On February 1, 2013, the FTC
released a new report, Mobile
Privacy Disclosures: Building Trust Through Transparency, setting out
current data protection best practices for mobile operating system (OS)
providers and app-developers.
The report’s guiding principle
is that these providers must work to give mobile device users:
understandings of how her information is being collected, and
to manage and protect access to her data.
The FTC recommends that
app-developers and OS-providers integrate specific privacy designs into their
products, to protect themselves from future FTC actions. It also recommends a general ‘privacy by
design’ approach, which would prioritize data minimization, data security, and
procedural safeguards at every stage of product development.
It also pushes ad networks,
third-party data collectors, and app-industry groups to put a priority on data
protection measures, so that they encourage OS-providers and app-developers to
provide users more notice and controls.
Recommendations for OS-providers
The FTC focuses on OS-providers
as the main stakeholder who can promote data protection. This is because
OS-providers largely determine the users’ experience & awareness of data
privacy, and because they have substantial leverage over app-developers.
The FTC recommends OS-providers
build in privacy alerts and management tools for users, and that they implement
enforceable standards for app-developers. These best practices are:
Privacy Alerts for Users
- Definitely provide ‘just-in-time’ warnings
(i.e., just prior to the collection of information) to the device-owners before
apps can access ‘sensitive content’ — especially geolocation. Ask the user if
she agrees to let the app access the data, and only if she consents, will the
app be granted access.
- Consider providing ‘just-in-time’ consent
interfaces for apps’ collection of semi-sensitive content, including contacts,
photos, calendar entries, and the recording of audio or video.
- Publish a clear policy about how the OS-provider
reviews apps before they are released for download.
Management Tools for Users
- Build a dashboard into the platform, on which
the user can review what types of content certain apps can access, and what
data apps have already accessed.
- Create a set of universal icons that communicate
to the user what data is being accessed by an app.
- Offer users a Do Not Track mechanism, which
would let them choose to prevent tracking by ad networks and other third
parties while using apps, unless apps get their consent.
Supervision of App-Developers
- Require developers to disclose data collection
- Educate developers about best practices in data
- Conduct compliance checks of apps, to determine
if they are in violation of data protection standards. If the standards are not met, then enforce
them by taking action against the developer.
Recommendations for App-Developers
The FTC also focuses on what
app-developers could be doing better regarding data protection. It recommends the following best practices:
Privacy Alerts for Users
they may collect and distribute users’ data.
- If the OS-provider does not do so already,
provide ‘just-in-time’ warnings to users before collecting data, and only
accessing the data if the user explicitly consents to it.
Oversee Ad Networks & 3rd
- Before integrating third-party code into an app
(e.g., for ads or for analytics), first determine what user information the
third-party will be collecting.
- Communicate to the user that this third-party
data collection will occur.
Reach out for Guidance
- Take advantage of self-regulatory programs,
trade associations, and industry organizations to stay up-to-date on what best
- Follow the National
Telecommunications & Information Agency’s upcoming privacy
code of conduct.
Enforcement & consequences
The FTC emphasizes that it will
enforce data protection standards for mobile businesses.
It points to its recent action against
Path for their collection of users’ address book data and collection of
children under 13 without parental consent – and by their action against
Frostwire for a peer-to-peer file-sharing app that would lead to users’
unwitting exposure of personal files on their device.
The FTC has put together this
report of recommendations so that mobile businesses can avoid such actions. If OS-providers and app-developers implement
these designs, and if they comply with the upcoming NTIA privacy code of
conduct, the FTC indicates that this compliance will insulate companies from
law enforcement actions.