Copyright © 2024 LexisNexis and/or its Licensors.

Mobile App Privacy Considerations

November 09, 2016 (21 min read)

By: Mark W. Brennan, Hogan Lovells US LLP.

AS THE USE OF MOBILE DEVICES SUCH AS SMARTPHONES and tablets has become increasingly prevalent, mobile applications (mobile apps or apps) have also proliferated. Consumers use mobile apps to access social networks, conduct online banking, play games, listen to music, take photos and videos, find nearby restaurants or stores, monitor health and wellness, and perform many other day-to-day activities.

However, mobile apps may pose numerous privacy concerns due to the vast amount of personal information that may be collected, used, and shared by the millions of apps in the marketplace. These concerns are augmented by the nature of mobile devices, which can store sensitive data not typically found on computers (such as geolocation information, contacts, text messages, and call logs) and have small screens that can make it more difficult to communicate privacy practices and user choices effectively.

This article discusses the key privacy issues that app developers and others in the community should take into account when designing, developing, and marketing mobile apps, including:

  • Guidance from the Federal Trade Commission (FTC) and the California Attorney General
  • FTC enforcement actions involving mobile apps
  • Self-regulatory initiatives by organizations such as the National Telecommunications & Information Administration (NTIA), Digital Advertising Alliance (DAA), and Mobile Marketing Association (MMA)
  • Notable privacy laws that may apply in the mobile app context, including the California Online Privacy Protection Act (CalOPPA), Children’s Online Privacy Protection Act (COPPA), Health Insurance Portability and Accountability Act (HIPAA), and Video Privacy Protection Act (VPPA)

FTC Guidance and Enforcement

The FTC has broad authority to regulate and enforce privacy under Section 5 of the Federal Trade Commission Act (FTC Act), which prohibits unfair or deceptive acts or practices in commerce.1 The FTC has issued various guidance documents addressing privacy and data security issues in the mobile app context, including the reports and guides discussed below.

The FTC’s guidance, while not legally binding, signals the agency’s views on mobile app privacy and, as such, should be carefully considered by those in the mobile app community (such as app developers, platform providers, advertising networks and other third parties, and stakeholder trade associations). These guidance documents are discussed in further detail below, followed by notable FTC enforcement actions involving mobile apps. For more on the Kids App Reports and Mobile Shopping Apps Report, please go to the full article in Lexis Practice Advisor.

Privacy Report

The FTC’s Privacy Report, issued in March 2012, recommended the following best practices for companies that collect or use consumer data that may be reasonably linked to a specific consumer, computer, or other device:

  • Privacy by design. Companies should incorporate substantive privacy protections into the design of products and services (such as data security, reasonable collection limits, sound retention and disposal practices, and data accuracy) and maintain comprehensive data management procedures throughout the lifecycle of such products and services.
  • Simplification of consumer choice. For data practices not consistent with the context of a transaction or a consumer’s relationship with a business, companies should provide consumers with choices at a relevant time and within a relevant context. For instance, companies should obtain affirmative express consent before (1) using consumer data in a materially different manner than claimed at the time of collection or (2) collecting sensitive data (e.g., a Social Security number or financial, health, children’s, or geolocation information) for certain purposes.
  • Transparency. Privacy notices should be as clear, short, and standardized as possible. Consumers should also have reasonable access to their data (proportionate to the sensitivity of the data and the nature of its use), and all stakeholders should expand their efforts to educate consumers about commercial data privacy practices.

The FTC indicated that these principles do not apply when (1) data is not reasonably linkable or (2) a company collects only non-sensitive data from fewer than 5,000 consumers per year and does not share that data with third parties.

Data is not reasonably linkable if a company:

  • Takes reasonable measures to ensure that the data is de-identified
  • Publicly commits not to try to re-identify the data
  • Contractually prohibits downstream recipients from trying to re-identify the data9

The FTC also encouraged companies in the mobile services sector to work toward improved privacy protections (including developing short, meaningful disclosures). It specifically highlighted mobile privacy as an area on which it would continue its focus.

Mobile Privacy Disclosures Report

The FTC’s Mobile Privacy Disclosures Report, issued in February 2013, recommended best practices for:

  • Platforms (i.e., mobile operating systems and the app stores they offer, such as Apple’s iOS/App Store, Google’s Android / Google Play, and Microsoft’s Windows Phone / Windows Store)
  • App developers
  • Advertising networks and other third parties
  • App developer trade associations10

The FTC’s recommendations for each industry participant are discussed in further detail below.

Platforms

The FTC noted that platforms are the gatekeepers to the app marketplace and are in a unique position to convey privacy information to consumers. It therefore recommended that platforms:

  • Provide just-in-time disclosures to consumers (i.e., just prior to the collection of data) and obtain their affirmative express consent before allowing apps to access sensitive content, such as geolocation information, through an application programming interface (API).
  • Consider taking the above actions for other types of potentially sensitive content (such as photos, audio or video recordings, contacts, or calendar entries).
  • Develop a dashboard where consumers can easily view which downloaded apps have access to which data.
  • Use icons to communicate key terms and concepts (e.g., a geolocation icon that signals when an app is accessing a consumer’s geolocation information).
  • Promote app developer best practices (e.g., through contractual provisions and enforcement of such provisions).
  • Disclose the extent to which apps are reviewed before they are made available for download in app stores and any subsequent compliance checks.
  • Offer a Do Not Track mechanism for mobile devices that would allow consumers to prevent tracking by ad networks or other third parties via a one-time selection.

App Developers

The FTC recommended that app developers:

  • Create a privacy policy and make the policy available through the app stores (e.g., by posting the policy or a link to the policy on the app promotion page).
  • Provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information such as geolocation, financial, health, or children’s data (to the extent platforms have not already provided such disclosures and obtained such consent).
  • Coordinate and communicate with ad networks and other third parties (such as analytics companies) that provide services for apps so that accurate disclosures can be made to consumers.
  • Participate in self-regulatory programs, trade associations, and industry organizations, which can provide guidance on how to make uniform, short-form privacy disclosures.

Advertising Networks and Other Third Parties

The FTC noted that ad networks and analytics providers typically supply source code (today usually packaged as an SDK) to app developers to facilitate advertising or analytics within an app, but developers rarely understand how that code functions or what data it collects. It therefore encouraged greater communication and coordination among these parties so that developers can provide truthful and complete disclosures to consumers. It also recommended working with platforms to ensure effective implementation of a mobile Do Not Track system.

App Developer Trade Associations

The FTC recommended that trade associations:

  • Develop and/or improve short form disclosures for app developers (such as standardized icons or badges).
  • Promote standardized app developer privacy policies.
  • Educate app developers on privacy issues.

Mobile App Security Guide

In February 2013, the FTC issued guidance on mobile app security for app developers. While the FTC acknowledged that there is no one-size-fits-all approach, it indicated that it expects developers to adopt and to maintain reasonable data security practices.

The FTC’s tips for mobile app security include:

  • Designate a person who is responsible for security through all stages of development.
  • Practice data minimization (e.g., do not collect or retain data that is not necessary for the app to function).
  • Understand the security-related differences between mobile platforms, properly implement those features, and take any other necessary security measures.
  • Create credentials (such as usernames and passwords) securely.
  • Use transit encryption (such as HTTPS or another industry-standard method) any time the app transmits usernames, passwords, or other important data.
  • Conduct due diligence before using libraries, software development kits (SDKs), and other third-party code.
  • Encrypt sensitive data that is stored on a user’s device.
  • Take appropriate server security measures (if a commercial cloud provider is used, determine which party is contractually responsible for securing and updating software on the server).
  • Do not store passwords in plaintext (consider using an iterated cryptographic hash function instead).
  • Stay engaged following the release of the app (e.g., communicate with users, follow general and library-specific mailing lists to learn of any post-release security vulnerabilities).
  • Comply with relevant rules and regulations if the app collects children’s data (COPPA), health data (HIPAA Security Rule, Health Breach Notification Rule), or financial data (Gramm-Leach-Bliley Act (GLBA)).11

Mobile App Marketing Guide

The FTC issued its Mobile App Marketing Guide in April 2013, offering general guidelines to app developers on complying with truth-in-advertising and basic privacy principles. Specifically, the FTC recommended that app developers:

  • Ensure that any objective claims are factually supported (e.g., claims that an app provides benefits related to health, safety, or performance should be supported by competent and reliable scientific evidence).
  • Disclose key information clearly and conspicuously.
  • Follow “privacy by design” principles (i.e., incorporate privacy protections into the design of the app, such as data security, reasonable collection limits, and sound retention and disposal practices).
  • Be transparent about data practices.
  • Offer privacy controls (e.g., privacy settings or opt-out mechanisms) that are easy to find and use.
  • Honor any privacy promises.
  • Obtain users’ affirmative consent for material changes in privacy practices (merely revising a privacy policy would not be sufficient). Collect sensitive information (such as medical, financial, or geolocation information) only with consent.
  • Ensure compliance with COPPA and the FTC’s COPPA Rule.
  • Take reasonable steps to keep sensitive data secure, including (1) collecting only necessary data, (2) securing the data by taking reasonable precautions against well-known security risks, (3) limiting access to a need-to-know basis, and (4) safely disposing of data that is no longer needed.12

FTC Enforcement Actions Involving Mobile Apps

The FTC has brought a number of enforcement actions against mobile app developers and others in the industry for unfair or deceptive acts or practices in violation of the FTC Act13 and/or violations of other statutes within the FTC’s authority, such as COPPA14 and the Fair Credit Reporting Act (FCRA).15

The following types of practices have been targeted by the FTC:

  • Failing to adhere to privacy- or security-related representations (e.g., misrepresenting what personal information will be collected and/or how such information will be used and shared)
  • Collecting children’s personal information without first notifying parents and obtaining their consent (if subject to COPPA)
  • Mobile device tracking

Examples of FTC mobile app enforcement actions involving privacy misrepresentations include:

  • Path, Inc. (social networking app—deceptive representations in user interface and privacy policy regarding the collection of personal information from users’ mobile device contacts; also violated COPPA)16
  • Goldenshores Techs., Inc. (flashlight app—failed to adequately disclose that precise geolocation and persistent device identifiers were transmitted to various third parties, including advertising networks, when users ran the app, and misrepresented how much control users had over the collection and use of their data)17
  • Snapchat, Inc. (photo messaging app—deceptive representations about the disappearing nature of messages sent through the app, the amount of personal data collected, the collection of geolocation information, and security measures)18

Examples of FTC mobile app enforcement actions involving security misrepresentations include:

  • Fandango, Inc. (movie ticketing app—deceptive representations about security when, among other things, the developer overrode default SSL certificate validation settings without implementing other security measures)19
  • Credit Karma20 (credit monitoring app—same as above)21
  • Equiliv Investments, LLC (app developer falsely marketed an app as free from malicious software or viruses even though the purpose of the app was to load consumers’ mobile phones with malicious software in order to mine virtual currencies)22
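The Fandango and Credit Karma matters turned on a single configuration decision: the apps switched off the platform’s default certificate validation, so a network attacker could present any certificate and read or alter traffic that the apps’ marketing described as secure. The complaints do not reproduce the code, and the platform APIs involved differ from what follows. As an added example (not the respondents’ or the FTC’s code), the Python ssl module is used below as a stand-in to show the weak client configuration beside the correct one, plus a small check that flags the weak one during review. The function names and the finding texts are assumptions.

```python
import ssl
from typing import List, Optional

# Added example (not the FTC's or the respondents' code). The Python ssl
# module stands in for whatever platform API the apps overrode (assumption),
# to show the weak configuration beside the corrected one and a review check.


def insecure_client_context() -> ssl.SSLContext:
    """The anti-pattern from the complaints: chain validation and hostname
    checking switched off, so a certificate minted by an on-path attacker is
    accepted and the connection is TLS in name only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # no certificate chain validation at all
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Platform defaults plus a protocol floor. If the server uses a private
    CA (a common reason developers disable validation), point cafile at that
    CA bundle instead of turning verification off."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a reviewer would raise against a client context;
    an empty list means the context validates peers the way the defaults do."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain validation disabled: verify_mode is not CERT_REQUIRED")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled: check_hostname is False")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions allowed: raise minimum_version")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or ["no findings"])
```

The check is deliberately mechanical: the settings it inspects are the same ones a developer flips when a test server’s certificate fails to validate, which is how this defect usually enters an app. Wiring a check like this into CI, or grepping a code base for the platform’s equivalent of CERT_NONE, catches it before it reaches a marketing claim about security.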

Examples of FTC mobile app enforcement actions involving COPPA violations include:

  • Yelp Inc. (app was subject to COPPA where thousands of users registered for Yelp, the online review site, through its mobile app and were asked to provide their date of birth during the registration process)23
  • LAI Systems, LLC (allowed third-party advertisers to collect children’s personal information, namely, persistent identifiers, without informing the ad networks that the apps were directed to children and failed to comply with COPPA’s parental notice and consent requirements)24

Examples of FTC mobile app enforcement actions involving mobile device tracking include:

  • Nomi Techs., Inc. (analytics company misrepresented that it would provide an in-store mechanism for consumers to opt out of tracking and that consumers would be informed when retail stores were using its tracking technology)25
  • InMobi Pte Ltd. (mobile advertising company misrepresented that its advertising software would only track consumers’ locations and serve geo-targeted ads when they opted in and in a manner consistent with their device’s privacy settings; also violated COPPA)26

Other FTC Developments

The FTC hosted a workshop in November 2015 on cross-device tracking for advertising and marketing purposes to examine the practice and its potential wide-ranging effects on consumer privacy.27

In March 2016, the FTC issued warning letters to 12 app developers whose apps included software, known as Silverpush, that can monitor a device’s microphone to listen for audio signals embedded in television advertisements. The software can then build a detailed log of the television content viewed while a user’s device is on, for targeted advertising and analytics purposes. Silverpush was not then in use in the United States.

In the letters, the FTC warned that, should the software begin to be used in the United States, the developers could be in violation of Section 5 of the FTC Act if their statements or user interface imply that the apps do not collect or transmit television viewing data when in fact they do.28

Self-Regulatory Initiatives

Many organizations have provided guidance on mobile app privacy issues to app developers and others in the industry (such as mobile ad networks) through various initiatives, including written best practices. While such best practices are voluntary, they may be useful resources in addressing privacy issues in the mobile app context. Examples of organizations that have issued best practices include the following:

National Telecommunications & Information Administration (NTIA). NTIA is an agency of the U.S. Department of Commerce that serves as the President’s principal adviser on telecommunications and information policy. It developed a voluntary code of conduct, through a multi-stakeholder process, to promote transparency in mobile apps’ privacy practices. The code of conduct is directed to app developers and publishers. It includes a short form notice on data collection and sharing, specifies how the notice should be implemented, and requires linkage to the app’s data usage policy, terms of use, and/or long form privacy policy.29

The FTC has indicated that, for purposes of enforcement actions, it will look favorably on companies that adhere to NTIA’s code of conduct.30

Digital Advertising Alliance (DAA). The DAA is a consortium of national advertising and marketing trade associations. Participating associations include the American Association of Advertising Agencies (AAAA), the American Advertising Federation (AAF), the Association of National Advertisers (ANA), the Better Business Bureau (BBB), the Direct Marketing Association (DMA), the Interactive Advertising Bureau (IAB), and the Network Advertising Initiative (NAI).

In July 2013, the DAA issued guidance explaining how its previously issued principles31 apply to certain types of data in the mobile website and application environment, including cross-app data, precise location data, and personal directory data.32 The DAA issued additional guidance in November 2015 regarding the use of multi-site data and cross-app data across devices.33

The DAA’s principles are enforced by the DMA and the Council of Better Business Bureaus (CBBB) via an independent Accountability Program. Enforcement of the Mobile Guidance began in September 2015, with the first enforcement decision (involving Spinrilla, a mobile app that streams hip-hop music) issued in May 2016.34

Future of Privacy Forum (FPF) and Center for Democracy & Technology (CDT). FPF is a think tank focused on advancing responsible data practices, and CDT is a 501(c)(3) nonprofit organization whose mission is to promote an open, innovative, and free Internet. FPF and CDT co-authored best practices for app developers in building privacy into apps, including the issues of notice and transparency, control and choice, COPPA compliance, data retention and security, and accountability.35

Lookout Mobile Security. Lookout is a mobile security company. It published guidelines to help standardize privacy practices for in-app mobile ads. The guidelines are directed at app publishers/developers and ad providers (i.e., ad networks, mobile ad mediation layers, and ad exchanges).36

Electronic Frontier Foundation (EFF). EFF is a 501(c)(3) nonprofit organization that aims to defend civil liberties in the digital world. Its guidance is primarily directed to app developers and includes (1) a mobile user bill of rights and (2) technical practices that developers should implement to preserve user privacy.37

Mobile Marketing Association (MMA). MMA is a global trade association for the mobile industry. It issued guidelines for app developers to consult when drafting mobile app privacy policies, including (1) annotated guidance on core privacy principles, (2) suggested consumer-friendly language, (3) ways to inform users on how data is collected and used, and (4) guidance on security and confidentiality.38

GSM Association (GSMA). GSMA is a global trade association for the mobile industry. Its guidance is directed to the various stakeholders in the industry, including service or app providers, mobile operators, handset manufacturers, and operating system or other software providers. The guidance contains a set of universal high-level privacy principles that detail how consumers’ privacy should be respected and protected when they use mobile apps and services that access, collect, and use personal information.39

Note that the International Association of Privacy Professionals (IAPP) Westin Research Center has developed a Mobile App Privacy Tool40 that compares some of the guidelines discussed above, as well as guidance from the FTC, California AG, and international authorities.

Sector-Specific Privacy Regulations

Certain industry-specific privacy regulations may apply to mobile apps, depending on the industry and the type of information collected. Notable industry-specific laws include:

  • Health Insurance Portability and Accountability Act (HIPAA)— health information
  • Children’s Online Privacy Protection Act (COPPA)—child-directed content
  • Gramm-Leach-Bliley Act (GLBA)—financial products or services
  • Fair Credit Reporting Act (FCRA)—consumer credit reports41
  • Video Privacy Protection Act (VPPA)—videotape service providers (including providers of online video streaming)

A brief overview of HIPAA, COPPA, and the VPPA in the mobile app context is provided below.

Health Insurance Portability and Accountability Act (HIPAA)

A mobile app is subject to HIPAA if:

  • The owner or operator of the app is a covered entity or business associate.
  • The app collects and/or stores protected health information (PHI).

Covered entities are health care providers that conduct certain electronic transactions, health plans, and health care clearinghouses. Business associates are persons or entities that perform certain functions, activities, or services for or on behalf of a covered entity that involve the creation, receipt, maintenance, or transmission of PHI (such as claims processing, billing, and data analysis).42

PHI is individually identifiable health information that is transmitted or maintained in any form or media (e.g., electronic, paper, oral). The information must have been created or received by a covered entity or employer and must relate to either:

  • The past, present, or future physical or mental health or condition of an individual
  • The provision of health care to an individual
  • The past, present, or future payment for the provision of health care to an individual43

Other laws may also apply to mobile health apps, including:

  • The Federal Food, Drug, and Cosmetic Act (which regulates the safety and effectiveness of medical devices, including certain mobile medical apps)
  • The FTC’s Health Breach Notification Rule
  • The FTC Act44
  • State health privacy laws (e.g., the California Confidentiality of Medical Information Act)

The FTC (in conjunction with other federal agencies) has issued guidance for developers of mobile health apps, including a web-based interactive tool to help developers understand which federal laws and regulations might apply to their apps.45

Children’s Online Privacy Protection Act (COPPA)

The Children’s Online Privacy Protection Act (COPPA)46 regulates the collection and use of personally identifiable information (PII) of children under the age of 13. The FTC is the primary agency that enforces COPPA and has issued implementing regulations,47 known as the COPPA Rule.

The FTC has confirmed that the language of COPPA is broad enough to apply to mobile apps. Specifically, the agency has taken the position that mobile apps are “online services” covered by COPPA because they “send and/or receive information over the Internet.”48 The FTC has also issued guidance on privacy disclosures in kids’ mobile apps.49 COPPA is discussed in detail later in this edition.

Video Privacy Protection Act (VPPA)

The Video Privacy Protection Act (VPPA) restricts videotape service providers (including providers of online video streaming such as Netflix and Hulu) from knowingly disclosing the personally identifiable information (PII) of consumers (i.e., renters, purchasers, or subscribers). Violations of the VPPA may be enforced via a private civil action, with liquidated damages of not less than $2,500 per violation.50 Courts have disagreed on whether persons who download and use free mobile apps to view freely available content qualify as “subscribers,” and thus “consumers,” under the VPPA.51 Courts have also disagreed as to what constitutes PII for the purposes of the VPPA.52

Mark W. Brennan is a partner in the Washington, D.C. office of Hogan Lovells US LLP, and his practice spans communications technology and privacy issues.

To find this article in Lexis Practice Advisor, follow this research path:

RESEARCH PATH: Intellectual Property & Technology > Privacy & Data Security > Privacy & Data Security Compliance > Practice Notes > Complying with Privacy & Data Security Laws

Related Content

For additional information on privacy policies and the laws and regulations applicable to such policies, see


RESEARCH PATH: Intellectual Property & Technology > Privacy & Data Security > Drafting Privacy Policies > Practice Notes > Drafting Privacy Policies

For a detailed discussion on privacy and the Gramm-Leach-Bliley Act (GLBA), see


RESEARCH PATH: Intellectual Property & Technology > Privacy and Data Security > Privacy & Data Security Compliance > Practice Notes > Complying with Privacy & Data Security Laws

For an overview of the major privacy and data security laws in the United States and their impact on contractual arrangements between technology companies, see


RESEARCH PATH: Intellectual Property & Technology > Privacy and Data Security > Privacy & Data Security Compliance > Practice Notes > Complying with Privacy & Data Security Laws

1. Federal Trade Commission Act (FTC Act), 15 U.S.C. § 45(a).
5. Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (Mar. 2012).
10. Federal Trade Commission, Mobile Privacy Disclosures: Building Trust Through Transparency (Feb. 2013).
11. Mobile App Developers: Start with Security, FTC (Feb. 2013).
12. Marketing Your Mobile App: Get It Right from the Start, FTC (Apr. 2013).
13. FTC Act, 15 U.S.C. § 45(a).
14. COPPA, 15 U.S.C. §§ 6501–6506.
15. FCRA, 15 U.S.C. § 1681.
27. See FTC, Press Release, FTC Announces Final Agenda, Panelists for Nov. 16 Cross-Device Tracking Workshop (Nov. 3, 2015).
28. FTC, Press Release, FTC Issues Warning Letters to App Developers Using ‘Silverpush’ Code (Mar. 17, 2016).
29. NTIA, Short Form Notice Code of Conduct to Promote Transparency in Mobile App Practices (July 2013).
30. Federal Trade Commission, Mobile Privacy Disclosures: Building Trust Through Transparency (Feb. 2013).
31. DAA, Self-Regulatory Principles for Online Behavioral Advertising, and Self-Regulatory Principles for Multi-Site Data.
32. DAA, Application of Self-Regulatory Principles to the Mobile Environment (July 2013) (Mobile Guidance).
33. DAA, Application of the Self-Regulatory Principles of Transparency and Control to Data Used Across Devices (Nov. 2015).
34. Spinrilla LLC, Case No. 61-2016, Decision (May 4, 2016).
35. FPF and CDT, Best Practices for Mobile Application Developers (July 2012).
36. Lookout Mobile Security, Mobile App Advertising Guidelines (June 2012).
37. EFF, Mobile User Privacy Bill of Rights (Mar. 2012).
38. MMA, Mobile Application Privacy Policy Framework (Jan. 2012).
39. GSMA, Mobile Privacy Principles (Jan. 2011).
40. IAPP Westin Research Center, Mobile App Privacy Tool.
41. The Gramm-Leach-Bliley Act (GLBA) and Fair Credit Reporting Act (FCRA) are discussed further in the complete version of this article in Lexis Practice Advisor.
42. 45 C.F.R. § 160.103.
43. Id.
44. Federal Trade Commission Act (FTC Act), 15 U.S.C. § 45(a).
45. FTC, Mobile Health App Developers: FTC Best Practices (Apr. 2016), and FTC, Mobile Health Apps Interactive Tool (Apr. 2016).
46. Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506.
47. 16 C.F.R. § 312.1.
48. W3 Innovations Complaint (mobile app developer violated COPPA and the FTC’s COPPA Rule by collecting and disclosing children’s personal information without prior parental consent).
49. Federal Trade Commission, Mobile Apps for Kids: Current Privacy Disclosures Are Disappointing (Feb. 2012), and Federal Trade Commission, Mobile Apps for Kids: Disclosures Still Not Making the Grade (Dec. 2012).
50. 18 U.S.C. § 2710.
51. Compare Ellis v. Cartoon Network, Inc., 803 F.3d 1251 (11th Cir. 2015) (finding that people who download and use free mobile apps to view freely available content are not subscribers, even though monetary payment is not a necessary element of subscription, because “there is no ongoing commitment or relationship between the user and the entity which owns and operates the app”), with Yershov v. Gannett Satellite Info. Network, Inc., 2016 U.S. App. LEXIS 7791 (1st Cir. Apr. 29, 2016) (reaching the opposite conclusion and also holding that the GPS coordinates of a mobile device constitute PII).
52. Compare Ellis v. Cartoon Network, Inc., 803 F.3d 1251 (11th Cir. 2015) (finding that an Android ID was PII in the context of a fact-based analysis coupled with statutory interpretation), with In re Nickelodeon Consumer Privacy Litig., 2016 U.S. App. LEXIS 11700 (3d Cir. June 27, 2016) (concluding that information is only PII if an ordinary person can identify the specific watcher of a video).