On Friday, Feb. 1, 2013, following the now expected series of public workshops and roundtables and well-timed enforcement actions, the Federal Trade Commission Staff issued a new 36-page staff report, Mobile Privacy Disclosures: Building Trust Through Transparency. The Report summarizes past actions and guidance, and makes new recommendations for clearly and transparently informing users about mobile data practices in the “rapidly expanding mobile marketplace.”
The report makes distinct recommendations for meeting fair information practices for mobile operating systems (Apple iOS, Google Android, Windows Phone, along with the App stores for each), ad networks, and app developers, and solicits innovation and support from academia and industry trade associations in developing meaningful, consistent disclosure rules and practices.
The most meaningful disclosures are those which are connected to a user’s primary activity, in real time, the Staff acknowledges. Policies should be available through links in readily available locations (pre- and post-download), but “just-in-time” disclosures, particularly for sensitive items such as location or collection of personal data from the phone (contacts, photos and the like), are an important compliment. A disclosure is best made proximate in time and “place” to a user’s particular goal: whether it be making a purchase or uploading or viewing content or playing a game.
And beyond merely linking out to a full policy, the Report favors accessibility and readability in the small screen environment. Reading a full-size privacy policy on a mobile device can be challenging, particularly if it is presented without (as one participant in the workshop preceding the Report put it) “a clear visual hierarchy to draw attention to the key points of the documents,” such as “numeric outline, bullet points, and icons to help make it clear and digestible.” (The Work shop materials, including slide presentations available at http://www.ftc.gov/bcp/workshops/inshort/index.shtml.)
Although the Report principally highlighted the “transparency” principle (post a policy; just in time disclosures), a closer read indicates the FTC Staff remain very focused on privacy by design concepts articulated in past reports, including reasonable collection limitations and disposal periods. Mobile devices can collect a great deal of data over time, which will “reveal the habits and patterns that mark the distinction between a day in the life and a way of life.” Such data accumulation, even if not sold to or shared with third parties, is as susceptible to theft or inadvertent loss and therefore, long acknowledged consumer harms such as stalking or identity theft. Many a data breach incident – and the attendant expense of disclosures and private party claims and lawsuits – would have been avoided by timely destruction of data after it has served its intended business purposes. Companies collecting data from mobile devices should be very thoughtful (i.e., intentional) in their choices about what data to collect, how long to store it, and with whom it should be shared due to these heightened privacy sensitivities and bear in mind that the FTC is joined in its concern by other regulators (for example the FCC, California AG, the UK’s ICO and China’s MIIT).
For companies collecting unique data elements through their Apps (who often outsource development to third parties), it is more important than ever to have a procedure in place to review the privacy implications of new mobile products and services, new servicing arrangements, and new marketing or other business partner arrangements. In the App space, companies should avoid risks arising from major consumer brands partnering with weak or unsophisticated app development teams who do not understand the operating systems, ad sharing networks, analytics or other necessary technical building blocks to an accurate and fully implemented privacy policy.
Companies should also consider the effectiveness of the management information systems, monitoring procedures, and training programs for staff who are making and implementing decisions about what data elements are collected from smartphones, how they are combined with other profiling data, how they are shared, whether they are monetized in any way, and the role of analytics and ad networks.
To manage risks of litigation or enforcement action, companies need to draft and post a visually appealing, readable privacy policy – backed up by excellent just in time disclosures – that accurately and completely discloses what information is collected, how it is stored, used, disclosed, and secured, and whether end user choices and preferences exist and function as intended. The cornerstone of that effort in large organizations is a core of designated personnel, with assigned duties, well published within the company, who are integrated into all new releases of mobile products and services.
Submit a comment about this post to the editor.