Keywords: mobile technology, privacy, mobile devices

Introduction

Mobile technology raises new and unique privacy concerns due to the unprecedented amounts and types of personal information that a mobile device can collect. As a result, consumer privacy on mobile devices has become an increasingly important issue, and mobile privacy has emerged as one of the key privacy topics this year.

Mobile technology raises new and unique privacy concerns due to the unprecedented amounts and types of personal information that a mobile device can collect.

Numerous agencies and organizations—both public and private—have issued or plan to issue guidance for mobile privacy best practices. Among the most significant of these developments are the mobile privacy reports released in 2013 by both the Federal Trade Commission (FTC) and the office of California Attorney General Kamala Harris. The FTC's report, Mobile Privacy Disclosures: Building Trust Though Transparency, and the California Attorney General's report, Privacy on the Go: Recommendations for the Mobile Ecosystem, both describe best-practice recommendations for mobile privacy. The reports offer specific guidelines for participants in the mobile environment, including platform providers, application developers and third-party service providers.

This article provides an overview of the recommendations provided by both the FTC and the California Attorney General.

What Is Personal Information?

The California Attorney General defines "personally identifiable data" as "data linked to a person or persistently linked to a mobile device," including data that can identify a person via personal information or a device via a unique identifier.1 Generally, personal information in the mobile space includes a mobile device's unique device identifier, geolocation data, a user's name, mobile phone numbers, email addresses, text messages or email, call logs, address books, financial and payment information, health and medical information, photos or videos, web-browsing history and lists of apps downloaded or used.2

In addition, a special subset of personal information called "sensitive information" is now recognized. The FTC views information concerning children, financial and health information, Social Security numbers and precise geolocation data as sensitive and warranting special protection.3 Likewise, the California Attorney General defines "sensitive information" as personally identifiable data about which users are likely to be concerned, such as precise geolocation data, financial and medical information, passwords, stored information such as contacts, photos and videos and information about children.4

Recommendations

Both the FTC and the California Attorney General provide specific recommendations for various participants in the mobile environment:

PLATFORM PROVIDERS

Provide Just-in-Time Disclosures: Platform providers should offer clear and understandable "just-in-time" disclosures to users and obtain a user's affirmative express consent before allowing an app to access the user's sensitive information (such as geolocation data). The FTC believes that providing such just-in-time disclosures at the time it matters to consumers (i.e., just prior to the collection of data by the app), rather than buried in a privacy policy, will allow users to make more informed choices about whether to share such data.5 The California Attorney General also recommends using similar "special notices" that would highlight any unexpected data practices (e.g., apps collecting sensitive information or personal information that is not needed for its basic functionality).6

Use Privacy Dashboards and Icons: Platform providers should consider using dashboards, icons and other visual cues to help users more easily and quickly recognize an app's privacy practices and settings.7 Such privacy icons and graphics are most effective if they are standardized and users are educated about them through an awareness campaign.8

Provide Access to Privacy Policies: Platform providers should offer a way for users to learn about an app's privacy policy prior to the user downloading the app, so that users will be able to make a more informed decision as to whether to download the app or not. Both the FTC and the California Attorney General recommend doing this by making an app's privacy policy conspicuously accessible from the platform itself. 9 The California Attorney General already made advancements in this area with its 2012 agreement with leading platform providers, where the platform providers agreed to include in their app submission process an optional data field for the app developer to add either a link to, a copy of or a short description of the app's privacy policy.10

Platform providers should offer a way for users to learn about an app's privacy policy prior to the user downloading the app, so that users will be able to make a more informed decision as to whether to download the app or not.

