By: Mark W. Brennan, Hogan Lovells US LLP.
As the use of mobile devices such as smartphones and tablets has become increasingly prevalent, mobile applications (mobile apps or apps) have also proliferated. Consumers use mobile apps to access social networks, conduct online banking, play games, listen to music, take photos and videos, find nearby restaurants or stores, monitor health and wellness, and perform many other day-to-day activities.
However, mobile apps may pose numerous privacy concerns due to the vast amount of personal information that may be collected, used, and shared by the millions of apps in the marketplace. These concerns are augmented by the nature of mobile devices, which can store sensitive data not typically found on computers (such as geolocation information, contacts, text messages, and call logs) and have small screens that can make it more difficult to communicate privacy practices and user choices effectively.
This article discusses the key privacy issues that app developers and others in the community should take into account when designing, developing, and marketing mobile apps, including:
The FTC has broad authority to regulate and enforce privacy under Section 5 of the Federal Trade Commission Act (FTC Act), which prohibits unfair or deceptive acts or practices in commerce.1 The FTC has issued various guidance documents addressing privacy and data security issues in the mobile app context, including:
The FTC’s guidance, while not legally binding, signals the agency’s views on mobile app privacy and, as such, should be carefully considered by those in the mobile app community (such as app developers, platform providers, advertising networks and other third parties, and stakeholder trade associations). These guidance documents are discussed in further detail below, followed by notable FTC enforcement actions involving mobile apps. For more on the Kids App Reports and Mobile Shopping Apps Report, please go to the full article in Lexis Practice Advisor.
The FTC’s Privacy Report, issued in March 2012, recommended the following best practices for companies that collect or use consumer data that may be reasonably linked to a specific consumer, computer, or other device:
The FTC indicated that these principles do not apply when (1) data is not reasonably linkable or (2) a company collects only non-sensitive data from fewer than 5,000 consumers per year and does not share that data with third parties.
Data is not reasonably linkable if a company:
The FTC also encouraged companies in the mobile services sector to work toward improved privacy protections (including developing short, meaningful disclosures). It specifically highlighted mobile privacy as an area on which it would continue its focus.
Mobile Privacy Disclosures Report
The FTC’s Mobile Privacy Disclosures Report, issued in February 2013, recommended best practices for:
The FTC’s recommendations for each industry participant are discussed in further detail below.
The FTC noted that platforms are the gatekeepers to the app marketplace and are in a unique position to convey privacy information to consumers. It therefore recommended that platforms:
The FTC recommended that app developers:
The FTC noted that ad networks and analytics providers typically supply source code to app developers to facilitate advertising or analytics within an app, but developers rarely understand how the code functions. It therefore encouraged greater communication and coordination among these parties so that developers can provide truthful and complete disclosures to consumers. It also recommended working with platforms to ensure effective implementation of a mobile Do Not Track system.
The FTC recommended that trade associations:
Mobile App Security Guide
In February 2013, the FTC issued guidance on mobile app security for app developers. While the FTC acknowledged that there is no one-size-fits-all approach, it indicated that it expects developers to adopt and to maintain reasonable data security practices.
The FTC’s tips for mobile app security include:
Mobile App Marketing Guide
The FTC issued its Mobile App Marketing Guide in April 2013, offering general guidelines to app developers on complying with truth-in-advertising and basic privacy principles. Specifically, the FTC recommended that app developers:
FTC Enforcement Actions Involving Mobile Apps
The FTC has brought a number of enforcement actions against mobile app developers and others in the industry for unfair or deceptive acts or practices in violation of the FTC Act13 and/or violations of other statutes within the FTC’s authority, such as COPPA14 and the Fair Credit Reporting Act (FCRA).15
The following types of practices have been targeted by the FTC:
Examples of FTC mobile app enforcement actions involving privacy misrepresentations include:
Examples of FTC mobile app enforcement actions involving security misrepresentations include:
Examples of FTC mobile app enforcement actions involving COPPA violations include:
Examples of FTC mobile app enforcement actions involving mobile device tracking include:
Other FTC Developments
The FTC hosted a workshop in November 2015 on cross-device tracking for advertising and marketing purposes to examine the practice and its potential wide-ranging effects on consumer privacy.27
In May 2016, the FTC issued warning letters to 12 app developers who installed a piece of software, known as Silverpush, in their apps that can monitor a device’s microphone to listen for audio signals that are embedded in television advertisements. The software can then create a detailed log of television content viewed while users’ devices are turned on, for targeted advertising and analytics purposes. Silverpush is not currently in use in the United States.
In the letters, the FTC warned that, should the software begin to be used in the United States, the developers could be in violation of Section 5 of the FTC Act if their statements or user interface imply that the apps do not collect or transmit television viewing data when in fact they do.28
Many organizations have provided guidance on mobile app privacy issues to app developers and others in the industry (such as mobile ad networks) through various initiatives, including written best practices. While such best practices are voluntary, they may be useful resources in addressing privacy issues in the mobile app context. Examples of organizations that have issued best practices include the following:
The FTC has indicated that, for purposes of enforcement actions, it will look favorably on companies that adhere to NTIA’s code of conduct.30
Digital Advertising Alliance (DAA). The DAA is a consortium of national advertising and marketing trade associations. Participating associations include the American Association of Advertising Agencies (AAAA), the American Advertising Federation (AAF), the Association of National Advertisers (ANA), the Better Business Bureau (BBB), the Direct Marketing Association (DMA), the Interactive Advertising Bureau (IAB), and the Network Advertising Initiative (NAI).
