FTC Issues Mobile Privacy Guidelines, Encourages Development Of Platform-Level “Do Not Track” Capability

Following its earlier report on privacy and mobile apps for kids, the FTC has released a sweeping report on mobile privacy in general. It’s based on the Commission’s work for several years, as well as a compilation of third party and stakeholder recommendations and proposed policies developed through FTC workshops.

The report includes a host of detailed recommendations for each sector of the mobile ecosystem, including developers, ad networks and platform providers. The recommendations are framed as suggestions and aren’t ‘mandatory. However, the agency strongly implies that some of these will eventually take on the force of law:

Many companies in the mobile ecosystem have already begun addressing the challenge of developing effective privacy disclosures, and FTC staff applauds these efforts. The National Telecommunications and Information Agency (“NTIA”), within the U.S. Department of Commerce, has initiated a multistakeholder process to develop a code of conduct on mobile application transparency. To the extent that strong privacy codes are developed, the FTC will view adherence to such codes favorably in connection with its law enforcement work. Staff hopes that this report will provide important input for all participants in that process as well as stakeholders developing guidance and initiatives in this area. 

The recommendations are sure to frustrate some “in the industry” who will regard them as too burdensome or challenging to implement. Some will also see them as getting in the way of mobile advertising. Along those lines, among the most controversial recommendations is sure to be a platform-level, global do not track (DNT) capability. That’s because large numbers of consumers, if given and made aware of such a capability, would likely use it.

Here’s what the FTC says about DNT:

Accordingly, Commission staff continues to call on stakeholders to develop a DNT mechanism that would prevent an entity from developing profiles about mobile users. A DNT setting placed at the platform level could give consumers who are concerned about this practice a way to control the transmission of information to third parties as consumers are using apps on their mobile devices. The platforms are in a position to better control the distribution of user data for users who have elected not to be tracked by third parties.

Offering this setting or control through the platform will allow consumers to make a one-time selection rather than having to make decisions on an app-by-app basis. Apps that wish to offer services to consumers that are supported by behavioral advertising would remain free to engage potential customers in a dialogue to explain the value of behavioral tracking and obtain consent to engage in such tracking.

The following is a verbatim list of the majority of the FTC’s privacy recommendations contained in the report:

While some platforms have already implemented some of the recommendations below, those that have not should:

• Provide just-in-time disclosures to consumers and obtain their affirmative express consent before allowing apps to access sensitive content like geolocation;
• Consider providing just-in-time disclosures and obtaining affirmative express consent for other content that consumers would find sensitive in many contexts, such as contacts, photos, calendar entries, or the recording of audio or video content;
• Consider developing a one-stop “dashboard” approach to allow consumers to review the types of content accessed by the apps they have downloaded;
• Consider developing icons to depict the transmission of user data;
• Promote app developer best practices. For example, platforms can require developers to make privacy disclosures, reasonably enforce these requirements, and educate app developers;
• Consider providing consumers with clear disclosures about the extent to which platforms review apps prior to making them available for download in the app stores and conduct compliance checks after the apps have been placed in the app stores;
• Consider offering a Do Not Track (DNT) mechanism for smartphone users. A mobile DNT mechanism, which a majority of the Commission has endorsed, would allow consumers to choose to prevent tracking by ad networks or other third parties as they navigate among apps on their phones.

App developers should:

• Have a privacy policy and make sure it is easily accessible through the app stores;
• Provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information (to the extent the platforms have not already provided such disclosures and obtained such consent);
• Improve coordination and communication with ad networks and other third parties, such as analytics companies, that provide services for apps so the app
• Consider participating in self-regulatory programs, trade associations, and industry organizations, which can provide guidance on how to make uniform, short-form privacy disclosures.

Advertising networks and other third parties should:

• Communicate with app developers so that the developers can provide truthful disclosures to consumers;
• Work with platforms to ensure effective implementation of DNT for mobile.

App developer trade associations, along with academics, usability experts and privacy researchers can:

• Develop short form disclosures for app developers;
• Promote standardized app developer privacy policies that will enable consumers to compare data practices across apps;
• Educate app developers on privacy issues.

Below is the full FTC report. Anyone involved in the mobile ecosystem should read the report because at least some of these recommendations are likely to be enacted as enforceable privacy rules at some point in the not-too-distant future.