FTC Recommends Best Practices for Mobile Privacy

Screen Shot 2013-02-07 at 4.34.34 PMOn February 1, 2013, the FTC
released a new report, Mobile
Privacy Disclosures: Building Trust Through Transparency
, setting out
current data protection best practices for mobile operating system (OS)
providers and app-developers.

The report’s guiding principle
is that these providers must work to give mobile device users:

(1)  clear
understandings of how her information is being collected, and

(2)  tools
to manage and protect access to her data.

The FTC recommends that
app-developers and OS-providers integrate specific privacy designs into their
products, to protect themselves from future FTC actions.  It also recommends a general ‘privacy by
design’ approach, which would prioritize data minimization, data security, and
procedural safeguards at every stage of product development.

It also pushes ad networks,
third-party data collectors, and app-industry groups to put a priority on data
protection measures, so that they encourage OS-providers and app-developers to
provide users more notice and controls.

Recommendations for OS-providers

The FTC focuses on OS-providers
as the main stakeholder who can promote data protection. This is because
OS-providers largely determine the users’ experience & awareness of data
privacy, and because they have substantial leverage over app-developers.

The FTC recommends OS-providers
build in privacy alerts and management tools for users, and that they implement
enforceable standards for app-developers. These best practices are:

Privacy Alerts for Users

  • Definitely provide ‘just-in-time’ warnings
    (i.e., just prior to the collection of information) to the device-owners before
    apps can access ‘sensitive content’ — especially geolocation. Ask the user if
    she agrees to let the app access the data, and only if she consents, will the
    app be granted access.
  • Consider providing ‘just-in-time’ consent
    interfaces for apps’ collection of semi-sensitive content, including contacts,
    photos, calendar entries, and the recording of audio or video.
  • Publish a clear policy about how the OS-provider
    reviews apps before they are released for download.

Management Tools for Users

  • Build a dashboard into the platform, on which
    the user can review what types of content certain apps can access, and what
    data apps have already accessed.
  • Create a set of universal icons that communicate
    to the user what data is being accessed by an app.
  • Offer users a Do Not Track mechanism, which
    would let them choose to prevent tracking by ad networks and other third
    parties while using apps, unless apps get their consent.


Screen Shot 2013-02-07 at 4.33.26 PM

An Icon on Android OS, notifying the user that the app is accessing her geolocation data



Screen Shot 2013-02-07 at 4.33.13 PM

An Icon on Apple's iOS, notifying the user that her geolocation data is being accessed

Screen Shot 2013-02-07 at 4.34.00 PM

A privacy notice icon, that appears when data is being collected, which the user can expand and read more about


Supervision of App-Developers

  • Require developers to disclose data collection
    to users and have a privacy policy in place, through contract provisions.
  • Educate developers about best practices in data
  • Conduct compliance checks of apps, to determine
    if they are in violation of data protection standards.  If the standards are not met, then enforce
    them by taking action against the developer.

Recommendations for App-Developers

The FTC also focuses on what
app-developers could be doing better regarding data protection.  It recommends the following best practices:

Privacy Alerts for Users

  • Post a privacy policy on the app store about how
    they may collect and distribute users’ data.
  • If the OS-provider does not do so already,
    provide ‘just-in-time’ warnings to users before collecting data, and only
    accessing the data if the user explicitly consents to it.

Oversee Ad Networks & 3rd

  • Before integrating third-party code into an app
    (e.g., for ads or for analytics), first determine what user information the
    third-party will be collecting.
  • Communicate to the user that this third-party
    data collection will occur.

Reach out for Guidance

Enforcement & consequences

The FTC emphasizes that it will
enforce data protection standards for mobile businesses. 

It points to its recent action against
for their collection of users’ address book data and collection of
children under 13 without parental consent – and by their action against
for a peer-to-peer file-sharing app that would lead to users’
unwitting exposure of personal files on their device.

The FTC has put together this
report of recommendations so that mobile businesses can avoid such actions.  If OS-providers and app-developers implement
these designs, and if they comply with the upcoming NTIA privacy code of
conduct, the FTC indicates that this compliance will insulate companies from
law enforcement actions.

One thought on “FTC Recommends Best Practices for Mobile Privacy

Leave a Reply

Your email address will not be published. Required fields are marked *