Telemarketing? Try Tweeting

The FCC's revised rules for telemarketers and text marketers, taking effect in October, could signal a big shift in how companies direct market, posits Julie O'Neill, a Morrison & Foerster attorney specializing in privacy issues. One section prohibits the use of an autodialer to call or text cell phones for marketing purposes, unless the caller has the called party's signed, written consent. "It's almost impossible to tell which numbers on a call list are cell phones, so [almost] every list will have to be scrubbed," she says.

The new consent obligations also require new disclosures. Because the new rules will apply retroactively, even companies with agreements in place must re-sign every customer if their agreements don't meet the new rules' disclosure and signature requirements. "Companies that want to continue marketing by phone or text message are working hard to come into compliance by the rules' mid-October effective date," she says.

Complying with these rules could prove cumbersome and costly, adds John Delaney, a partner in Morrison & Foerster's New York office. He predicts more companies will ditch the dialup and focus on social media marketing. "It's a natural transition for the industry because social media is a much more engaged interaction with potential customers," he says. —R.McR.

Mobile Apps: No Surprises, Please

By Rebecca McReynolds

A useful privacy rule of thumb for app makers

Widley applicable rules regarding consumer privacy disclosures in our increasingly mobile world are only now emerging. Government agencies, individual states, and professional associations are all weighing in on how mobile app developers should disclose how they collect, store, use, and protect the wide range of highly personal data being collected every day.

The Application Privacy, Protection, and Security Act of 2013, better known as the APPS Act, is intended to bring conformity to the unwieldy world of mobile app development. With a divided Congress struggling to pass even mandatory legislation, though, passage of any type of discretionary legislation this year seems unlikely, says D. Reed Freeman Jr., a partner with Morrison & Foerster in Washington, D.C. In the meantime, Freeman says, developers should focus on the Federal Trade Commission, "because even without congressional action, it has broad jurisdiction, and it has already brought cases and issued guidance on mobile privacy and data security."

Charged with the intentionally broad mandate of guarding consumers from "deceptive" and "unfair" business practices, the FTC has been proactively applying its consumer protection laws across nearly all media, including mobile technology. A recent FTC policy document is especially revealing because it describes how the FTC expects disclosures of material facts to be made on mobile devices, "and privacy disclosures can certainly be material," Freeman says.

So it's up to the mobile app company to think carefully about the ways its program could surprise a reasonable user and disclose them appropriately. Freeman offers this rule of thumb: "Would a reasonable consumer, under the circumstances, understand what information is being collected about her while she's on a mobile device and what it is being used for?" If so, companies need to disclose those facts clearly and not bury them in EULAs or terms of use.

California's Online Privacy Protection Act, passed in 2003, has taken consumer privacy one step further than the FTC has. It requires companies that operate commercial websites or online services and that collect personal information of any kind—including usernames and passwords—to prominently post a privacy policy somewhere on their homepage, says Andrew Serwin, a partner in Morrison & Foerster's San Diego office.

And while California's jurisdiction ends at the state line, its reach is often national, Serwin adds. "Companies with customers in all 50 states have to ask themselves whether they want to develop state-specific programs or apply standards across the board," he says. Since the mobile world doesn't recognize geographic boundaries, Serwin recommends that developers work toward the highest standards and beyond. "Privacy isn't just a legal issue. It's a brand issue," he says.

Apart from knowing the law, businesses need to consider their own reputations and their customer relationships when collecting, using, and protecting personal information, Serwin says. For example, how could losing users' passwords tarnish the company's image in the market? "Current law doesn't specifically cover that possibility, but," he notes, "it may be in the company's best interest to address these types of issues."

All That Glitters

Getting what you pay for—and then some

By Gary Stern

More companies looking to keep pace with the fast-changing mobile market are busily buying up app developers. Google spent almost $1 billion in June to acquire traffic app developer Waze. Apptopia is a growing online marketplace for the buying and selling of rights to apps.

But companies should know that if they acquire an app developer, they may inherit all sorts of consumer data collected by its apps. That can lead to scrutiny from regulators and the media over how that data is used, says D. Reed Freeman Jr., a Morrison & Foerster partner who focuses on privacy and data security. How this data should be used and protected is a new area of law, and there are few statutes to go by, he says. So companies need to follow enforcement decisions by regulators, primarily the FTC, to get a sense of where enforcement is heading.

There have been few major enforcement actions taken so far against companies for improperly using consumer information, but there is reason to believe that this will change, Freeman says. In California, for example, websites that collect personal information from consumers are required to have a privacy policy, and the state AG has taken the position—through litigation—that the law applies to mobile apps. "It has surprised me that some apps we've looked at on behalf of clients have no privacy policy on their website or on the app," Freeman says.

Technology is so sophisticated that it may not be immediately clear what data a startup company has collected or how the data is protected. Companies looking at app developers, therefore, need to collect as much information as possible about what data is collected, with whom it's been shared, and how data is secured, Freeman says. The possibility of security breaches is very real and needs to be evaluated. The misuse or loss of consumer data will be sure to attract media attention.

"App companies often have products that rise and fall in popularity " says Eric McCrath, a Morrison & Foerster partner who advises buyers and sellers on M&A. "It might be that the primary objective of acquiring an app company is less about purchasing a specific app that may be waning in popularity and more about the prospects that the company's employees will offer in finding continuing success in developing future app hits. This often makes it critical to include incentive arrangements for the employees and making a portion of the proceeds of a sale going to employees contingent upon continued employment .

To continue to read this article please click here.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved