The Federal Trade Commission kicked off the month of February with the release of a staff report on mobile privacy disclosures, a settlement decree with social networking app, Path, and a security education guide for app developers.
In the staff report titled, Mobile Privacy Disclosures: Building Trust Through Transparency, the Commission recommends various ways that key players in the mobile app ecosystem can better inform consumers about their data practices. The Commission offers recommendations for the different parties in the ecosystem based on current initiatives and practices. For app developers, the report specifically recommends:
- Provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information;
- Improve coordination and communication with ad networks and other third parties that provide services for apps, such as analytics companies, so the app developers can better understand the software they are using and, in turn, provide accurate disclosures to consumers;
- Consider participating in self-regulatory programs, trade associations, and industry organizations, which can provide guidance on how to make uniform, short-form privacy disclosures.”
The Commission also offers an incentive to developers, stating that it would favorably view adherence to a good NTIA privacy code when considering future enforcement actions.
We found the simultaneous announcement of a consent decree with Path to provide some interesting takeaways for developers. As some of you may know, Path was called out last year for automatically collecting and storing users’ contacts on the iOS version of their app. The app included an “Add Friends” feature that displayed the option of finding friends from your address book. However, as the Commission found in its complaint, Path “automatically collected and stored personal information from the user’s mobile device contacts even if the user had never selected the ‘Find friends from your contacts’ option. As a result, the user had no meaningful choice as to the collection and storage of personal information from the user’s mobile device contacts, and the user interface options were illusory.”
It’s interesting to note that the enforcement action focused only on the iOS version of the app. Android automatically displays the permissions that an app requests at application install time. The Android Path app was therefore not found to be in violation because Android had already taken care of providing notice. In calling for “just-in-time” notices, however, the FTC appears to be favoring the Apple model of triggering pop-ups at the point in time that the particular information is being requested. Indeed, post this snafu, Apple added pop up permissions for contacts as well as four other categories.
As devices add new sensors and collect new types of information, it’s not yet clear whether the Android “declare-it up-front” model or the Apple “just-in-time” model will better serve consumers. Too much transparency in the form of pop ups may be interruptive and intrusive, but inadequate transparency can be considered legally deceptive. The ideal solution will likely be a design that manages to provide a snapshot of key information up front and just-in-time notices in special circumstances. Standardization here will be useful and we are optimistic that the NTIA effort is heading towards a balance of both usability and transparency.