Addressing the mobile ecosystem on three fronts, the Federal Trade Commission simultaneously announced an enforcement action against a mobile app provider, a new report recommending best practices for app developers and other industry stakeholders, and the release of an educational guide for small businesses.
The “mobile revolution” offers consumers enormous benefits, FTC Chairman Jon Leibowitz said at a press conference announcing the news. But it also “presents unique privacy challenges.”
Case in point: the agency filed suit against Path, a social networking application where users can keep journals and share their thoughts with friends. To encourage others to join the site, the app offers users the option to import the contacts from their address book. However, the app collected and stored the information from users’ address books – including their names, addresses, e-mail addresses, phone numbers, and dates of birth – even if they declined to share their information. This collection, the agency alleged, constituted a deceptive practice in violation of the Federal Trade Commission Act. The site also collected data from approximately 3,000 children under the age of 13 without parental consent and notification in violation of the Children’s Online Privacy Protection Act, according to the complaint.
To settle the charges, Path agreed to pay $800,000 for the alleged COPPA violations, establish a comprehensive privacy policy and obtain independent privacy assessments – similar to the settlements with Facebook and Google, Leibowitz noted – for a period of 20 years. The company is also required to delete information collected from children under age 13.
Although many apps collect information from users’ address books, Leibowitz said that Path was targeted because it engaged in “clear deception” and its malfeasance involved children. “That’s a red flag combination for us,” he said.
Reflecting the need to provide guidance to companies engaged in mobile commerce, the agency also released a report calling for better privacy disclosures on mobile devices, Leibowitz said. The report provided guidance for mobile platforms, app developers, advertising networks, and other third parties in the mobile ecosystem.
Companies should offer “just in time” disclosures to consumers and obtain affirmative, express consent before collecting sensitive information such as geolocation data and health or financial information. Smartphone users should be offered a “Do Not Track” option, according to “Mobile Privacy Disclosures: Building Trust Through Transparency.” The report also suggested that mobile platforms develop icons that provide users with information about data practices, and that advertising networks strive for open lines of communication with app developers to provide truthful disclosures to consumers.
“Best practices are better than enforcement actions,” Leibowitz said. The report is intended “to encourage best practices in this ecosystem. But when companies fall below, we will bring enforcement actions.”
Finally, the FTC created an educational guide to the mobile ecosystem: “Mobile App Developers: Start With Security.” Education regarding privacy is particularly important in the app space, where “a number of small developers are rushing to get cool, new technology to the public and not addressing privacy issues,” Leibowitz said.
Speaking generally about the intersection of consumer privacy and mobile devices, Leibowitz emphasized that the industry should “tell consumers what you are doing with their data and don’t mislead them.” Once companies have collected data, they should “be responsible stewards,” he added. Leibowitz also cautioned that privacy is “the quintessential bi-partisan issue in Congress,” and a failure by industry to self-regulate will likely result in prescriptive legislation.
Why it matters: Privacy remains a key issue for the agency, as evidenced by the multifaceted approach of guidance and enforcement action. The FTC’s focus on data collection and use in the mobile ecosystem follows the recent release of a report on children’s data in the context of mobile apps.