The FTC Mobile Privacy Staff Report
As reported here, the FTC earlier this month released a staff report on mobile privacy. The report, Mobile Privacy Disclosures: Building Trust Through Transparency, provides privacy practice recommendations to firms operating in the mobile app development "ecosystem." The report's recommendations are geared mainly toward developers and app store operators, such as Apple, Google, or Microsoft.
The report's recommendations are not rules or regulations, and its contents do little to concretely signal new enforcement direction. Still, the report is a helpful indicator of agency thinking in general, and of the agency's increased interest in mobile privacy issues.
Distilled, the agency wants mobile app firms to provide:
- Clear, simple privacy policies;
- Complete and accurate disclosures of how information will be used, including just-in-time notice where appropriate; and
- Options for end-user control over the access to and use of private information.
Just-in-time notice is notice offered to users immediately before the app accesses sensitive data. For example, users of Apple's iPhone may be familiar with the warning that appears when an app or website is attempting to use the phone's geolocation capabilities.
This is an instance of "just-in-time" notice.
The report's recommendations with respect to "just-in-time" notice are complicated, however, by its recommendation of increased policing by app platforms. Platforms -- the agency's word for app store operators associated with classes of mobile devices -- are in a privileged position to understand the functionality of the apps being offered in their respective app stores. Platforms can typically tell, for example, what parts of the mobile device an app will potentially be accessing. Based on this privileged knowledge, the staff report recommends that platforms develop and offer "platform-level" privacy disclosures that give app-store consumers the ability to understand the privacy profile of a given app. This capability could be combined with other features such as, for example, allowing consumers access to app privacy policies in advance of downloading and installing a particular app on their mobile device. Platforms could also provide services that compare app privacy policies with the platform's own privileged knowledge about the app.
If recommended platform-level privacy measures like these are put in place, however, then the staff report suggests that "it is important that these app-level disclosures not repeat the platform-level disclosures." Here, the FTC discourages some forms of just-in-time disclosure as duplicative:
For example, an app should be able to rely on the platform's disclosure that geolocation data will be collected by the app . . . and need not repeat the same disclosure and consent process. If the app developer decides to share that geolocation data with a third party, the app developer should provide a just-in-time disclosure and obtain affirmative consent from users for that data sharing.
The agency report also supports "do not track" initiatives that would allow users to restrict ad networks from building targeted consumer profiles of particular users.
Operators in the mobile app development space should keep in mind the overarching emphasis of the staff report on the point of view of the end-user: does he know how his data is being treated? Can he find out easily? Does he have convenient control over that data's use?