends that platform providers clearly disclose the extent to which they review an app before making it available for download, including any compliance checks they perform.11 This recommendation likely stems from the FTC's complaint against Facebook, in which the FTC charged Facebook with deceiving users through Facebook's "Verified Apps" program. Facebook claimed it certified the security of apps participating in the program, when it actually did not.12
Develop a Do Not Track System: The FTC had previously recommended the development of a "do not track" system for web browsers that would enable users to avoid having their actions monitored online.13 Applying this same principle to the mobile space, the FTC recommends that platform providers develop a "do not track" mechanism at the platform level so that users can choose to prevent apps from tracking their behavior across apps and transmitting such information to third parties.14
In order to provide a complete and accurate disclosure to users, app developers should coordinate with ad networks and other third parties to fully understand the function of any third-party code being used in their apps.
Limit Collection of Personal Information: App developers should build privacy considerations and protections into their apps from the beginning. This includes limiting the amount of personal information an app collects (e.g., minimizing the collection of information not necessary for the app's basic functionality), collecting or sharing sensitive information only with consent and limiting the retention of data to the time necessary to support the app's functionality or satisfy any legal requirements.20
ADVERTISING NETWORKS AND OTHER THIRD PARTIES21
While all service agreements include a requirement for the service provider to comply with laws, this requirement may not be sufficient when mobile apps are involved. The mobile privacy landscape is rapidly evolving, and what are considered recommendations today are likely to become requirements in the future. In addition, if a service provider is only required to design a mobile app to comply with current laws rather than incorporating privacy protections from the beginning, the adaptation of any future privacy requirements will be unnecessarily difficult. This is especially true if maintenance of the mobile app is transferred from the service provider to the company after the expiration or termination of the service agreement. To resolve this concern, service agreements should require service providers to build in privacy considerations from the beginning and to comply with any best-practice recommendations from major public or private organizations, such as those contained in the reports from the FTC and the California Attorney General. While both the FTC and the California Attorney General have stated that the guidelines in these reports are only best-practice recommendations and not binding law,24 these recommendations are likely a sign of things to come. The recommendations may evolve into standards, and companies that fail to heed them may become subject to investigations and enforcement actions in the future.
1 Cal. Att'y Gen. Office, Privacy on the Go: Recommendations for the Mobile Ecosystem 6 (Jan. 2013), available at http://www.gsma.com/publicpolicy/mobile-andprivacy/mobile-privacy-principles .
2 Cal. Att'y Gen. Office, supra note 1, at 8.
3 F.T.C., Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers 59 (Mar. 2012), available at http://www.ftc.gov/os/2012/03/120326privacyreport.pdf .
4 Cal. Att'y Gen. Office, supra note 1, at 6. The European Union also recognizes certain "special categories of data" requiring extra restrictions, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and health or sex life. See EU Directive 95/46/EC art. 8 (1995), available at http://www.dataprotection.ie/viewdoc.asp?DocID=93&m= .
5 F.T.C., Mobile Privacy Disclosures: Building Trust Through Transparency 15, 16 (Feb. 2013), available at http://www.ftc.gov/os/2013/02/130201mobileprivacyreport.pdf .
6 Cal. Att'y Gen. Office, supra note 1, at 9.
7 F.T.C., Mobile Privacy Disclosures, supra note 5, at 17-18.
8 Cal. Att'y Gen. Office, supra note 1, at 11.
9 Id. at 14; F.T.C., Mobile Privacy Disclosures, supra note 5, at 22.
10 Press Release, Cal. Att'y Gen. Office, Joint Statement of Principles (Feb. 22, 2012), available at https://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-secures-global-agreement-strengthen-privacy .
11 Id. at 20.
12 See Press Release, F.T.C., Facebook Settles FTC Charges That It Deceived Consumers by Failing to Keep Privacy Promises (Nov. 29, 2011), available at http://ftc.gov/opa/2011/11/privacysettlement.shtm .
13 See Press Release, F.T.C., FTC Staff Issues Privacy Report, Offers Framework for Consumers, Businesses, and Policymakers (Dec. 1, 2010), available at http://www.ftc.gov/opa/2010/12/privacyreport.shtm ; Press Release, F.T.C., FTC Issues Final Commission Report on Protecting Consumer Privacy (Mar. 26, 2010), available at http://www.ftc.gov/opa/2012/03/privacyframework.shtm .
14 F.T.C., Mobile Privacy Disclosures, supra note 5, at 20-21.
15 See, e.g., Making Sure Companies Keep Their Privacy Promises to Consumers, http://www.ftc.gov/opa/reporter/privacy/privacypromises.shtml (last visited June 16, 2013) (listing several legal actions that the FTC has taken against organizations for misleading them with inaccurate privacy or security promises).
16 Cal. Att'y Gen. Office, supra note 1, at 9.
17 Id. at 11.
18 See, e.g., Kurt Orzeck, Delta Dodges Calif. Privacy Suit Over Smartphone App, Law360 (May 9, 2013, 10:09 PM), http://www.law360.com/california/articles/440392/delta-dodges-calif-privacy-suit-over-smartphone-app .
19 Id. at 24.
20 Cal. Att'y Gen. Office, supra note 1, at 9.
21 Note that the FTC report also provided recommendations for app trade associations and the California Attorney General's report also provided recommendations for operation system developers and mobile carriers. See, e.g., id. at 16.
22 F.T.C., Mobile Privacy Disclosures, supra note 5, at 24.
23 Cal. Att'y Gen. Office, supra note 1, at 15.
24 See, e.g., id. at 4; FTC, Mobile Privacy Disclosures: Building Trust Through Transparency, supra note 5, at 13-14.
Originally published in Summer 2013.
Visit us at mayerbrown.com
Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.
© Copyright 2013. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.