On February 1, the Federal Trade Commission (FTC) issued a staff report entitled Mobile Privacy Disclosures: Building Trust Through Transparency. In releasing this report, the FTC aimed to put in place “best practices” for mobile privacy disclosures. The FTC recognized several key themes arising from issues surrounding mobile privacy:
-The lack of consumer awareness and understanding relating to “current information collection and use practices occurring on mobile devices.”
-The importance of the design of privacy disclosures in addressing the limitations of small screens.
-The key role of platforms in deciding how information is conveyed to consumers, and the control they have over application developers.
The FTC organized their best practice recommendations by industry participant—platforms, app developers, third parties, and app trade associations—which is the order in which I will summarize the findings here.
Platforms:
A mobile platform, also called a mobile OS (mobile operating system), is the virtual base on which mobile devices operate. As the FTC states, “platforms such as Apple, Google, Amazon, Microsoft, and Blackberry are gatekeepers to the app marketplace and possess the greatest ability to effectuate change with respect to improving mobile privacy disclosures.” In this report, the FTC advanced four recommendations for consideration by platforms:
-Platforms have developed individual APIs (application programming interfaces), which allow applications to “access standard categories of content on a mobile device,” and put platforms in a position to easily allow for consistent disclosures across apps. The FTC further recommends that the disclosures should be made at multiple points in time:
  -Platforms should provide “Just-in-Time Disclosures” and obtain affirmative express consent from consumers. A “Just-in-Time” disclosure would occur just before the time when the information would be collected by the application.
  -Platforms should provide a “Privacy Dashboard” to allow consumers to determine “which apps have access to which data and to revisit the choices they initially made about apps.”
  -Platforms should explore the use of icons, so that consumers can clearly see when data is being collected.
-Platforms should oversee the privacy practices of applications. The FTC recommends adding “provisions to their contracts with app developers requiring them to provide just-in-time disclosures and obtain affirmative express consent before collecting or sharing sensitive data,” and reasonably enforcing these provisions.
-Platforms should disclose to consumers the review process an application undergoes before it is available in the application store.
-Platforms should provide a DNT (Do Not Track) option for consumers so that the decision does not have to be made on an “app-by-app basis.”
App Developers:
The FTC provides an outline of recommendations for application developers as follows:
-Application developers should provide “just-in-time” disclosures and obtain affirmative express consent when collecting “sensitive information outside the platform’s API.”
-Application developers “should improve coordination with ad networks and other third parties that provide services for apps” in order to provide consumers with more accurate and truthful disclosures.
-Application developers “should consider participating in self-regulatory programs” and other like organizations, so that uniform short-form privacy disclosures can be drafted.
Advertising Networks and Other Third Parties:
The FTC points out that advertising networks and other third parties that provide services for applications need to work with the developers in order to provide consumers with more accurate disclosures.
App Trade Associations:
The FTC believes that application trade associations can serve to promote transparency within the field of mobile privacy. The recommendations here include:
-Developing standardized icons to depict application privacy practices.
-Developing “badges” (or short standard disclosures, in general) that can appear within advertisements for applications or the application itself.
-Developing “ways to have more standardization within app privacy policies.”
The FTC recognizes that the mobile technology field is rapidly expanding, and with this expansion come risks to consumer privacy. In my opinion, these guidelines have an overarching theme: standardization. I believe that the FTC’s emphasis on standardization within the mobile industry will soon allow consumers to make more educated decisions regarding the information they provide (willingly or not) on their mobile devices.