On Friday, Feb. 1, 2013, following the now expected series of public workshops and roundtables and well-timed enforcement actions, the Federal Trade Commission Staff issued a new 36-page staff report, Mobile Privacy Disclosures: Building Trust Through Transparency. The Report summarizes past actions and guidance, and makes new recommendations for clearly and transparently informing users about mobile data practices in the “rapidly expanding mobile marketplace.”
The report makes distinct recommendations for meeting fair information practices for mobile operating systems (Apple iOS, Google Android, Windows Phone, along with the App stores for each), ad networks, and app developers, and solicits innovation and support from academia and industry trade associations in developing meaningful, consistent disclosure rules and practices.
The most meaningful disclosures are those which are connected to a user’s primary activity, in real time, the Staff acknowledges. Policies should be available through links in readily available locations (pre- and post-download), but “just-in-time” disclosures, particularly for sensitive items such as location or collection of personal data from the phone (contacts, photos and the like), are an important complement. A disclosure is best made proximate in time and “place” to a user’s particular goal, whether it be making a purchase, uploading or viewing content, or playing a game.
Although the Report principally highlighted the “transparency” principle (post a policy; just-in-time disclosures), a closer read indicates the FTC Staff remain very focused on privacy-by-design concepts articulated in past reports, including reasonable collection limitations and disposal periods. Mobile devices can collect a great deal of data over time, which will “reveal the habits and patterns that mark the distinction between a day in the life and a way of life.” Such data accumulation, even if not sold to or shared with third parties, is just as susceptible to theft or inadvertent loss and, therefore, to long-acknowledged consumer harms such as stalking or identity theft. Many a data breach incident – and the attendant expense of disclosures and private party claims and lawsuits – would have been avoided by timely destruction of data after it had served its intended business purposes. Because of these heightened privacy sensitivities, companies collecting data from mobile devices should be very thoughtful (i.e., intentional) in their choices about what data to collect, how long to store it, and with whom it should be shared. They should also bear in mind that the FTC is joined in its concern by other regulators (for example the FCC, California AG, the UK’s ICO and China’s MIIT).
Companies should also consider the effectiveness of the management information systems, monitoring procedures, and training programs for staff who are making and implementing decisions about what data elements are collected from smartphones, how they are combined with other profiling data, how they are shared, whether they are monetized in any way, and the role of analytics and ad networks.