On February 1, 2013, the Federal Trade Commission (FTC) issued a staff report titled "Mobile Privacy Disclosures: Building Trust through Transparency" and a business guide titled "Mobile App Developers: Start with Security." 

This article provides an overview of this report and this guide as well as other mobile application privacy guidance from and enforcement actions by the FTC and the California Attorney General.

Mobile Privacy Disclosures Report

"Mobile Privacy Disclosures: Building Trust through Transparency" provides best practice recommendations intended to improve mobile privacy disclosures. The FTC staff strongly encourages companies in the mobile ecosystem—platforms, application developers, advertising networks and analytics companies, and application trade associations—to implement these recommendations.

Where this guidance goes beyond existing legal requirements, it is not intended to be a template for law enforcement actions or regulations under laws that the FTC currently enforces. The National Telecommunications and Information Agency of the U.S. Department of Commerce is involved in a multistakeholder process to develop a code of conduct on mobile application transparency. To the extent that strong privacy codes are developed, the FTC views adherence to these codes favorably in connection with its law enforcement work.

Platforms

"Platforms" mean mobile operating systems, such as Apple's iOS, Google's Android, RIM's BlackBerry OS, and Microsoft's Windows Phone, and the application stores they offer, like the Apple App Store, Google Play, BlackBerry App World, and Microsoft's Windows Store. Platforms offer application developers and others access to significant amounts of user data from mobile devices (e.g., geolocation information, contact lists, calendar information, photos, etc.) through their application programming interfaces, and the application stores they offer are the interface between users and numerous applications.

Platforms should:

  1. Provide just-in-time disclosures to consumers and obtain their affirmative express consent before allowing apps to access sensitive content like geolocation.
  2. Consider providing just-in-time disclosures and obtaining affirmative express consent for other content that consumers would find sensitive in many contexts, such as contacts, photos, calendar entries, or the recording of audio or video content. Providing such disclosure at the time when it matters to consumers, just before the collection of this information by applications, will allow users to make informed choices about whether to allow the collection of this information.
  3. Consider developing a one-stop "dashboard" approach to allow consumers to review the types of content accessed by the applications they have downloaded.
  4. Consider developing icons to depict the transmission of user data.
  5. Promote application developer best practices. For example, platforms can require developers to make privacy disclosures, reasonably enforce these requirements, and educate application developers.
  6. Consider providing consumers with clear disclosures about the extent to which platforms review applications before making them available for download in the application stores and conduct compliance checks after the applications have been placed in the application stores.
  7. Consider offering a Do Not Track mechanism for smartphone users for allowing consumers to choose to prevent tracking by advertising networks or other third parties as they navigate among applications on their phones.

Application Developers

Per the Mobile Privacy Disclosures Report, the application developers should:

  1. Have a privacy policy and make sure it is easily accessible through the application stores.
  2. Provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing with third parties sensitive information, such as financial, health, or children's data, where the platforms have not already provided such disclosures and obtained such consent.
  3. Improve coordination and communication with advertising networks and other third parties, like analytics companies, that provide services for applications so the application developers can provide accurate disclosures to consumers. Application developers often integrate third-party code to facilitate advertising or analytics within an application with little understanding of what information the third party is collecting and how it is being used. Application developers need to better understand the software they are using through improved coordination and communication with advertising networks and other third parties.
  4. Consider participating in self-regulatory programs, trade associations, and industry organizations, which can provide guidance on how to make uniform, short-form privacy disclosures.

Advertising Networks and Other Third Parties

According to the Mobile Privacy Disclosures Report, advertising networks and other third parties should:

  1. Communicate with application developers so that the developers can provide truthful disclosures to consumers.
  2. Work with platforms to ensure effective implementation of Do Not Track for mobile.

Application Developer Trade Associations

Application developer trade associations, together with academics, usability experts, and privacy researchers can:

  1. Develop short form disclosures for application developers.
  2. Promote standardized application developer privacy policies that will enable consumers to compare data practices across applications.
  3. Educate application developers on privacy issues.

Mobile Security Guidance for Application Developers

"Mobile App Developers: Start with Security" encourages application developers to aim for reasonable data security and evaluate the application ecosystem before development. This guide also includes the following tips:

  1. Make someone responsible for data security.
  2. Take stock of the data collected and maintained.
  3. Understand the differences between mobile platforms.
  4. Do not rely on a platform alone to protect users.
  5. Generate credentials securely.
  6. Use transit encryption for user names, passwords, and other important data.
  7. Use due diligence on libraries and other third-party code.
  8. Consider protecting data stored on a user's device.
  9. Protect servers.
  10. Do not store passwords in plain text.
  11. Stay aware, and communicate with users.
  12. Make sure to understand applicable standards and regulations when dealing with financial data, health data, or children's data.

Enforcement and Other Guidance

The FTC continues to bring enforcement actions against companies in the mobile area. See:

In August 2012, the FTC issued guidance, "Marketing Your Mobile App: Get It Right from the Start," to help mobile application developers comply with truth-in-advertising standards and basic privacy principles.

Also, in January 2013, the California Attorney General issued guidance titled "Privacy on the Go: Recommendations for the Mobile Ecosystem," containing recommendations for application developers, platform providers, advertising networks, mobile carriers, and operating system developers. According to this guidance, these recommendations offer greater protection than existing law in many places and "… are intended to encourage all players in the mobile marketplace to consider privacy implications at the outset of the design process." The California Attorney General also continues to enforce mobile application privacy.

This article was first published on IRMI.com and is reproduced with permission. Copyright 2013, International Risk Management Institute, Inc.