Kids’ Apps Still Not Providing Adequate Information and FTC Plans Investigations, Agency Report Says
An FTC survey of children’s apps “paint[s] a disappointing picture of the privacy protections provided by apps for children” (http://xrl.us/bn5qda). The survey, a followup to a report on the same topic from February (http://xrl.us/bn5qdc), said mobile apps don’t give parents information about what information the apps will collect from children or who that information will be shared with. The “study shows that kids’ apps siphon an alarming amount of information from mobile devices without disclosing this fact to parents,” FTC Chairman Jon Leibowitz said in a statement.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
"More must be done to arm parents with the most effective tools to protect their children when they are online,” said Reps. Ed Markey, D-Mass, and Joe Barton, R-Texas, in a joint statement about the FTC report. The pair introduced the “Do Not Track Kids Act” last year to “to ensure that children and teens are protected and that sensitive personal information isn’t collected or used without express permission,” they said in the statement. “We look forward to the FTC’s update of [Children’s Online Privacy Protection Act] regulations and encourage the Commission to continue its aggressive enforcement of COPPA violations,” the two wrote. During a press teleconference, the agency’s Associate Director of the Financial Practices Division, Jessica Rich, said the FTC has “recommended that there be general privacy legislation."
The survey was done during the summer of 2012 and found apps by searching the word “kids” in the Apple and Google Play app platforms, collecting the first 480 results -- sorted in the app platforms by popularity -- and randomly selecting 200 from each platform, according to the report. FTC staff then downloaded the apps and compared their stated data collected and use practices to their actual practices.
"What we found is cause for concern,” Rich said. Apps “generally failed to provide the critical information that parents need,” she said, including what information they will collect from children, such as geolocation, device identifiers and phone number, and who that information will be shared with, such as third party advertisers. According to the report, “only 20% (81) of the apps reviewed disclosed any information about the app’s privacy practices.” Additionally, the survey found that apps would include “interactive features” -- including in-app advertising or connections with social media accounts -- without notice prior to downloading the app. While app platforms notify users when apps contain in-app purchases, “these indicators are not always prominent and, even if noticed, may be hard for parents to understand.” Among those app developers that provided parents with “simple and short disclosure,” -- which were “far from the norm” -- “some of these app developers engaged in practices that contradicted their ’short and simple’ disclosures,” the report said.
The study’s findings “are very interesting in light of the COPPA proposals,” Rich said. The FTC is scheduled to release a rulemaking update to the 1998 law by the end of the year. FTC proposals from earlier this year have included expanding the definition of personal information to include IP addresses and device identifiers (CD Oct 10 p11). Apps and third parties that collect users’ device identifiers can potentially develop “a detailed profile” for each user, Rich said. According to the report, one company -- either an ad network, analytic company or “other third party” -- collected data from 100 of the apps that were reviewed, another collected data from 80 of the reviewed apps, and another collected data from 66 of the apps included in the survey. While the report doesn’t conclude what the collected data is being used for, “we do know device [identifiers] are being used to develop profiles of people,” Rich said.
Developers are moving away from using device identifiers, Morgan Reed, executive director of the Association for Competitive Technology said in a statement. App platforms are “introducing alternatives to limit tracking that are app-specific for sharing with advertisers and other [third] parties,” he said, making “it very difficult to combine information based on these ID’s across multiple apps or the web.” The platforms are also giving parents “very granular tools” so they can control what kind of data that apps can access, he continued, “regardless of app settings."
The FTC “is launching multiple nonpublic investigations to determine whether certain entities in the mobile app marketplace” have violated either COPPA or Section 5 of the FTC Act, which prohibits unfair and deceptive practices, as a result of the survey, the report said. In a separate statement, Commissioner Thomas Rosch wrote that enforcement actions should be brought under the “deception,” rather than the “unfair,” provision of Section 5. Investigating deceptive practices “would not only offer more certainty in the privacy area,” he wrote, but “would also be in alignment with the promises the Commission has made to Congress in terms of pursuing ‘unfairness.'” During a press teleconference on the report, Rich repeatedly declined to comment on the number or names of the apps being investigated. “Enforcement actions alone, while vitally important, are not enough to ensure that the privacy of consumers and their children are adequately protected, the report said, calling on “app stores, app developers, and third-parties that interact with apps” to develop industry standards. “They all play an important role in data collection, and they should play a role too” in developing standards, Rich said.
In the report, FTC staff suggested that members of the mobile app industry develop best practices that include “privacy by design,” giving parents accessible information about what information kids’ apps will collect and share and be more transparent about how apps collect, use and share information. “These standards should be developed expeditiously to ensure that consumers have confidence in the growing mobile apps marketplace,” staff wrote.
The report should “light a fire under” ongoing industry and multistakeholder-led efforts to develop best practices and codes of conduct, Rich said, pointing to private companies’ actions, efforts from the California Attorney General’s office (CD Nov 2 p14) and the multistakeholder process being facilitated by the NTIA to develop a code of conduct for mobile privacy. “Little or no progress has been made” in these efforts, the report said, and the FTC will follow up on this survey once those efforts “have had a reasonable time to develop.”
Some participants in the NTIA multistakeholder discussions have recently called for a larger role for the NTIA in the process (CD Dec 3 p3). Rich said the FTC supports the NTIA process as it currently stands. “If the NTIA’s stakeholder process is to succeed, it has to show real leadership,” Center for Digital Democracy Executive Director Jeff Chester, said in a statement. The NTIA should bring in scholars and civil rights groups to make sure the multistakeholders have the information they need and “to make sure the process is diverse and reflects what’s at stake for the public,” he said. Jim Halpert, technology lawyer with DLA Piper, said the NTIA multistakeholder discussion has “been a somewhat chaotic process” but he hopes to have results “relatively soon.” Stakeholders have “at least agreement now to the text” of a draft of the code of conduct, he said, and the report “is likely to influence” the discussions. App operators need more direction from the FTC, Halpert said. “There’s not a lot of clarity as to what app providers should be doing,” he said.