Gonzalo E. Mon is a partner in the Advertising Law practice at Kelley Drye & Warren LLP and his co-author, John J. Heitmann, is a partner in the firm’s Telecommunications group. Read more on Kelley Drye’s advertising blog, Ad Law Access, or keep up with the group on Facebook or Twitter.
If you work with mobile apps, you may already know that privacy is a hot issue. Regulators are pushing companies to improve their privacy practices, Congress is contemplating new laws, and class action lawyers are suing companies that don’t clearly disclose their practices. In the past few weeks, this focus on privacy intensified as the FTC, the California Attorney General, and even the White House weighed in with new announcements.
Two things are clear from this recent burst of activity. First, regulators are putting pressure on everyone in the mobile app ecosystem to improve their practices, so you can’t just assume that it’s your partner’s responsibility to comply. Second, with the number of regulators focusing on these issues, it’s going to be a lot harder for companies to hide. No matter what role you play in the mobile app ecosystem, you should pay attention to these developments. Here’s what you need to know.
Increased Focus on App Privacy
In February, the FTC issued a report about mobile apps directed to children. Although these apps can collect a broad range of information, the FTC noted that neither the app stores nor app developers provide enough information for parents to determine what data is collected from their children or how it is used or shared. In some cases, this could be a violation of federal law. The FTC wants all members of the kids app ecosystem to play an active role in making appropriate disclosures to parents.
The White House also stepped into the debate by announcing a data privacy framework that establishes a “Consumer Privacy Bill of Rights.” Although the framework speaks broadly about privacy issues, several sections discuss issues that are particularly relevant to the mobile space. For example, the White House encourages app developers to collect only as much personal data as they need and to tailor their privacy disclosures to mobile screens.
5 Tips to Stay Ahead of the Regulators
Given the quickly changing legal landscape — and the growing number of government institutions that want to play a role in that landscape — it can be difficult for companies in the mobile app space to understand what is required. The following five tips address concerns that all of these institutions appear to share. Accordingly, they should form the starting point for your legal analysis when you develop and launch an app.
1. Don’t collect more than you need.
Because data can function as the currency of the digital age, there is often a tendency to collect as much data as possible. Companies think that even if they don’t have an immediate use for the data now, they might find a use (or a buyer) for it later on. Although this may be true, resist the temptation to collect more data than you need for your app to work. This is a core principle of the FTC’s “privacy by design” framework, as well as the new White House framework.
2. Disclose your privacy practices.
3. Be careful with children.
If you collect personal information from children under 13, you need to comply with the Children’s Online Privacy Protection Act. Among other things, COPPA generally requires companies to obtain verifiable consent from parents before they collect personal information from their children. The FTC has challenged app developers for violating COPPA, and the agency’s latest report suggests that the FTC expects all members of the kids app ecosystem to play a role in complying.
4. Consider when to get consent.
Although various bills pending in Congress would require companies to get consent before collecting certain types of information, outside of COPPA, getting consent is not a uniformly applicable legal requirement yet. Nevertheless, there are some types of information (such as location-based data) for which getting consent may be a good idea. Moreover, it may be advisable to get consent at the point of collection when sensitive personal data is in play. Work with your legal counsel to determine what makes sense in your context.
5. Protect the information you collect.
Unfortunately, it’s not uncommon to read stories about major companies that experience data breaches. Data breaches can be costly to address, and they may result in lasting damage to your brand. If you are collecting information from consumers, you need to ensure you have physical, electronic, and procedural safeguards to protect that information. For example, certain data should be encrypted and you should limit access to it. Moreover, you should properly dispose of data when you no longer need it.