In recent months, there have been notable developments involving privacy for mobile applications (“apps”), a number of which have important implications for app developers, distributors and marketers. On February 22, the California Attorney General announced an agreement, developed with Apple, Google, Microsoft and three other mobile platform companies, that effectively establishes nationwide, enforceable standard privacy policies for mobile apps. A day later, the White House announced its proposal for a Consumer Privacy Bill of Rights as part of a framework for regulating how private-sector entities handle personal data in commercial transactions involving networked technology.
Both of these initiatives are intended to strengthen consumer data privacy protections in Internet and mobile device commercial transactions. The California AG’s agreement with the mobile platform companies is particularly timely. In recent weeks, the app industry has faced significant criticism over its handling of consumer privacy. First, a blogger discovered that an app for the social network Path had uploaded his contacts from his mobile phone without his permission. Shortly thereafter, photo-sharing service Hipster admitted uploading users’ contacts and then Twitter acknowledged copying the content of users’ address books from their mobile phones and storing the information on its servers.
In a digital economy where mobile apps are downloaded at a rate of two billion per month, where, according to the research company Gartner, worldwide mobile app sales are expected to grow to at least $25 billion by 2015, and where most apps available today do not even have privacy policies, these recent developments will certainly have an effect on future legislation and industry standards.
Consumer Privacy Bill of Rights
The Obama administration’s proposal for a Consumer Privacy Bill of Rights (“CPBR”), which was released as part of its white paper, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy,” is intended to give users more control over how their personal information is used in commercial transactions. This framework is directed, among other technologies, at mobile apps, which are capable of copying sensitive information from mobile devices, including device identification numbers, email addresses, location, personal contacts, texts, calendar entries and photos.
The CPBR contains seven core principles relating to all commercial uses of personal data. Under the CPBR, “personal data” is defined broadly as any data, including aggregations of data, that can be linked to a specific individual or specific device. As an example, the CPBR provides that “an identifier on a smartphone or family computer that is used to build a usage profile is personal data.”
Seven Principles of the Consumer Privacy Bill of Rights
The CPBR adopts seven general principles as a guide for future rule-making and legislation. These principles are summarized below:
- “Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.” When companies collect personal data from consumers, they should present choices to the consumer “about data sharing, collection, use, and disclosure that are appropriate for the scale, scope, and sensitivity of personal data in question,” including the ability to withdraw or to limit consent to share and collect such data.
- “Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.” Mobile apps, which are accessed on mobile devices, will need to present mobile consumers with the most relevant information about what personal data is shared, used and collected in a way that takes into account the small screens and privacy risks that are specific to mobile devices.
- “Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.” If companies will use or disclose personal data for purposes other than those that are consistent with their relationship with the consumer or for which the information was originally disclosed, then they should inform consumers and get their consent before the personal data is collected or before the company seeks to use already-collected data for different purposes.
- “Security: Consumers have a right to secure and responsible handling of personal data.” Companies that collect and keep personal data are required to keep such data secure. For example, data should be encrypted when it moves between a mobile phone and a server.
- “Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.” Not only should companies that handle personal data ensure that the consumer data that they maintain is current and accurate, but they should give consumers reasonable access to the data collected about them and the ability and opportunity to correct inaccurate data or request its deletion or limitation of use.
- “Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.” Companies should only collect personal data that they need in order to accomplish the specific purpose for which the data was originally collected. App developers should take into account data and features unique to mobile devices, such as location data and the contents and metadata from phone calls and text messages, and limit access to only the data that is relevant for the app’s intended functionality.
- “Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.” Companies should train employees to handle personal data appropriately; evaluate and, if appropriate, audit companies’ treatment of personal data; and enter into contracts or other legally enforceable instruments requiring third parties to handle personal data appropriately.
Enforcement of the Consumer Privacy Bill of Rights
For now, the CPBR is a framework and does not include enforceable rules, but the Obama administration is pursuing implementation through legislation and a multi-stakeholder rule-making process and is seeking enforcement through the Federal Trade Commission (“FTC”).
The administration’s intent in legislating the CPBR is to provide a comprehensive federal standard applicable to all personal data used or disclosed in private sector commercial transactions. Currently, much of the personal data used, shared and collected on the Internet or through mobile devices and technology is subject to federal privacy statutes that regulate specific sectors, such as healthcare, education, communications, financial services and data collection involving children. In implementing the CPBR through legislation, the Obama administration does not intend to modify these existing federal privacy statutes, but instead intends to supplement them with the CPBR legislation and extend privacy regulations to those entities not covered by the existing statutes.
The multi-stakeholder process, intended to include such players as state Attorneys General, law enforcement representatives, individual companies, industry groups, privacy advocates, international partners and other groups, is expected to ultimately produce codes of conduct that implement the seven principles of the CPBR, which companies may choose to adopt voluntarily. It is expected that a company’s public commitment to adhere to a code of conduct will become enforceable under Section 5 of the Federal Trade Commission Act (prevention of deceptive acts or practices), similar to how companies are bound to follow their privacy policies.
In addition, the Obama administration supports further legislation that provides the FTC (and state Attorneys General) with specific authority to enforce the CPBR. It supports giving the FTC explicit authority to review companies’ codes of conduct against the CPBR legislation and to grant a safe harbor from enforcement of the CPBR legislation to companies that follow a code of conduct that the FTC has reviewed and approved. If a company does not adopt a code of conduct, or chooses not to seek FTC review of a code that it chooses to adopt, then it will be subject to the requirements of the legislatively adopted CPBR.
California Online Privacy Protection Act
The California AG believes, regardless of the Joint Statement, that this section of CalOPPA applies to mobile apps and requires them to have privacy policies. The majority of mobile apps do not. In fact, a TRUSTe and Harris Interactive study found that only 5% of all mobile apps have privacy policies. With the requirements of CalOPPA applicable to mobile apps, it appears, given the virtual nature of the product and the technology, that all mobile app providers will have to comply with CalOPPA, with the Joint Statement effectively establishing a nationwide standard for mobile app privacy policies.
The proposal for a Consumer Privacy Bill of Rights and the developments involving CalOPPA present legal and commercial implications for all companies involved in the mobile app industry, as well as for consumers who download or use apps. All stakeholders in the industry should consider the privacy ramifications of the technology involved and proactively incorporate privacy protections into the design and use of apps.