5 Tips for Staying Ahead of Mobile Privacy Enforcement

Special from :

5 Tips for Staying Ahead of Mobile Privacy Enforcement

On March 28, 2013, one of the Federal Trade Commission’s privacy division attorneys predicted that the FTC will continue to remain focused on mobile privacy citing it as a “huge priority for the agency.” He also advised that enforcement actions will ensue if companies do not incorporate security, choice and transparency into the app development process.

The FTC has expressly stated that the concept of “privacy by design” applies to mobile apps. Privacy by design calls on companies to incorporate substantive privacy protections into their everyday business practices such as (1) data security, (2) reasonable collection limits, (3) sound retention and disposal practices, and (4) data accuracy. The FTC has also recommended that companies incorporate choice (i.e., affirmative express consent for use of data out of context or for sensitive data); and transparency (i.e., shorter, clearer privacy notices) into their mobile apps before the collection of personal information begins.¹

Mobile marketing is one of the important privacy trends for companies to pay attention to this year. In the last six months, recent activities indicate that regulatory enforcement and class actions are becoming common in the mobile media space. In December 2012, the California attorney general sued Delta Airlines for failing to include privacy notices in its apps. That same month, six class actions were filed against companies for allegedly tracking children through mobile apps in violation of the Children’s Online Privacy Protection Act. On Feb. 1, 2013, the FTC announced an $800,000 “civil penalty” against a mobile app developer.

To avoid such penalties, companies with mobile apps need to address (1) privacy by design, (2) choice, and (3) transparency in all phases of the development and distribution of their mobile apps.

Since January 2013, numerous best practice reports have been issued that companies can consult when developing their apps. For example:

• California AG’s “Privacy on the Go” report (issued Jan. 10, 2013) relating to any app that collects personal information (including behavioral data) from California residents

• FTC’s mobile privacy disclosures report (issued Feb. 1, 2013)

• Article 29 Working Party’s “Opinion on apps on Smart Devices” (adopted Feb. 27, 2013) relating to apps targeted to the European Union

• U.S. Department of Commerce facilitated National Telecommunications and Information Administration multistakeholder process has resulted in a draft “mobile app transparency” document (most recent version circulated on March 29, 2013)

Moreover, there are several federal privacy bills and some 15 bills in the California legislature that will likely have national and international reach.

How can companies that are interested in implementing compliance programs stay ahead of this trend and stay out of regulatory enforcement or class actions?

1) Be aware that class actions and regulatory enforcement go hand in hand and are expensive. Consumer class action plaintiffs and regulators typically seek statutory damages. In the recent case against Delta, the California AG alleged that Delta’s app was downloaded “millions” of times and seeks statutory civil penalties, under California state laws applicable to non-California companies, of $2,500 per download. Furthermore, many consumer class actions relating to targeted advertising allege violations of the Electronic Communications Privacy Act. These class actions often allege hundreds of millions of violations (for each time a consumer’s device is tracked) at $10,000 per violation. Regulators have announced enforcement action settlements involving 15- to 20-year reporting requirements. Reporting requirements can be even more onerous than class actions as they often require annual or biannual audits, for up to 20 years, at considerable expense to the companies facing them.

2) Do not assume that the privacy policy for your website will be sufficient disclosure. All of the guides call for “enhanced” or “special notice” for collection of sensitive information or personal information that is not within the “context” of the app. The enhanced notice is expected to supplement and be outside of the privacy policy. The FTC, California AG and Article 29 Working Party envision that these enhanced/special notices will notify users if information is being collected that they would not expect (e.g., an app for restaurant location also collects stored information such as a user’s contacts or audio data). Further, if a company’s website privacy policy is linked to its app, the company should update its general privacy policy to reflect collection of user data including photographs, unique identifiers, and/or other sensitive information.

3) If your company is tracking user behavior for internal analytics or ad service, you may need consumer consent. The FTC and California AG are moving toward a definition of personally identifiable information that is more like Europe in that it includes persistent identifiers such as mobile device identifiers and unique identifiers within the definition of personal information. These numerical values are not currently contained in any breach notification statutes, however, the Article 29 Working Party (in the EU) and the California AG have specifically attachedsecurity requirements to this type of data—in some instances calling for encryption of behavioral and other data collected via apps as well as “proactive” adherence to beach notification best practices.

4) Know that the recent mobile guides go beyond the law but represent best practices from the regulators’ points of view. (5 Tips For Staying Ahead Of Mobile Privacy Enforcement - Law360 Page 2 of 3 http://www.law360.com/articles/431481/print?section=privacy 4/23/2013) Understand that California’s mobile policy, the FTC mobile guide, the National Telecommunications and Information Administration draft disclosure recommendations and the Article 29 Working Party’s mobile guidance are a source of “best practices.” These guidelines apply to companies that collect personally identifiable information, including behavioral data collected through persistent identifiers, and are intended for nationwide or global reach.

5) Be familiar with the mobile practice guides and use a checklist when developing your app. Currently, many companies are members of self-regulatory groups like the Digital Advertising Alliance, the Interactive Advertising Bureau and others. It is important for companies to understand that compliance with industry self-regulation protocols like the DAA or IAB will not be sufficient to meet the recent guidelines from the FTC, California AG and the Article 29 Working Party. Rather than following any one guide, companies should understand the requirements for each of these documents in order to assess what will work for your company.

—By Dominique R. Shelton, Alan L. Friel and Laurie A. Kamaiko; Edwards Wildman Palmer LLP

Dominique Shelton and Alan Friel are partners in Edwards Wildman's Los Angeles office. Laurie Kamaiko is a partner in the firm's New York office. The opinions expressed are those of the author and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

All Content © 2003 – 2013, Portfolio Media, Inc. Reprinted with permission.