Providers of apps for mobile devices are just as responsible as other electronic commerce vendors in terms of protecting the privacy of customers. In a recent enforcement action, the Federal Trade Commission (FTC) signaled that mobile apps fall within the agency’s jurisdiction, and that it will not hesitate to investigate potential privacy violations associated with mobile apps.
The enforcement action involved a complaint against a publisher of electronic games, and it marked the first time the FTC initiated a privacy case involving apps for mobile devices.
W3 Innovations, through its Broken Thumbs Apps unit, developed and distributed mobile apps for the iPhone and iPod touch that allowed users to play games and share information online. Several of the apps were directed to children and were listed in the Games-Kids section of Apple’s App Store. There were more than 50,000 downloads of those apps, according to the FTC.
While the W3 Innovations case was largely based on provisions related to the Children’s Online Privacy Protection Act (COPPA), a key element in the case was FTC’s determination that mobile apps are subject to its jurisdiction regarding privacy protection for all users, regardless of age.
Not Just for Kids
“The case represents the FTC’s first enforcement action against a mobile app developer, and it seems to send a clear message that mobile app developers should follow the same rules as more traditional websites when it comes to consumer privacy issues and privacy policies, especially when marketing to children,” states Wildman, Harrold, Allen & Dixon in an analysis of the case posted online.
“There is no doubt that the evolution of consumer data privacy we are currently experiencing includes mobile,” Alan Friel, a partner with Wildman Harrold, told TechNewsWorld.
The FTC has more than just hinted that mobile apps of all types are on its regulatory radar screen. The W3 Innovations case arose “because we have been paying attention to that area,” Claudia Farrell, a spokesperson for the agency, told TechNewsWorld. Additional mobile app inquiries are in the pipeline at the FTC.
“Although the FTC does not enforce any special laws applicable to mobile marketing, the FTC’s core consumer protection law — Section 5 of the FTC Act — prohibits unfair or deceptive practices in the mobile arena,” David Vladeck, director of FTC’s Bureau of Consumer Protection, said at a Senate hearing last May.
The FTC “is making a concerted effort to ensure that it has the necessary technical expertise, understanding of the marketplace, and tools needed to monitor, investigate, and prosecute deceptive and unfair practices in the mobile arena,” Vladeck added.
The legal basis for FTC action on privacy leans heavily on the agency’s mandate to regulate deceptive practices — rather than a standard that relates to invasion of privacy per se.
“FTC actions to date with regard to adult consumer data privacy and security have dealt with companies that do not follow their own policies, or have misleading policies or no notice of their policies at all,” Friel said. Such deficiencies are considered deceptive practices.
Industry Active on Mobile Front
The issue of mobile apps privacy has suddenly become significant for online businesses. In early September, for example, the Software & Information Industry Association (SIIA) joined the Future of Privacy Forum’s Application Privacy Working Group and became a sponsor of FPF’s Application Privacy project.
SIIA’s participation with FPF is aimed at helping to develop voluntary privacy principles and best practices for mobile software applications. The goal is to lessen the likelihood of burdensome government regulation.
“Mobile app developers have a responsibility to create and disclose their privacy policies when they collect and use personal information. We are joining this effort out of the conviction that the industry does not need government regulation to move us in the direction of providing a trusted environment for our users,” said Mark MacCarthy, vice president of public policy at SIIA.
While the W3 Innovations case highlighted the mobile apps privacy issue, SIIA’s involvement with the FPF project was not solely based on the FTC’s action.
“The W3 case was focused on information about children and is generally applicable to all mobile app providers insofar as they collect information about children. The need for good privacy practices is broader than that, and it was this broader concern for good data protection practices that motivated SIIA to affiliate with the Future of Privacy Forum,” MacCarthy told TechNewsWorld.
“Continued growth and innovation in the vibrant mobile marketplace is dependent on consumer confidence in the privacy protections provided by mobile application providers. While many mobile application developers are transparent about their collection, use, and protection of consumer data, recent reports have indicated that this is not always the case,” MacCarthy said.
Mobile apps providers will need to keep a sharp eye on how privacy eventually is regulated.
Self-Regulation Questioned
“FTC leadership has been fairly vocal in expressing its dissatisfaction with the effectiveness of current self-regulatory efforts. Congress too has grown impatient, and a half dozen bills are under consideration that may result in greater regulatory authority for the FTC and requirements for greater transparency, choice, and security for consumers regarding their data, particularly regarding behavioral advertising, which tracks and targets consumer behavior and mobile,” Friel said.
The class action bar has brought more than 50 lawsuits this year dealing with online and mobile tracking or targeting, he noted. “The issue is not going away soon.”
In the W3 Innovations case, the apps developed by the company encouraged children to email their comments — such as “shout-outs” to friends and requests for advice — to a company-generated site. The FTC alleged that the publisher collected and maintained more than 30,000 email addresses in violation of federal regulations, including parental notice.
In addition, the FTC alleged that the defendants allowed children to publicly post comments, including personal information, on message boards.
Without admitting to the allegations, the company settled the case with the FTC on August 12. The firm consented to pay a US$50,000 penalty. The settlement also bars the company from future violations of the COPPA rule and requires the publisher to delete all personal information collected in violation of the FTC’s rules.
W3 “did not ask for or collect information about the age of our users because there was no technical or functional need for this information,” the company said in a statement provided to TechNewsWorld by Barry Reingold, an attorney with Perkins Coie.
W3 Innovations maintained that “any violations were inadvertent.”