The Federal Trade Commission and the California Attorney General have recently published reports focused on mobile privacy. The FTC’s “Mobile Privacy Disclosures” staff report, released on February 1, 2013, followed the California AG’s “Privacy on the Go” report issued in January 2013.
Both reports make recommendations on mobile privacy disclosures to three different audiences: providers of mobile app marketplaces, mobile app developers, and mobile advertising networks. For companies that offer mobile apps as part of their consumer products and services (or permit another company to license their brand name(s) for a mobile app), the reports’ most important recommendations are those concerning a mobile app’s design.
Privacy Considerations When Designing a Mobile App
The California AG report takes a very practical approach to designing a mobile app that ensures users are informed about how their privacy may be affected. The AG recommends starting with a comprehensive analysis that identifies each piece of data collected by the app that contains personally identifiable information (including unique device identifier, mobile phone number, and geolocation) and, for each piece, considers the following questions:
- Is the data type necessary for the app’s basic function?
- Is the data type necessary for business reasons?
- How will the data be used?
- Will the data be stored on the device?
- If the data will be stored on servers, how long will it be retained?
- Will the data be shared with third parties (including advertising networks and analytics companies)?
- How will such third parties use the data?
- Within the company, who will have access to the data?
- Will the app access other parts of the mobile device? If so, can users control such access by modifying permissions?
Further, if an app uses personally identifiable information in a way that would surprise the consumer, a “just-in-time” disclosure should also be given. For example, a consumer would likely expect an ATM locator app to use his or her location to identify nearby ATMs. But the same consumer may be surprised that an ATM locator app is also using his or her location to identify discounts at nearby retailers, and consequently should receive a “just-in-time” disclosure about such use.
A “just-in-time” disclosure is intended to serve as a decision point for consumers. This means that it should give consumers the immediate opportunity to decide whether to allow their information to be collected, used, or shared by the app in a particular way, before such collection, use, or sharing occurs. If the data is necessary to the app’s basic function, the disclosure should also allow the consumer to discontinue the app’s use.
Other Mobile Privacy Considerations
Finally, both reports address concerns regarding mobile advertising networks. The FTC recommends that such networks develop a mechanism consumers could use to prevent network tracking of their use of apps. The California AG specifies that mobile advertising networks should avoid delivering ads outside the context of the app and use enhanced measures to obtain prior consent from users before accessing personal information.
Why This Matters
Ballard Spahr attorneys regularly advise financial institutions and other companies on developing financial services in the mobile channel to ensure compliance with consumer financial services laws, as well as related data security and privacy laws. The firm's Consumer Financial Services Group is nationally recognized for its guidance in structuring and documenting new consumer financial services products as well as its experience with the full range of federal and state consumer credit laws.
Members of the Consumer Financial Services Group who are also part of the Privacy and Data Security Group focus on financial privacy by design—evaluating new products and services and communications channels to ensure that financial institutions are meeting their privacy and data security obligations.