FTC Staff Report Outlines Best Practices for Mobile App Industry

Agency provides disclosure guidelines to protect consumer privacy.

In a mobile industry growing at what former Federal Trade Commission (FTC) Chair Jon Leibowitz described as “breathtaking speed,” the FTC staff issued a new report setting forth guidelines to ensure that consumer privacy protection keeps pace with technological innovation.

Today, a majority of Americans with cell phones use smartphones, turning to mobile phone applications—commonly termed “apps”—for entertainment, browsing the news, and even for highly sensitive tasks such as personal banking and managing health conditions.

As apps continuously run in the background on consumers’ phones and tap into stored information, they provide a seamless experience for the user but may also pose serious privacy concerns. Many mobile apps automatically collect information such as a person’s location, contact list, social media username, and personal photos. In recent years, regulators have increasingly focused their attention on these collection processes.

The FTC has closely monitored the development of the mobile industry for over a decade. The agency appears to be worried that apps may continuously track consumers’ personal information without their consent. According to Leibowitz, “many of the rules and practices in the mobile space are sort of like the Wild West.”

Years of industry research and findings from an FTC workshop held last year have culminated in a new FTC staff report—entitled “Mobile Privacy Disclosures: Building Trust Through Transparency.” The report outlines several strategies for making consumers better aware of the information they provide by using mobile apps.   The guidelines address all major players in the “mobile ecosystem,” including app developers, advertising companies, operating system providers, and industry trade groups.

The agency hopes to increase transparency by enforcing a more rigorous system of disclosures. The report encourages mobile app creators to provide more “just-in-time disclosures,” which would solicit consumer consent to access sensitive data, such as geolocation information, immediately before this information is collected. Another suggestion encourages mobile platforms to develop an icon that would be visible to the user during all transmissions of personal data. Additionally, to make consumers more aware of the range of data collected, the FTC has asked operating system providers to consider creating a privacy “dashboard” through which users could view all data accessible by each downloaded app.

The FTC staff report also included strong support for the development of a Do Not Track mechanism for mobile users. “Tracking” refers to the ability of advertisers and other content providers to monitor what a person views on line. While most traditional computer users are able to opt out of tracking, mobile users typically do not have such opportunities, though some individual apps may ask for consumers’ tracking preferences.

The release of the guidelines follows the publication of a Government Accountability Office (GAO) report calling for increased mobile privacy regulation.  The FTC staff report attempts to respond to both the GAO report and to several studies describing consumers’ desire for increased protection. One such study revealed that over half of mobile users have opted to uninstall an app because of privacy concerns. Another study showed that less than one third of respondents indicated that they felt “in control of their personal information on their mobile devices.”

Despite the report’s suggestions, app developers will face challenges when trying to address privacy concerns. For example, the report cites the screen size of mobile devices as a physical constraint on disclosure. It also explores ways to overcome the difficulty of communicating complex technological information to consumers that may be unfamiliar with industry jargon. To maximize transparency, the report suggests that industry participants adopt uniform terminology and simple language, drawing from the Commission’s experience formulating more accessible language for mortgage disclosures and financial privacy notices.

Because the suggestions are included in a staff report, they are not binding upon actors within the mobile industry and do not constitute official agency policy. However, according to industry observers, the report may signal to the market that the Commission is closely monitoring industry practices to protect consumers.   As the former chief privacy officer for the Department of Homeland Security explained, the report may suggest that “if you’re outside the recommended behavior, you’re at a higher risk of enforcement action.”

Industry professionals have expressed concern that regulations proposed by the FTC may result in “unintended consequences.”   In particular, some have argued that self-regulatory measures may be a preferable approach to managing the unique privacy concerns posed by new technology.