Although suggestions in a new Federal Trade Commission staff report do not have the force of law, they do provide guidance on how the agency could enforce American federal laws and regulations to protect the privacy of users of smart phones and tablets.
"When the FTC says something, it's really important to read it and listen," says Jonathan Ezor, director of the Touro Law Center Institute for Business, Law and Technology. "That's because the FTC's enforcement jurisdiction is so broad. The FTC does not need a specific law or regulation to enforce its privacy concerns. It has done so for more than a decade, based on its general consumer protection jurisdiction."
The report, Mobile Privacy Disclosures: Building Trust Through Transparency, makes recommendations for critical players in the mobile marketplace: applications developers, including those in end-user organizations; mobile platforms; advertising networks; and analytics companies, as well as application developer trade associations.
Most of the suggestions in the 36-page report ensure consumers get timely, easy-to-understand disclosures about what information the mobile devices collect and how the data are used.
"The mobile world is expanding and innovating at breathtaking speed, allowing consumers to do things that would have been hard to imagine only a few years ago," FTC Chairman Jon Leibowitz says in a statement accompanying the publication of the report. "These best practices will help to safeguard consumer privacy and build trust in the mobile marketplace, ensuring that the market can continue to thrive."
The staff report outlines areas where the FTC could take action to protect the privacy of individuals using mobile devices, even in sectors that have laws and regulations that govern electronic privacy, such as Federal Financial Institutions Examination Council standards in banking and the Health Insurance Portability and Accountability Act in healthcare. "It's not an either/or; they have to comply with specific requirements," Ezor says. "Consumer protection is a very broad brush."
- Furnish just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information;
- Improve coordination and communication with ad networks and other third parties that provide services for apps, such as analytics companies, so the app developers can better understand the software they are using and, in turn, provide accurate disclosures to consumers;
- Consider participation in self-regulatory programs, trade associations and industry organizations, which can provide guidance on how to make uniform, short-form privacy disclosures.
The FTC says the staff report is based on its enforcement and policy experience with mobile issues and a workshop it held in May, which brought together representatives from industry, trade associations, academia and consumer privacy groups to explore privacy disclosures on mobile devices.
The report describes the fiery growth of mobile services: consumers worldwide bought some 217 million smart phones in the fourth quarter 2012. As the report points out, mobile technology raises unique privacy concerns. More than other types of technology, smart phones and tablets are personal to an individual, almost always on, and with the user. A single mobile device can facilitate data collection and sharing among many entities.
FTC staffers, citing recent studies, contend consumers express increasing concern about their privacy on mobile devices. For instance, the report states, 57 percent of all app users have either uninstalled an app over concerns about having to share their personal information, or declined to install an app in the first place for similar reasons. Less than one-third of Americans feel they are in control of their personal information on their mobile devices.
Security and privacy professionals should heed the FTC staff report. "More than anything else," Ezor says, "what this shows is that mobile privacy is a major priority for the commission in both promoting best practices and punishing those that don't follow them."