The FTC Has an App for That…Are You Ready?

Over the past week, the FTC has announced two settlements involving mobile applications and has released guidelines for mobile application security and privacy. All of this activity comes in the wake of efforts by the California Attorney General to raise accountability for mobile apps under the California Online Privacy Protection Act: the Attorney General has sued Delta Airlines for its failure to have a privacy policy and has issued the Privacy on the Go guidelines for mobile app privacy. For those offering mobile apps, now is the time to pay attention.

As with most innovations, the regulators are not far behind the curve. The recent developments in mobile app compliance are only the latest example. For entrepreneurs, investors and the like, the lesson is the same: you must consider compliance from early strawman development through release and on into operations. Failing to do so may mean that others (regulators and plaintiffs’ counsel) enjoy the profits of your ideas.

This is precisely what Path said in a blog post after its settlement with the FTC was announced on February 1, 2013. The “smart journal” site paid $800,000 in fines to the FTC for collecting personal information from mobile devices without the consumer’s consent. Path also will establish a privacy program that the FTC will monitor for 20 years. The FTC alleged that Path’s mobile application downloaded the user’s entire contact list without consent and in violation of its privacy policy. Despite requesting the user’s birth date, Path also failed to comply with the Children’s Online Privacy Protection Act – the cause of the $800,000 fine.

Two weeks earlier, the FTC also settled with a mobile app developer for its failure to comply with the Fair Credit Reporting Act. The settlement with Filiquarian Publishing, LLC, Choice Level, LLC, and Joshua Linsk (the owner of Filiquarian and Choice Level; collectively, the “Companies”) was the first FCRA enforcement action against a mobile app developer. Filiquarian offered mobile apps to consumers for conducting criminal background checks, and Choice Level provided the criminal background checks used by the apps. The consent order requires the Companies to comply with the FCRA and to be subject to FTC audits for 20 years to make sure they do so. Having litigated for the past six years the issue of what data meets the definition of a “consumer report,” I see no reason to believe that a compliance assessment would have overlooked the need to comply with the FCRA. There is no doubt that Path would have been better off building such compliance into its early development efforts.

These issues are made even more complicated by the 2012 effort of the California Attorney General to extend the California Online Privacy Protection Act to mobile apps. The Attorney General has taken the position that the CalOPPA privacy policy requirements apply to mobile apps. Indeed, California filed suit against Delta Airlines for its failure to have such a policy. So what are the implications in light of all of the above? Mobile apps will be required to have privacy policies or be in violation of California law. And if you fail to abide by those policies, expect enforcement actions from the FTC and the state Attorneys General. Ignorance will not be tolerated.

California and the FTC have provided businesses with guidance on compliance. On January 30, 2013, California released Privacy on the Go, recommendations addressing privacy in the mobile app marketplace. These guidelines incorporate the main components of the Fair Information Practice Principles – e.g., transparency, limits, choice, security, accountability. There will be practical and technical issues with the compliance requirements. For example, how to use limited screen real estate is always an issue, and the smaller screens of mobile devices make it worse. We have worked on creative solutions that comply with the law without diminishing the user experience on the web, and we are likewise addressing these issues in mobile apps. A solution is available; compliance is not discretionary.

Likewise, on February 1, 2013, the FTC issued recommendations on mobile app disclosures. The recommendations cite favorably the efforts of the California Attorney General in this space and follow many of the same guiding principles the FTC has adopted elsewhere – notice, choice, security. The report focuses more on specific issues, such as geolocation tracking and tools that developers could use to improve privacy. On the same day the FTC also released a security-focused guide for mobile application developers. This guide again details issues that are fairly well known to individuals who practice in this space.

As I wrote in 2006, while such publications have an educational component, they also have an enforcement aspect. From the regulators’ perspective, we are on notice. Just as ignorance of the law is no defense, ignorance of the points made in these guidelines will not be a defense in a regulatory action. The universal message of all these recent events: think early about privacy and data security, bake these concepts into your business plan and product design, and remain vigilant. Otherwise, you may not reap the rewards of your great idea.

About The Author

Ron Raether