Regulators Issue Warnings to Mobile Application Developers—Clearer Privacy Disclosures Are Called For

March 7, 2012
Practice Groups:
Privacy, Data
Protection and
Transactions and
Data Protection
Telecom, Media and
Regulators Issue Warnings to Mobile
Application Developers—Clearer Privacy
Disclosures Are Called For
By Holly K. Towle, Samuel R. Castic, and Marc S. Martin
In recent months, mobile application developers and distributors have faced increasing scrutiny for
privacy practices, primarily around the issue of transparency in those practices. Researchers,
regulators, members of Congress, and litigants have all brought attention to perceived failures of
mobile applications (“apps”) to disclose information collection and sharing practices.
The FTC, too, has weighed in, first by settling its first enforcement proceeding against a mobile app
provider, and just this month, in releasing a “warning” in a staff report that focuses on the failure of
many mobile app developers and distributors to disclose privacy practices in apps targeted at children.
Following the FTC report, California’s Attorney General announced an agreement between the six
leading mobile app platforms that is likely to bring increased pressure on mobile app developers to
disclose their practices in privacy policies.
This alert will address some of the existing law that is being used to compel app developers to create
privacy policies. It will also identify some key considerations in creating mobile app privacy policies.
COPPA Requires Online Services Directed to Children to Post
Privacy Notices
In the above-mentioned FTC staff report, the FTC reviewed the privacy practices of 800 mobile apps
that appear to be directed at children.1 As noted, this report included a “warning” to mobile app
developers that more must be done to provide notice of app privacy practices. The FTC report
indicated that over the next six months it would be reviewing whether to commence Children’s Online
Privacy Protection Act (“COPPA”) actions against mobile app developers.
Among other requirements, COPPA requires websites and online services that are targeted to
children under the age of 13, or that knowingly collect personal information about children under the
age of 13, to post privacy notices.2 Personal information is broadly defined to include names, e-mail
addresses, phone numbers, partial addresses, social security numbers, other identifiers that permit
online or physical contact with the individual, and other information about children or parents that is
collected online and combined with any of the foregoing.3 Although “online service” is undefined in
COPPA, the FTC views app developers as falling within COPPA’s scope.4
“Mobile Applications for Kids: Current Privacy Disclosures Are Disappointing” (Feb. 2012) available here; see also here.
15 U.S.C. § 6502(a)(1); 16 C.F.R. § 312.3.
15 U.S.C. § 6501(8).
See here and here; see also 76 Fed. Reg. 59807 (Sept. 27, 2011) (FTC noting that while undefined in COPPA, the term
“online services” supports a broad reading to encompass new technologies).
Privacy notices must indicate what information websites or other online services collect from children,
how they use such information, and their disclosure practices for such information.5 COPPA also
requires online services to obtain verifiable parental consent before collecting any personal
information about children under the age of 13;6 careful planning is required to obtain such consent in
the mobile app context.
Not all apps are subject to COPPA, but the standards are not as clear as one might hope. Whether an
app is targeted towards children depends on the totality of the circumstances; under the current
regulations, the FTC will look to factors such as the app’s subject matter, visual or audio content, age
of models, language or other characteristics of the app, whether advertising promoting or appearing in
the app is directed to children, competent and reliable empirical evidence regarding audience
composition, evidence regarding the intended audience, and whether the app uses animated characters
and/or child-oriented activities and incentives.7
The FTC regulations implementing COPPA are currently under review, and new regulations are
expected in the upcoming months. Accordingly, it is possible that these criteria, and the other
requirements of the FTC’s COPPA Rule, will change.8
California Law Requires Online Services to Post Privacy Policies
California has a state law that requires websites and online services to post privacy policies when they
collect personally identifiable information about California residents.9 As under COPPA, “online
service” is undefined in the California statute. Unlike COPPA, California’s law applies regardless of
whether the website or online service is directed to, or collects information about, children. However,
the website or online service must be commercial in nature, and must collect personally identifiable
information about consumers residing in California.10 California’s attorney general believes that the
California statute “requires mobile applications that collect personal data from California consumers
to conspicuously post a privacy policy.”11
California’s attorney general recently announced an agreement with six providers of mobile app
platforms to facilitate the distribution of app privacy policies.12 The signing providers (e.g., Apple
Inc., for the iTunes App Store) agreed to change the app submission process for new or updated apps
to make it easier for app developers to include a link to, or the text of, the app’s privacy policy.13 The
signing providers also agreed to create reporting procedures for users to identify apps that do not
comply with applicable terms of service or law.14 While the actual effect that the California
16 C.F.R. § 312.3(a).
15 U.S.C. § 6501(2)(b)(1)(A)(ii).
16 C.F.R. § 312.2.
See here and here.
