FTC Releases Report on Mobile Privacy Disclosures
February 1, 2013. The Federal Trade Commission (FTC) released a report [36 pages in PDF] titled "Mobile Privacy Disclosures: Building Trust Through Transparency".
It enumerates numerous "suggestions" and "recommendations" for the businesses and organizations involved in mobile communications regarding their privacy related practices and disclosures.
Recommendations Contained in the Report. It states that the mobile platforms (that is, the mobile operating systems providers, Google, Apple, Amazon, Microsoft, Blackberry) "should ... Provide just-in-time disclosures to consumers and obtain their affirmative express consent before allowing apps to access sensitive content like geolocation". Platforms should also "Promote app developer best practices."
It also states that platforms should consider "providing just-in-time disclosures and obtaining affirmative express consent for other content that consumers would find sensitive in many contexts, such as contacts, photos, calendar entries, or the recording of audio or video content".
They should also consider "developing a one-stop ``dashboard´´ approach to allow consumers to review the types of content accessed by the apps they have downloaded", "developing icons to depict the transmission of user data", "providing consumers with clear disclosures about the extent to which platforms review apps prior to making them available for download in the app stores and conduct compliance checks after the apps have been placed in the app stores", and "offering a Do Not Track (DNT) mechanism for smartphone users".
It states that app developers should "Have a privacy policy and make sure it is easily accessible through the app stores", "Provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information (to the extent the platforms have not already provided such disclosures and obtained such consent);" and "Improve coordination and communication with ad networks and other third parties, such as analytics companies, that provide services for apps so the app developers can provide accurate disclosures to consumers". (Parentheses in original.)
It also states that app developers "should ... Consider participating in self-regulatory programs, trade associations, and industry organizations, which can provide guidance on how to make uniform, short-form privacy disclosures."
The report recommends that advertising networks and other third parties "should ... Communicate with app developers so that the developers can provide truthful disclosures to consumers" and "Work with platforms to ensure effective implementation of DNT for mobile".
The report also recommends that app developer trade association "can ... Develop short form disclosures for app developers", "Promote standardized app developer privacy policies that will enable consumers to compare data practices across apps", and "Educate app developers on privacy issues".
The Association for Competitive Technology (ACT) praised most of the FTC report. However, it added in a statement that it has two areas of concern. First, "The recommendation that platforms provide reports about the scanning they do for privacy in a curated store could actually backfire. Stores may opt to do less or no privacy scanning of apps if they perceive a liability risk created by this report. This would not be a good outcome for app makers or consumers."
Second, the ACT wrote that "the report relies on a technology snapshot and may not represent the where the industry appears to be headed: offering better consumer controls and data isolation."
Legal Consequences of this Report. This report does not state what are the legal consequences of this report. The five member Commission voted 4-0-1 to approve this "report". Commissioner Joshua Wright did not participate. However, this is neither a promulgation of rules, nor a notice of proposed rulemaking.
The FTC does not have a general statutory grant of authority to regulate business practices that impact the privacy interests of their customers. Although, it does have limited authority under the Children's Online Privacy Protection Act (COPPA) to regulate businesses' online activities to protect children's privacy. See, 15 U.S.C. §§ 6501-6506. The COPPA bans operators of web sites and online services that are directed to children from collecting information from children under thirteen without parental consent. Although, FTC rules give it a broader meaning.
Also, the FTC has broad general authority with respect to "unfair or deceptive acts or practices" in interstate commerce. See, Section 5 of the FTC Act, which is codified at 15 U.S.C. § 45. The FTC has promulgated rules under the COPPA. See, story titled "FTC Releases Expanded COPPA Rules" in TLJ Daily E-Mail Alert No. 2,494, December 19, 2012. But, it has not written privacy related rules under Section 5. Rather, it institutes privacy related enforcement actions under Section 5 (which actions place others on notice as to what acts the FTC considers to be violations of Section 5), and it issues reports.
The just released report states that the FTC "is ensuring that it has the necessary technical expertise, understanding of the marketplace, and tools to monitor, investigate, and prosecute deceptive and unfair practices in the mobile arena". However, the report fails to disclose what affect violating the "suggestions" and "recommendations" in this report may or may not have on future FTC decisions to bring enforcement actions.
To date, most of the FTC's enforcement actions under Section 5 of the FTC related to online privacy have alleged that a web site operator's violation of its own published policy constitutes "deceptive" practices. The just released report does not disclose whether or not the FTC will bring enforcement actions, absent violation of a published policy, on the basis, for example, that violation of "suggestions" or "recommendations" contained in this report constitute "unfair" practices within the meaning of Section 5 of the FTC Act.
Outgoing FTC Chairman Jonathan Leibowitz gave a speech with the release of this report. He spoke in vague terms. He said that "Law enforcement remains central to our consumer protection mission". Also, the FTC has a "policy function", and "So on the policy side, we are releasing a report ..."
He added that "Some companies are doing a good job following these principles and protecting consumer privacy, but if other companies don't wake up and do better, industry is more likely to face more proscriptive laws down the road."
Rep. Barton and Rep. Markey. Rep. Joe Barton (R-TX) and Rep. Ed Markey (D-MA), senior members of the House Commerce Committee (HCC), often work together on privacy related issues.
They stated in a joint release that "The FTC is correct to point out that more must be done to protect the privacy of mobile device users. We believe consumers should have notice and give consent before their personal information is collected or shared. Protecting consumer privacy in the mobile environment is crucial, particularly when it comes to children and teens. We plan to reintroduce the Do Not Track Kids Act this Congress to ensure that our children are fully protected when they go online."
The two introduced HR 1895 [LOC | WW], the "Do Not Track Kids Act", on May 13, 2011, early in the 112th Congress. See, story titled "Rep. Markey and Rep. Barton Release Draft of Do Not Track Kids Act" in TLJ Daily E-Mail Alert No. 2,236, May 9, 2011. No committee or subcommittee marked up this bill.
They have not yet reintroduced this bill in the 113th Congress.
(Published in TLJ Daily E-Mail Alert No. 2,519, February 5, 2013.)