Provide Transparency About the Platform's App Review Process: The FTC recommends that platform providers clearly disclose the extent to which they review an app before making it available for download, including any compliance checks they perform.11 This recommendation likely stems from the FTC's complaint against Facebook, in which the FTC charged Facebook with deceiving users through Facebook's "Verified Apps" program. Facebook claimed it certified the security of apps participating in the program, when it actually did not.12

Develop a Do Not Track System: The FTC had previously recommended the development of a "do not track" system for web browsers that would enable users to avoid having their actions monitored online.13 Applying this same principle to the mobile space, the FTC recommends that platform providers develop a "do not track" mechanism at the platform level so that users can choose to prevent apps from tracking their behavior across apps and transmitting such information to third parties.14

APP DEVELOPERS

Provide a Clear, Accurate and Conspicuously Available Privacy Policy: App developers should have a clear and accurate privacy policy for their mobile app. The privacy policy should clearly identify the app's data practices, and important terms should not be buried in long agreements or behind vague links. Among the data practices that the privacy policy should cover are how the user's data will be collected, used, shared, disclosed and retained.

An app developer should also ensure that any promises made in the privacy policy are true and accurate. The FTC has taken action against many companies that claimed to safeguard the privacy or security of their users' information but did not fulfill those promises.15

Finally, the privacy policy should be conspicuously available and easy to read on a mobile device. The California Attorney General recommends having the privacy policy available both from the app platform (before the app is downloaded and any data is collected) and from within the app.16 While the small screen of a mobile device presents challenges in displaying privacy policies, app developers can consider using a layered privacy policy format that summarizes the most relevant privacy practices on top.17

In order to provide a complete and accurate disclosure to users, app developers should coordinate with ad networks and other third parties to fully understand the function of any third-party code being used in their apps.

It is important to note that California has a law (the California Online Privacy Protection Act, or CalOPPA) requiring mobile apps that collect personal information to conspicuously post a privacy policy, and the California Attorney General has started enforcing compliance. For example, in late 2012, the California Attorney General filed a lawsuit against Delta Airlines for failing to post a privacy policy for its "Fly Delta" app. Although a California judge recently dismissed the lawsuit on unrelated grounds, the setback is unlikely to deter the attorney general from pursuing other companies that do not comply.18

Understand Any Third-Party Code Included in the App: Even if an app developer provides clear and accurate disclosures about its own privacy practices in its privacy policy, app developers often include third-party code in their apps (e.g., from ad networks or analytics companies) without fully understanding what information that code may be collecting or sharing. In order to provide a complete and accurate disclosure to users, app developers should coordinate with ad networks and other third parties to fully understand the function of any third-party code being used in their apps.19

Limit Collection of Personal Information: App developers should build privacy considerations and protections into their apps from the beginning. This includes limiting the amount of personal information an app collects (e.g., minimizing the collection of information not necessary for the app's basic functionality), collecting or sharing sensitive information only with consent and limiting the retention of data to the time necessary to support the app's functionality or satisfy any legal requirements.20

ADVERTISING NETWORKS AND OTHER THIRD PARTIES21

The FTC recommends that advertising networks and other third parties that provide services for apps improve their communication with app developers (for example, by helping app developers understand what their code does and how it works, or by having a privacy policy and providing it to app developers). App developers would then be able to provide users with more complete and accurate disclosures.22 In addition, the California Attorney General recommends that advertising networks avoid delivering any ads outside of the app, such as by placing icons on the mobile desktop, and use enhanced measures to obtain prior consent before accessing any personal information.23

Conclusion

While all service agreements include a requirement for the service provider to comply with laws, this requirement may not be sufficient when mobile apps are involved. The mobile privacy landscape is rapidly evolving, and what are considered recommendations today are likely to become requirements in the future. In addition, if a service provider is only required to design a mobile app to comply with current laws rather than incorporating privacy protections from the beginning, the adaptation of any future privacy requirements will be unnecessarily difficult. This is especially true if maintenance of the mobile app is transferred from the service provider to the company after the expiration or termination of the service agreement. To resolve this concern, service agreements should require service providers to build in privacy considerations from the beginning and to comply with any best-practice recommendations from major public or private organizations, such as those contained in the reports from the FTC and the California Attorney General. While both the FTC and the California Attorney General have stated that the guidelines in these reports are only best-practice recommendations and not binding law,24 these recommendations are likely a sign of things to come. The recommendations may evolve into standards, and companies that fail to heed them may become subject to investigations and enforcement actions in the future.