Cal. Bus. & Prof. Code § 22575.
California Office of the Attorney General, “Joint Statement of Principles” (Feb. 22, 2012) available here.
Id. at No. 2.
Id. at No. 3.
agreement will have on the privacy practices for mobile apps is unknown, it shows that regulators are
increasingly interested in app privacy practices, and it ratchets up the pressure on mobile app
The FTC Act Requires Accuracy in Privacy Policies
Even though there is increasing pressure on mobile app developers to post privacy policies, developers
should not hastily post them. Knowing why one is posting is important—i.e., is it to comply with a
legal requirement, to meet a business need, or for some other reason? The legal basis can make a
difference. Once privacy policies or statements are made, including when done so voluntarily, FTC
powers kick in.
The FTC takes the position that section 5 of the FTC Act, which prohibits deceptive or unfair acts or
practices in trade or commerce, affords it broad authority to redress inaccuracies in privacy policies, or
in characterizing privacy practices.15 Based on this view, the FTC has commenced actions against a
number of companies, alleging that they failed to fully or accurately describe their data collection,
protection, or sharing practices, whether in a privacy policy or otherwise.16 The FTC has also brought
actions against companies for alleged inadequacies in safeguarding information collected, in access
controls, and in authenticating users—all of such inadequacies have been treated by the FTC as
“unfair acts” even if no statement is made.17 Although there is no generally applicable requirement
that the FTC can rely on to require companies to post a privacy policy in connection with a mobile
app, once a privacy policy is posted (such as pursuant to COPPA or California law), the FTC’s
authority under section 5 of the FTC Act is the strongest. States also often have “mini-FTC Acts” that
prohibit unfair or deceptive acts or practices at the state level, with enforcement authority resting in
the hands of state attorney generals and/or private litigants who often can commence class actions.
Before posting a privacy policy, it is important to verify that the policy clearly and accurately
describes the ways in which a mobile app collects, uses, shares, and disposes of information, and the
purposes for which it does so. If the descriptions are incomplete, or if they could mislead, there is
potential legal exposure.
While accuracy and thoroughness in a privacy policy is required to reduce these risks, the FTC staff
also wants privacy policies to be “clearer, shorter, and more standardized.”18 This can be a catch-22,
because if brevity comes at the expense of accuracy, there is increased risk that a privacy policy will
be misleading or deceptive. Further illustrating the catch-22, when brevity omits detail important to
exercise of a right briefly covered, the FTC may allege that there is no right.19 Also complicating the
See Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and
Policymakers (“FTC Framework”), 3-4 (Dec. 2010) available here (Note that this report was characterized as a
“preliminary FTC staff report”; the FTC is soon expected to release its final version of this report.).
See id. at 9 n.17.
See, e.g., Complaint, In the Matter of Reed Elsevier Inc. and Seisint, Inc., FTC File No. 052-3094 (Aug. 1, 2008)
available here; Complaint, U.S.A. v. Rental Research Services, Inc., FTC File No. 072 3228 (Mar. 5, 2009) available here.
FTC Framework, supra note 15 at 70.
See letter from David Vladeck, FTC Director of the Bureau of Consumer Protection, to Michael St. Patrick Baxter,
consumer privacy ombudsman in bankruptcy of Borders Books (Sept. 14, 2011) available here (In order to avoid
deception regarding its statement that it would not “sell” data for marketing, Border’s policy made it clear that the data was
a transferable asset for other purposes, including in connection with sales, mergers, and reorganizations of its business.
The FTC opposed a transfer in connection with a bankruptcy, and took the position that the policy language was not broad
enough to encompass dissolutions.).
issue, presenting privacy policies on a website as opposed to on a smartphone screen poses different
questions about how notices can satisfy these inherently conflicting goals.20
Posting an accurate and concise privacy policy does not end a company’s obligations. When data
collection practices change, privacy policies need to be updated to remain accurate. In short, in
drafting and presenting an accurate and workable privacy policy for a mobile app, there is no one-sizefits-all approach; rather, it requires careful evaluation of legal requirements, voluntary commitments,
and business objectives, which are unique to each app’s features.
Holly K. Towle
holly,[email protected]
Samuel R. Castic
[email protected]
FTC Framework, supra note 15 at 70-71 (The FTC Framework notes that privacy notices in the mobile context are a
“strong illustration” of how such notices are “ineffective” because of “the small size of the device.”).