FTC Releases Best Practices Report for Mobile Privacy Policy Disclosures
The FTC laid out best practices on how mobile apps should notify users of their data collection and sharing practices, in a Friday report approved by a unanimous vote of commissioners. The report gave privacy-bolstering recommendations for app developers, third parties, such as advertising networks, and app platforms, such as Google Play or the Apple App Store.
The app industry should take the recommendations seriously, departing FTC Chairman Jon Leibowitz told reporters Friday. “Some companies are doing a good job.” If “other companies don’t wake up and do the right thing” they will face “much more prescriptive” legislation from Congress “down the road,” especially considering the bipartisan support online privacy has as a policy issue, he said. Leibowitz leaves Feb. 15. (See separate report below in this issue.)
An FTC May workshop found that “consumers do not know or understand current information collection and use practices occurring on mobile devices,” and without the knowledge that those practices exist, “they do not look for options providing them with control,” the report said (http://xrl.us/bod7it). When consumers are made aware that these practices exist, they “typically are surprised and view the practices as underhanded,” and they do not understand the disclosure, it said. Because of the small screen size of mobile devices, consumers need “shorthand, consistent disclosures,” which would allow them to compare privacy practices across apps, the report continued. It said the disclosures should be just-in-time. That means the caveats are delivered at “an appropriate moment in time,” making it “likely to be of greater relevance,” the agency said Friday.
Platforms should play a bigger role in user privacy disclosures because they act as an intermediary between users and developers and can “set requirements for app developers and even reject apps that fail to meet such requirements,” the report said: Platforms could require their apps to provide disclosures and obtain consent before accessing sensitive user data. Before platforms allow apps to access user data via the application programming interface, the platforms “should provide a just-in-time disclosure ... and obtain affirmative express consent,” the report said. That “will allow users to make informed choices about whether to allow the collection of such information,” it said: These disclosures should “avoid technical jargon” and clearly communicate what data the app can access.
The report also suggested that platforms create “Privacy Dashboards,” such as the ones currently found in the Apple and Google ecosystems. The dashboard would serve as a central place in the device where users can determine which apps are accessing what kind of data, providing “an easy way” to review their data sharing and “to revisit the choices they initially made about the apps,” the agency said. The report encouraged platforms to develop icons to tell users when certain data are being accessed by an app, such as the geolocation icons that appear on Apple and Google devices when apps are accessing their geolocation information. Enacting these privacy-enhancing measures would bolster the reputation of the platforms and educate “small app developers who may not be focused on privacy issues,” the report said.
Platforms are in the best position to develop Do Not Track (DNT) features for users who do not want to be tracked across apps, the commission wrote. “Offering this setting or control through the platform will allow consumers to make a one-time selection rather than having to make decisions on an app-by-app basis.” The report said the DNT system should be “(1) universal, (2) easy to find and use, (3) persistent, (4) effective and enforceable and (5) limit the collection of data, not just its use to serve advertisements.”
App developers “should have a privacy policy and make that policy available through the platform’s app store,” the report said. When an app is accessing sensitive data outside the platform’s, it “should provide just-in-time disclosures and obtain affirmative express consent” from users, the report continued. App developers should also work with third parties to better understand how user data gets used once collected through an app and shared with a third party, such as an ad network. Outside of working with app developers, ad networks should cooperate with platforms in their attempts to develop and implement a DNT system, the report said. App trade associations should work to “develop standardized icons to depict app privacy practices” and “badges,” which could use icons and text to inform users of an app’s privacy practices, it said. The agency also recommended associations standardize privacy policies for the apps they represent.
Meanwhile, mobile privacy stakeholders -- including app developers, privacy advocates, members of the online advertising industry and others -- are working to finalize a voluntary mobile privacy code of conduct, which would establish best practices for informing users of data collection through short-form notices. During the discussions -- facilitated by NTIA -- stakeholders have debated the efficacy of icons in giving users meaningful consent. Leibowitz said the FTC is participating in the NTIA stakeholder discussions, but this report was written without consideration of the stakeholders’ code draft. “This was a separate initiative,” he said. “We hope that our report will provide useful input for stakeholders.” The NTIA thinks “the FTC report provides a thoughtful discussion of a wide range of mobile privacy issues and will provide important considerations for stakeholders as they continue to develop a code of conduct regarding mobile application transparency,” said John Verdi, director of privacy initiatives for NTIA.
The Application Developers Alliance welcomed the FTC’s approval of that NTIA-led work, which the alliance participated in, said President Jon Potter in a statement. It’s good the commission’s intent is to look favorably on app developers and publishers that “implement the voluntary mobile app transparency codes that result from the NTIA process,” he said. The Association for Competitive Technology (ACT) “is pleased that the Commission highlighted the Privacy Dashboard as a preferred means to inform users about data usage in a format accessible to smartphone users,” said Executive Director Morgan Reed. “The FTC’s recommended dashboard model received high praise at the NTIA privacy multistakeholder meetings when ACT demoed its version,” he said. “It is time we moved past long privacy policies that are seldom read and give consumers the information they want in a way that they are best able to digest.”