Which Privacy Laws Apply to App Developers?*
There is no omnibus federal privacy law in the United States, and there is no U.S. privacy law specifically applicable to Applications. However entities that collect, use, share and/or retain personal information – including App Developers – are subject to various privacy laws at both federal and state levels, including those that apply based on the nature of the data involved, such as financial, health or children’s data.[i]
Below is an overview of the privacy laws that apply to App Developers. Also, check out this Mashable article listing four general legal considerations to make when developing a mobile app.
Section 5 of the FTC Act: The Prohibition Against False or Deceptive Practices
Section 5 of the Federal Trade Commission (FTC) Act, 15 U.S.C. § 45(a), prohibits and makes unlawful “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce.” The FTC enforces against companies that make privacy promises in privacy policies, but fail to keep those promises. That is, the companies collect, use, share or retain personal information in a way that is inconsistent with the representations they made in their privacy policies.[ii] The FTC also has enforced against companies whose privacy policies do not adequately inform consumers about the company’s actual practices.[iii] To the extent mobile Apps similarly contain privacy policies and consumer representations about personal information, the FTC is empowered to take similar enforcement action against App Developers.
Sector Specific Privacy Laws
Various federal laws govern the privacy of specific kinds of personal information.
Examples include the federal Health Insurance Portability and Accountability Act (HIPAA), which governs health data collected by covered entities; the Gramm-Leach-Bliley (GLB) Act, which covers financial data; and the Children’s Online Privacy Protection Act (COPPA), which covers data collected from children under 13. To the extent an App is covered by one of these laws because of its functions and the data it collects, that law is an App privacy law.
State Privacy Laws
In addition to laws enacted at the federal level, states also have privacy and data security laws.
Most states have so-called “mini-FTC Acts” under which they have authority similar to that of the FTC to take enforcement actions in response to unfair or deceptive trade practices. This could include tracking consumers without proper notice or when a promise has been made not to track consumer behavior.[iv] A number of state attorneys general have been vigilant in enforcing against entities collecting personal information from consumers.
Some states have specific privacy laws covering particular kinds of data and data collection, such as California.[v] It would appear that many of these specific laws apply to Apps and the companies that operate them.
Forty-six states also have data security breach notification laws that require entities holding personal data to provide notices in the event of a breach of the security of that data. Those laws apply regardless of how the data was collected, so data collected by an App that is subject to a security breach will trigger notification obligations. Certain states impose specific data security obligations as well.
Private party litigation is not a significant source of legal rules applicable to App privacy.
As a general matter, plaintiffs’ class action attorneys attempting to bring civil actions against companies alleged to have violated consumer privacy rights by improperly collecting, using, sharing or retaining personal information have been unsuccessful. The cases either have been settled by defendants for relatively modest amounts to avoid the cost of litigation and/or undue publicity, or have failed because of the absence of legally cognizable damages flowing from the alleged misuse of the personal data.[vi]
A number of privacy lawsuits concerning Apps and privacy are pending, but none have proceeded past the preliminary stage.
Proposals for Improvements to Privacy and Their Impact on Legal Obligations
In December 2010, both the staff of the FTC and the US Department of Commerce (DOC) issued preliminary reports proposing significant improvements in the way businesses handle consumer information and changes in the controls consumers should have over their information. As these reports ripen into final versions, which are expected later in 2011, App Developers should take the contents into account as they implement privacy protections for mobile Apps.
The draft FTC Staff Report, entitled “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers”[vii] (FTC Report), makes clear that the agency’s existing privacy framework, developed by over forty years of FTC guidance and enforcement (e.g., Fair Information Practice Principles, notice-and-choice models), remains in place. The FTC Report, however, makes equally clear that improvements to the existing framework are necessary given technological advances in the collection, use, sharing, and retention of information about consumers by businesses, and signals the direction that the FTC staff believes privacy protections should move in the future.[viii]
The new framework, which the FTC staff stated should apply to all businesses that collect, maintain, share, or otherwise use consumer data either online or offline, contains three top-level maxims:
- Privacy by Design: Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services. This includes incorporating substantive privacy protections – such as data security and retention practices – into business processes and maintaining comprehensive data management procedures throughout the lifecycle of products and services (Note: in the mobile context, the FTC used as an example that if a mobile App is providing traffic and weather information to a consumer based on his or her location information, it does not need to collect contact lists or call logs from the consumer’s device[ix]).
- Increasing Consumer Transparency: Companies should increase the transparency of their data practices, such as by (i) clarifying, shortening, and standardizing privacy notices; (ii) providing reasonable access to the consumer data they maintain; (iii) providing prominent disclosures and obtaining affirmative express consent before using consumer data in a materially different manner than claimed when the data was collected; (iv) obtaining affirmative express consent when sensitive information such as financial information is collected and used for online behavioral advertising; and (v) working to educate consumers about commercial data privacy practices.
