FTC’s Recommended Best Practices for Mobile Privacy Disclosures

By: Faith D. Kasparian
November 14, 2013

Earlier this year, the Federal Trade Commission (“FTC” or the “Commission”) released a report with privacy recommendations for the mobile industry, Mobile Privacy Disclosures: Building Trust Through Transparency. The report describes the rapid expansion of the mobile marketplace and the unique privacy issues raised by consumers’ growing and pervasive use of mobile devices.

As an initial matter, the report notes that the three core principles set forth in the FTC’s Final Privacy Report, released in March of 2012, apply to mobile companies. Those core principles are:

  • Privacy by design: promoting consumer privacy at every stage of product and service development
  • Simplified consumber choice: for practices requiring consumer choice, offering choice at a time and in a context in which the consumer is making a decision about his or her data
  • Transparency: disclosing details about collection practices and use of consumer information in a clear manner.

Focusing on promoting the institution of these principles into current mobile privacy disclosure practices, the report notes that the “FTC staff strongly encourages companies in the mobile ecosystem to work expeditiously to implement the recommendations in this report.” Even outside the privacy context, the FTC emphasizes the importance of clear and transparent mobile and online disclosures, as evidenced by the Commission’s updated guidance for mobile and online advertisers titled .com Disclosures: How to Make Effective Disclosures in Digital Advertising. This updated guide, released shortly after the mobile privacy report, directs advertisers to ensure that required advertising disclosures are clear and conspicuous on all devices and platforms a consumer may use to view an ad.

The privacy report similarly focuses on such principles, providing best practice recommendations for the four types of “key players” in the mobile industry: (1) platforms or operating system providers (such as Amazon, Apple, BlackBerry, Google, and Microsoft); (2) app developers; (3) advertising networks, analytics companies, and other third parties; and (4) app developer trade associations, along with academics, usability experts, and privacy researchers. Discussed below are the report’s recommendations for each of these four key groups.

Mobile platforms should:

  • Provide just-in-time disclosures to consumers and obtain their affirmative express consent before allowing apps to access sensitive content such as geolocation;
  • Consider providing just-in-time disclosures and obtaining affirmative express consent for other content that consumers would find sensitive in many contexts, including contacts, photos, calendar entries, and the recording of audio or video content;
  • Consider developing a one-stop “dashboard” approach to allow consumers to review the types of content accessed by the apps they have downloaded;
  • Consider developing icons to depict the transmission of user data;
  • Promote app developer best practices. For example, platforms can require developers to make privacy disclosures, reasonably enforce these requirements, and educate app developers;
  • Consider providing consumers with clear disclosures about the extent to which platforms review apps prior to making them available for download in the app stores and conduct compliance checks after the apps have been placed in the app stores; and
  • Consider offering a Do Not Track (“DNT”) mechanism for smartphone users. A mobile DNT mechanism, which a majority of the Commission has endorsed, would allow consumers to choose to prevent tracking by ad networks or other third parties as they navigate among apps on their phones.

App developers should:

  • Have a privacy policy and make sure it is easily accessible through the app stores;
  • Provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information (to the extent the platforms have not already provided such disclosures and obtained such consent);
  • Improve coordination and communication with ad networks and other third parties that provide services for apps, such as analytics companies, so that app developers may better understand the software they are using and, in turn, provide accurate disclosures to consumers. For example, app developers often integrate third-party code to facilitate advertising or analytics within an app with little understanding of what information the third party is collecting or how it is being used; and
  • Consider participating in self-regulatory programs, trade associations, and industry organizations, which can provide guidance on how to make uniform, short-form privacy disclosures.

Advertising networks and other third parties should:

  • Communicate with app developers so that developers can provide truthful disclosures to consumers; and
  • Work with platforms to ensure effective implementation of DNT mechanisms for mobile phones.

App developer trade associations, along with academics, usability experts, and privacy researchers can:

  • Develop short form disclosures for app developers;
  • Promote standardized app developer privacy policies that will enable consumers to compare data practices across apps; and
  • Educate app developers on privacy issues.

For further information on the FTC’s mobile disclosure requirements, please contact Faith D. Kasparian.