The Federal Trade Commission (“FTC”) recently issued a staff report, Mobile Apps for Kids: Current Privacy Disclosures are DisAPPointing, discussing the results of a survey of mobile device applications (“Apps”) for children (the “Staff Report”). According to the FTC, the survey reveals that, in the majority of cases, neither the stores through which Apps are made available nor the developers of the Apps provide the information parents need to determine what data is being collected from their children, how it is being shared or who will have access to it.
The Staff Report shows how the number of available Apps has increased tremendously over the years. While there were approximately 600 Apps available in 2008, today there are over 500,000 Apps in the Apple App Store and more than 380,000 Android Apps. The Staff Report also contends that numerous children and teens are active App users. In addition to general audience Apps that are of interest to children and teens, there are many Apps that are intended specifically for children, including Apps that provide children with access to memory games, puzzles, flash cards and books, among other features.
In conducting the survey, the FTC randomly selected 200 of each of the top ranked 480 Apple and Android Apps. The FTC examined the types of Apps being made available to children, the disclosures that are made to App users, the extent to which Apps offer interactive features such as connectivity with social media, and the ratings and parental controls offered for such Apps. The FTC concluded that Apps are capable of automatically collecting a very broad range of user information, including the user's precise geo-location, phone number, list of contacts, call logs, unique identifiers and other information stored on the device. While Apps can automatically collect this information, the FTC claims that there is a paucity of information about App data collection and use practices.
As a result of the survey, the FTC made the following recommendations in the Staff Report:
- Stores, developers and third parties providing Apps (in short, all members of the so-called "kids app ecosystem") should play an active role in providing key information and disclosures to parents.
- App developers should provide data practices information in simple and short disclosures.
- Disclosures should address whether the App connects with social media and whether it contains ads. Third parties that collect data through Apps should disclose their privacy practices.
- App stores also should take responsibility for ensuring that parents have basic information. The Staff Report contends that the stores are the gatekeepers and should provide the means for developers to provide information about their data collection and sharing practices.
In the Staff Report, the FTC recognizes the challenges that App developers face in conveying all necessary disclosures in the limited screen space available on smartphones and related devices and asserts that further steps should be taken to identify the best way to communicate privacy policies in plain language and in easily accessible ways on the small screens of mobile devices. The FTC is planning on hosting a public workshop later this year to explore how companies can provide effective online disclosures. It is anticipated that one of the topics to be explored at this workshop will be how to effectively deliver privacy disclosures on mobile devices.
Companies that are involved in any way with mobile Apps, whether through development, distribution and/or marketing of such Apps, should pay close attention to the Staff Report. The FTC has been clear that it considers the Staff Report to constitute a “warning call” to the industry to provide more information about the privacy implications of Apps directed toward children. Specifically, stores, developers and third parties providing Apps should focus on the recommendations outlined in the Staff Report.
- App developers, distributors and marketers must ensure that adequate disclosures are made. Whenever data is collected, it is essential to provide sufficient information about the data collector’s privacy and data security practices. This is particularly important when data is being collected from children, because of the applicability of the Children’s Online Privacy Protection Act, as well as parents’ and regulators’ particular sensitivities about children’s privacy concerns.
- Companies should also pay attention to the format and content of their disclosures. To increase the likelihood that disclosures will be read and understood, companies should focus on providing the relevant information in simple and short disclosures.
- Don’t forget about social media. The integration of websites and mobile Apps with social media has become so commonplace that there is a risk of it being overlooked in one’s disclosures. However, as the FTC reminds us, App disclosures should inform users of the extent to which the App connects with social media and whether the App contains any third-party advertisements.
More generally, developers and providers of general audience Apps should also analyze their data collection and use practices, as well as the privacy policies and disclosures for their Apps. The Staff Report comes at a time of increased focus on Apps across the board. Last month, California State Attorney General Kamala Harris (D) announced an agreement with six mobile App platform providers aimed at encouraging App developers to provide more accessible privacy policies. More recently, the Electronic Frontier Foundation proposed a Mobile Use Privacy Bill of Rights. Lastly, Senator Charles Schumer (D-NY) has asked the FTC to investigate Apple and Google for allowing Apps to access photographs and address books of mobile users.
All of these developments suggest that there will be a continued focus on Apps and privacy in the near future.