During the last several years, there has been explosive growth in the use of mobile technologies, fueling a concomitant increase in privacy-related regulatory activity and class action litigation around the globe. In the U.S., the recent regulatory trend began in earnest last year, when the primary privacy regulator in the U.S., the Federal Trade Commission (FTC), concluded its first enforcement action involving mobile apps.
The FTC reached an agreement with a developer of children’s games for the iPhone, requiring the app developer to pay $50,000 to settle charges that it violated the Children’s Online Privacy Protection Act (COPPA) by illegally collecting and disclosing personal information of tens of thousands of children under the age of 13 without their parents’ prior consent. The settlement was one of many recent reminders that even older laws such as COPPA, which was enacted in 1998, have important implications for new mobile technology.
Regulatory activity in the U.S. has since increased. In February, the FTC warned six marketers of background screening mobile apps that they may be violating the Fair Credit Reporting Act. Days later, in a report entitled “Mobile Apps for Kids: Current Privacy Disclosures are Disappointing”, the FTC issued a “warning call to industry that it must do more to provide parents with easily accessible, basic information about the mobile apps that their children use.”
The report was based on the FTC’s investigation of hundreds of mobile apps and their legally inadequate or nonexistent privacy notices. The report indicated that, during the coming months, the FTC would conduct additional review to identify enforcement opportunities. Among the report’s main conclusions were the following:
“Parents should be able to learn what information an app collects, how the information will be used, and with whom the information will be shared. App developers also should alert parents if the app connects with any social media, or allows targeted advertising to occur through the app. Third parties that collect user information through apps also should disclose their privacy practices, whether through a link on the app promotion page, the developers’ disclosures, or another easily accessible method.”
Less than a week later, this call for greater transparency was echoed by the California Attorney General, who announced an initiative to increase compliance with the California Online Privacy Protection Act of 2003 (OPPA). Among other compliance obligations, OPPA requires operators of mobile apps to post a privacy notice that contains a description of the categories of personal information the apps collect and the types of third parties with whom that information is shared. Many mobile apps collect an unexpectedly wide range of data from users’ mobile devices and silently share that data with networks of service providers and other third parties. Development of these apps often is outsourced or handled by an insular group of in-house developers.
Consequently, the company sponsoring the app frequently lacks the information necessary to craft an accurate privacy notice. Because OPPA prohibits the handling of data in a manner that is inconsistent with the privacy notice, the company could incur the risk of both an OPPA violation and damage to the company’s relationship with its consumers. In addition, the company runs the risk of joining the long line of companies against which the FTC has brought enforcement actions for inaccurate representations in privacy notices.
Meanwhile, new privacy issues continue to crop up in the text message arena. Current Federal Communications Commission (FCC) regulations prohibit the automated sending of any kind of non-emergency text message without the recipient’s prior express consent. The statutory damages of $500 per text message predictably have invited the interest of plaintiffs’ counsel, who have extracted millions of dollars in settlements from companies whose only alleged transgression was to send a confirmation message to consumers who opted out of mobile programs in which they previously had enrolled, such as “Your opt-out has been processed”.
The FCC recently sought comment on whether to take the position that the plaintiffs’ theory that the consumer’s opt-out revoked consent to send even the confirmation message should be deemed invalid. Even if the FCC provides some relief, the pressure remains: In February, the FCC announced new regulations that will prohibit companies from sending marketing-oriented text messages without first obtaining the recipients’ consent in the form of signed, written agreements.
For the business community, the message is clear: In the mobile space, companies must closely monitor the rapidly changing privacy landscape to safely navigate this complex terrain.