February 7, 2013
The Federal Trade Commission has emphasized in the past that general privacy protections in the website space apply equally to mobile services, but a new FTC Staff Report released on Friday homes in on some privacy considerations unique to mobile technologies.
Also on Friday, the FTC announced a settlement with Path, Inc. This is the agency’s first public enforcement action against a mobile app addressing the collection and use of a mobile device user’s address book contacts.
Path provides a social network service that allows users to keep journals of special life moments, including written thoughts, photos, the user’s geolocation and music, and to share those journals with up to 150 friends in their network. In version 2.0 of its iOS app, Path offered an “Add Friends” feature that would allow users to locate friends on the service through Facebook, through e-mail or SMS, or through the user’s mobile device address book (or contacts) list.
The FTC alleged that Path automatically collected and stored personal information from the user’s address book even if the user did not select the “find friends from your contacts” option. For each contact in the user’s address book, the Path app collected first and last names, addresses, phone numbers, e-mail addresses, Facebook and Twitter usernames, and dates of birth. This data collection occurred when a user first launched version 2.0 of the app and each time a user signed back into his/her account. The FTC focused on two aspects of consumer deception. First, the FTC believed that the Path app’s user interface was misleading because it implied that address book data would be accessed only if the user selected the “find friends from your contacts” option. Second, the FTC found that Path’s posted privacy policy misled consumers by disclosing that the app automatically collected only user information such as IP address, browser type, etc., but failed to disclose that the app also automatically collected address book information.
The settlement included a commitment to increase privacy safeguards and payment of an $800,000 fine. The regulators focused on the fact that the design of the application was deceptive in that users were made to believe that unless they elected to share address book contacts, the contacts would not be shared. However, legal authority for the fine was based on Path’s violation of the Children's Online Privacy Protection Act (COPPA). Early in the history of Path, the company collected personal information from about 3,000 users who were not yet 13, without their parents' consent, and permitted children to post personal information publicly on the Path social network service.
The FTC has indicated in past statements that it hoped Congress would pass legislation that would actually convey authority to the FTC to issue civil penalties for online privacy violations, but Congress has yet to act. Until then, the FTC will look to violations of other laws, such as COPPA, for authority to issue such fines.
Like the Facebook, Google, and MySpace settlements before it, the Path settlement also requires the company to establish a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years.
As mobile apps continue to grow their user bases through invitation and other viral-marketing features, it is imperative that care be taken to conspicuously disclose data collection and use practices and to consider where or when more affirmative forms of user consent might be warranted (for example, where users may include children under the age of 13). The FTC's press release on the Path settlement can be found here.
The FTC’s Mobile Privacy Report observes that mobile technology may raise unique privacy concerns. Enormous amounts of personal data are collected and transmitted by smartphones and tablets. And, to a greater extent than other technologies, mobile devices (and the data they collect) can be tied or connected in some manner to a specific individual. Mobile data is also collected by a diverse set of ecosystem players—for example, operating systems, application developers and advertising networks—and the relatively small screen size of mobile devices makes it more challenging to provide robust, detailed disclosures. Indeed, a May 2012 FTC panel on mobile privacy and associated industry comments point to a lack of consumer awareness and understanding about the data collection and use practices occurring on mobile devices.
The FTC’s Mobile Privacy Report offers suggestions on how industry can improve the current state of affairs. The FTC’s recommendations generally align with those of the California Attorney General, whose January 2012 report on mobile privacy encouraged app developers, platform providers, ad networks, mobile carriers and operating system developers to increase transparency, limit the collection and retention of data, provide meaningful choice to consumers, and improve data security. See our previous coverage of the California AG report here.
The Report notes that mobile platforms, such as those by Apple, Google, Amazon, Microsoft and BlackBerry, serve as the gatekeepers to the app marketplace and, therefore, are potentially in a position to effectuate change with respect to mobile privacy disclosures. The Report recommends that mobile platforms implement or consider:
The Report recommends that mobile app developers:
The Report notes that trade associations and industry participants can play a role in standardizing processes, and recommends that they:
The Report’s recommendations were intended to provide a flexible framework that will accommodate further developments in technology and innovation. The FTC strongly encourages companies to implement the recommendations in the Report and notes that it will continue to closely monitor developments in the mobile space. The text of the Report can be found here.
Concurrently with releasing this Report, the FTC also released guidance on implementing security for mobile applications. This guidance, although fairly high-level, demonstrates the FTC’s continuing focus on prodding industry to adopt data protection and security measures that are appropriate for the type of data collected and processed by the apps, and minimizing the collection and storage of consumer data generally.