The Department of Commerce “Green Paper” entitled “Privacy and Information Innovation: A Dynamic Privacy Framework for the Internet Age,”[xi] (DOC Green Paper) argued that preserving consumer privacy online, and thereby bolstering consumer trust in the Internet, is essential for businesses to succeed online.[xii] Like the draft FTC Staff Report, the DOC Green Paper proposed strengthening privacy principles, including by enhancing transparency, encouraging greater detail in purpose specifications and use limitations, and fostering the development of verifiable auditing and accountability programs.
As mentioned above, both the draft staff FTC Report and the DOC Green Paper are expected to affect and influence U.S. privacy law and enforcement in the coming years, including with respect to mobile Apps.
Selected International Privacy Laws
Unlike the US, EU privacy regulation stems from a “fundamental rights” approach. Rather than regulating practices to avoid specific “harms,”[xiii] the EU regulatory framework is designed to preserve privacy rights outlined in the EU Charter and various Directives of the European Commission (EC). Individual EU member states promulgate their own data protection rules but those rules must substantially adopt the principles of the various EC Directives. For example, Directive 95/46/EC, also known as the Data Protection Directive, focuses on protecting the fundamental rights of individuals to be informed about and exercise control over the processing of their personal information.[xiv] It requires each member state to pass a “data protection” law adopting the thrust of the Directive’s principles. The Data Protection Directive imposes obligations to inform individuals of how their data are being used/processed.[xv] Generally speaking, data cannot be used for purposes further than originally specified without additional consent.[xvi]
The basic premise of all Canadian private sector privacy statutes, including PIPEDA, is that an organization must obtain informed consent from the individual to any collection, use, or disclosure of personal information unless an exemption from the consent requirement applies. Personal information is defined as information about an identifiable individual; anonymized or aggregated information is therefore not personal information unless it is reasonably possible that the information can be de-anonymized or otherwise used to identify an individual person, whether through combination with other information or otherwise.
Data protection in Hong Kong is regulated by the Personal Data (Privacy) Ordinance (PDPO). The essence of the legislation for the purposes of this advice is that personal data may be used for the purposes for which it was collected. Data subjects must be given notice of those purposes at the time of collection. Data may also be used for other purposes if the data subject subsequently consents to those uses, and for “incidental purposes” as well.
* This material is not intended as legal advice and may not be relied on as such. It is presented here to outline the privacy laws potentially applicable to apps.
[iii] See, e.g., Sears Holdings Mgmt. Corp., FTC File No. 082-3099 (2009), available at http://www.ftc.gov/opa/2009/06/sears.shtm (obtaining a consent decree from a company that did not adequately disclose to consumers participating in a promotion that it would download tracking software onto their computers that collected extensive amounts of information about them, including sensitive information such as the contents of encrypted web visits to the websites of their financial institutions); Nat’l Research Ctr. for College & Univ. Admissions, Inc., FTC File No. 022-3005 (2003), available at http://ftc.gov/opa/2003/01/fyi0308.shtm (settlement of enforcement action against company that claimed it was only sharing information collected from participating high school students with colleges and universities, when in fact it was also selling the information to commercial entities for marketing purposes).
[iv] See, e.g., Connecticut Unfair Trade Practices Act, Conn. Gen. Stat. §§ 42-110a – 42-110q (specifically noting § 42-110b, “Unfair trade practices prohibited” which resembles 15 U.S.C. § 45(a)).
[viii] The FTC also supported a “Do Not Track” mechanism that could be advanced either by legislation or enforceable industry self-regulation. Such a mechanism would require businesses to comply with a consumer’s centralized opt-out of online behavioral tracking.
[ix] FTC Report at 46.
[x] The FTC also sought further comment on effective ways to obtain informed consent in the mobile context, given the multiple parties involved in the data collection and the smaller screen. Id. at 60-61, 70-72, A-3, A-5.
[xi] U.S. Dep’t of Commerce Internet Pol’y Task Force, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework (Dec. 16, 2010), available at http://ntia.doc.gov/reports/2010/IPTF_Privacy_GreenPaper_12162010.pdf.
[xii] The Green Paper was authored by the Internet Policy Task Force at DOC – a joint effort of the Office of Commerce Secretary Gary Locke, the National Telecommunications and Information Administration (NTIA), the International Trade Administration, and the National Institute of Standards and Technology.
[xiii] See US Legal Analysis memorandum (Part 2 of 4), § III.A.2.c.i.(a).
[xiv] See, e.g., 1995 O.J. (L 281) 32, available at http://ec.europa.eu/justice_home/fsj/privacy/law/index_en.htm (“Directive 95/46/EC”) (“[w]hereas the object of the national laws on the processing of personal data is to protect the fundamental rights and freedoms, notably the right to privacy . . .”).
[xv] See Directive 95/46/EC at 33 (“. . . in the right conferred on individuals, the data on whom are the subject of processing, to be informed that processing is taking place, to consult the data, to request corrections and even to object to processing in certain circumstances”); see also Directive 95/46/EC at 42 (“Member States shall guarantee every data subject the right to obtain from the controller . . . confirmation as to whether or not data relating to him are being processed . . . .”).
[xvi] See Directive 95/46/EC at 34 (“whereas the purposes of processing further to collection shall not be incompatible with the purposes as they were originally specified”).