In July 2013, the DAA issued guidance explaining how its previously issued principles31 apply to certain types of data in the mobile website and application environment, including cross-app data, precise location data, and personal directory data.32 The DAA issued additional guidance in November 2015 regarding the use of multisite data and cross-app data across devices.33
The DAA’s principles are enforced by the DMA and the Council of Better Business Bureaus (CBBB) via an independent Accountability Program. Enforcement of the Mobile Guidance began in September 2015, with the first enforcement decision (involving Spinrilla, a mobile app that streams hip-hop music) issued in May 2016.34
Future of Privacy Forum (FPF) and Center for Democracy & Technology (CDT). FPF is a think tank focused on advancing responsible data practices, and CDT is a 501(c)(3) nonprofit organization whose mission is to promote an open, innovative, and free Internet. FPF and CDT co-authored best practices for app developers in building privacy into apps, including the issues of notice and transparency, control and choice, COPPA compliance, data retention and security, and accountability.35
Lookout Mobile Security. Lookout is a mobile security company. It published guidelines to help standardize privacy practices for in-app mobile ads. The guidelines are directed at app publishers/developers and ad providers (i.e., ad networks, mobile ad mediation layers, and ad exchanges).36
Electronic Frontier Foundation (EFF). EFF is a 501(c)(3) nonprofit organization that aims to defend civil liberties in the digital world. Its guidance is primarily directed to app developers and includes (1) a mobile user bill of rights and (2) technical practices that developers should implement to preserve user privacy.37
Mobile Marketing Association (MMA). MMA is a global trade association for the mobile industry. It issued guidelines for app developers to consult when drafting mobile app privacy policies, including (1) annotated guidance on core privacy principles, (2) suggested consumer-friendly language, (3) ways to inform users on how data is collected and used, and (4) guidance on security and confidentiality.38
GSM Association (GSMA). GSMA is a global trade association for the mobile industry. Its guidance is directed to the various stakeholders in the industry, including service or app providers, mobile operators, handset manufacturers, and operating system or other software providers. The guidance contains a set of universal high-level privacy principles that detail how consumers’ privacy should be respected and protected when they use mobile apps and services that access, collect, and use personal information.39
Note that the International Association of Privacy Professionals (IAPP) Westin Research Center has developed a Mobile App Privacy Tool40 that compares some of the guidelines discussed above, as well as guidance from the FTC, California AG, and international authorities.
Certain industry-specific privacy regulations may apply to mobile apps, depending on the industry and the type of information collected. Notable industry-specific laws include:
A brief overview of HIPAA, COPPA, and the VPPA in the mobile app context is provided below.
Health Insurance Portability and Accountability Act (HIPAA)
A mobile app is subject to HIPAA if:
Covered entities are health care providers that conduct certain electronic transactions, health plans, and health care clearinghouses. Business associates are persons or entities that perform certain functions, activities, or services for or on behalf of a covered entity that involve the creation, receipt, maintenance, or transmission of PHI (such as claims processing, billing, and data analysis).42
PHI is individually identifiable health information that is transmitted or maintained in any form or media (e.g., electronic, paper, oral). The information must have been created or received by a covered entity or employer and must relate to either:
Other laws may also apply to mobile health apps, including:
The FTC (in conjunction with other federal agencies) has issued guidance for developers of mobile health apps, including a web-based interactive tool to help developers understand which federal laws and regulations might apply to their apps.45
Children’s Online Privacy Protection Act (COPPA)
The Children’s Online Privacy Protection Act (COPPA)46 regulates the collection and use of personally identifiable information (PII) of children under the age of 13. The FTC is the primary agency that enforces COPPA and has issued implementing regulations,47 known as the COPPA Rule.
The FTC has confirmed that the language of COPPA is broad enough to apply to mobile apps. Specifically, the agency has held that it views mobile apps as “online services” covered by COPPA because they “send and/or receive information over the Internet.”48 The FTC has also issued guidance on privacy disclosures in kids’ mobile apps.49 COPPA is discussed in detail later in this edition.
Video Privacy Protection Act (VPPA)
The Video Privacy Protection Act (VPPA) restricts videotape service providers (including providers of online video streaming such as Netflix and Hulu) from knowingly disclosing the personally identifiable information (PII) of consumers (i.e., renters, purchasers, or subscribers). Violations of the VPPA may be enforced via a private civil action, with statutory damages of up to $2,500 per violation.50 Courts have disagreed on whether persons who download and use free mobile apps to view freely available content qualify as “subscribers,” and thus “consumers,” under the VPPA.51 Courts have also disagreed as to what constitutes PII for the purposes of the VPPA.52
Mark W. Brennan is a partner in the Washington, D.C. office of Hogan Lovells US LLP, and his practice spans communications technology and privacy issues.