New FTC recommendations target mobile privacy concerns

The agency has shown that it will take enforcement action against companies that fail to protect privacy

Online Exclusive: Read about a recent FTC settlement with a social networking app.

In the past few years, mobile devices have become an integral part of business and personal communications. In a typical day, a consumer may use a mobile device to read files on his company server, review stock quotes and the latest news, email or text colleagues, pay bills, post status updates on LinkedIn and Facebook, check airplane schedules, locate the nearest Starbucks and buy movie tickets.

Such activity creates the potential for companies to collect sensitive personal data, including medical and financial information, as well as purchasing preferences that can be used for advertising and marketing purposes. The devices also track users’ locations and movements. Reflecting growing public concern about the privacy implications, the Federal Trade Commission (FTC) on Feb. 1 issued a report strongly encouraging mobile platform providers and app developers to take steps to safeguard personal information. 

The FTC recommendations in- clude obtaining express consent from consumers before apps access content including geolocation, contacts, photos and calendar entries, as well as developing icons to depict the transmission of such data. The FTC report states that mobile platforms should also consider offering a Do Not Track (DNT) feature for mobile users that would allow them to prevent ad networks or other third parties from tracking the websites they visit. 

“The FTC does not have general rulemaking authority, so the report does not have the force of law, but instead is instructive and influential as to what constitutes best practices in the view of the FTC,” says Christopher Wolf, a Hogan Lovells partner. 

“Wild West” Practices

The FTC and the Obama administration last year issued separate sets of recommendations for safeguarding consumers’ online privacy on computer Internet browsers, but those reports didn’t cover apps for shopping, social networking and other services offered on smartphones and other mobile devices. 

“We‘ve been looking at privacy issues for decades,” Jon Leibowitz, recently retired FTC chairman, told the New York Times. “But this [report] is necessary because so much commerce is moving to mobile, and many of the rules and practices in the mobile space are sort of like the Wild West. These best practices will help to safeguard consumer privacy and build trust in the mobile marketplace, ensuring that the market can continue to thrive.”

The FTC raises several questions in its report: How do companies privy to personal information use it or share it? With so many players collecting and using consumer data, who should provide privacy information to consumers? Given the limited screen space of mobile devices, how can this information be conveyed?

William Baker, of counsel at Wiley Rein, says the main concern of both regulators and legislators is that consumers don’t know how their data is being collected online and sold, and they have no control over it. 

The FTC claims that 57 percent of all app users have either uninstalled an app due to concerns about having to share their personal information or declined to install an app in the first place for similar reasons. 

“Even without such measures [as the FTC is proposing], however, the mobile marketplace has obviously flourished,” Baker counters. 

Whether the market would flourish even more or be hurt by rising costs if the FTC’s suggestions were widely implemented is anyone’s guess.

Enforcement Anticipated 

The FTC has shown it will use Section 5 of the FTC Act, which broadly prohibits “unfair or deceptive acts or practices in or affecting commerce,” to bring enforcement actions against companies that it claims fail to protect privacy and data security, says Michelle Cohen, an Ifrah Law member. 

“The FTC and the states follow a ‘say what you do and do what you say’ approach to privacy,” Cohen says. “If your company says in a privacy policy that it does not share, say, your personal information with third parties, or does not share your contacts, then it has to abide by that.” 

In some cases the FTC has considered data that companies collect online to be consumer reports covered by the Fair Credit Reporting Act and subject to its requirements. It also has used its enforcement powers under the Children’s Online Privacy Protection Act. 

“I anticipate further FTC and state attorney general actions against mobile app providers, with a particular focus on children’s privacy and financial privacy. The FTC has also shown some interest in medical apps,” Cohen says.  

Code of Conduct 

For months before the FTC report was issued, the National Telecomm- unications and Information Administration (NTIA) of the Depart- ment of Commerce sponsored multistakeholder meetings to develop a voluntary code of conduct regarding mobile data privacy. 

“It is reasonable to assume that the FTC released its staff report at this time in an attempt to influence the course of the NTIA process,” Baker says. 

The FTC report comments on the industry effort to develop standards by stating: “To the extent that strong privacy codes are developed, the FTC will view adherence to such codes favorably in connection with its law enforcement work.” 

Baker says the FTC could regard a voluntary code of privacy conduct for the industry as a safe harbor protecting companies from enforcement actions. 

“The question is whether the FTC will regard whatever emerges from the NTIA multistakeholder group as ‘strong,’” he says. “If it does not, then one incentive for the industry to sign on to whatever emerges from the multistakeholder process vanishes.”  n

Michael Kozubek

Bio and more articles

Join the Conversation

Advertisement. Closing in 15 seconds.