Footnotes

1  Cal. Att'y Gen. Office, Privacy on the Go: Recommendations for the Mobile Ecosystem 6 (Jan. 2013), available at http://www.gsma.com/publicpolicy/mobile-andprivacy/mobile-privacy-principles .

2 Cal. Att'y Gen. Office, supra note 1, at 8.

3 F.T.C., Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers 59 (Mar. 2012), available at http://www.ftc.gov/os/2012/03/120326privacyreport.pdf .

4 Cal. Att'y Gen. Office, supra note 1, at 6. The European Union also recognizes certain "special categories of data" requiring extra restrictions, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and health or sex life. See EU Directive 95/46/EC art. 8 (1995), available at http://www.dataprotection.ie/viewdoc.asp?DocID=93&m= .

5 F.T.C., Mobile Privacy Disclosures: Building Trust Through Transparency 15, 16 (Feb. 2013), available at http://www.ftc.gov/os/2013/02/130201mobileprivacyreport.pdf .

6 Cal. Att'y Gen. Office, supra note 1, at 9.

7 F.T.C., Mobile Privacy Disclosures, supra note 5, at 17-18.

8 Cal. Att'y Gen. Office, supra note 1, at 11.

9 Id. at 14; F.T.C., Mobile Privacy Disclosures, supra note 5, at 22.

10 Press Release, Cal. Att'y Gen. Office, Joint Statement of Principles (Feb. 22, 2012), available at https://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-secures-global-agreement-strengthen-privacy .

11 Id. at 20.

12 See Press Release, F.T.C., Facebook Settles FTC Charges That It Deceived Consumers by Failing to Keep Privacy Promises (Nov. 29, 2011), available at http://ftc.gov/opa/2011/11/privacysettlement.shtm .

13 See Press Release, F.T.C., FTC Staff Issues Privacy Report, Offers Framework for Consumers, Businesses, and Policymakers (Dec. 1, 2010), available at http://www.ftc.gov/opa/2010/12/privacyreport.shtm ; Press Release, F.T.C., FTC Issues Final Commission Report on Protecting Consumer Privacy (Mar. 26, 2010), available at http://www.ftc.gov/opa/2012/03/privacyframework.shtm .

14 F.T.C., Mobile Privacy Disclosures, supra note 5, at 20-21.

15 See, e.g., Making Sure Companies Keep Their Privacy Promises to Consumers, http://www.ftc.gov/opa/reporter/privacy/privacypromises.shtml (last visited June 16, 2013) (listing several legal actions that the FTC has taken against organizations for misleading them with inaccurate privacy or security promises).

16 Cal. Att'y Gen. Office, supra note 1, at 9.

17 Id. at 11.

18 See, e.g., Kurt Orzeck, Delta Dodges Calif. Privacy Suit Over Smartphone App, Law360 (May 9, 2013, 10:09 PM), http://www.law360.com/california/articles/440392/delta-dodges-calif-privacy-suit-over-smartphone-app .

19 Id. at 24.

20 Cal. Att'y Gen. Office, supra note 1, at 9.

21 Note that the FTC report also provided recommendations for app trade associations and the California Attorney General's report also provided recommendations for operation system developers and mobile carriers. See, e.g., id. at 16.

22 F.T.C., Mobile Privacy Disclosures, supra note 5, at 24.

23 Cal. Att'y Gen. Office, supra note 1, at 15.

24 See, e.g., id. at 4; FTC, Mobile Privacy Disclosures: Building Trust Through Transparency, supra note 5, at 13-14.

Originally published in Summer 2013.

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2013. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.