Like most innovations, the regulators are not far behind the curve. The recent developments with regard to mobile app compliance are only the most recent example. For entrepreneurs, investors and the like, the lesson is the same. You must consider compliance from early strawman development to release and then in operations. Failing to do so may mean that others (regulators and plaintiff’s counsel) may enjoy the profits of your ideas.
Two weeks earlier, the FTC also settled with a mobile app developer for its failure to comply with the Fair Credit Reporting Act. The settlement with Filiquarian Publishing, LLC, Choice Level, LLC, and Joshua Linsk (the owner of Filiquarian and Choice Level, collectively, the “Companies”), was the first FCRA enforcement action against a mobile app developer. Filiquarian offered mobile apps to consumers for purposes of conducting criminal background checks, and Choice Level provided the criminal background checks used by the apps. The consent order requires these companies to comply with the FCRA and be subject to FTC audits for 20 years to make sure they do so. Having litigated the issue of what data meets the definition of “consumer report” for the past six years, there is no reason to believe that a compliance assessment would have overlooked the need to comply with the FCRA. There is no doubt that Path would have been better off building such compliance into their early development efforts.
California and the FTC have provided businesses with guidance on compliance. On January 30, 2013, California released Privacy on the Go, recommendations addressing privacy in the mobile app marketplace. These guidelines incorporate the main components of the Fair Information Practices Principles – e.g., transparency, limits, choice, security, accountability. There will be practical and technical issues with the compliance requirements. For example, how to use limited real estate is always an issue; it is exacerbated by the further limits of mobile devices. We have worked on creative solutions to comply with the law without diminishing the user experience on the web, and likewise are addressing these issues on mobile apps. A solution is available; compliance is not discretionary.
Likewise, the FTC issued on February 1, 2013, recommendations on mobile app disclosures. The recommendations cite favorably the efforts of the California Attorney General in this space and follow many of the same guiding principles adopted by the FTC in other spaces – notice, choice, security. The report focuses more on specific issues, such as geo-location-tracking and tools that could be used by developers to improve privacy. On the same day the FTC also released a security focused guide for mobile application developers. This guideline again details issues that are fairly well known by individuals that practice in this space.
As I wrote in 2006, while such publications have an educational component, they also have an enforcement aspect. From the regulators perspective, we are on notice. Just as ignorance of the law is no defense, ignorance as to the points made in these guidelines will not be a defense in a regulatory action. The universal message of all these recent events – think early about privacy and data security, bake these concepts into your business plan and product design, and remain vigilant. Otherwise, you may not reap the rewards of your great idea.