Government regulatory agencies over the last few years have taken an increasing interest in and concern about the personal data gathered by mobile app developers.
The FTC, the US Federal Trade Commission, has issued new guidance to mobile app developers, and signalled their readiness to take enforcement action where mobile apps violate their guidance.
According to the Association of Corporate Council;
The FTC’s guidance acknowledges that mobile app platforms and mobile operating systems, such as Apple’s iOS and Google’s Android, may or may not have built-in, system-level disclosures that provide information to users about a mobile app’s collection of location data. Regardless of such system-level disclosures, the FTC urges mobile apps that collect users’ location data when the mobile apps are not in use to disclose such data collection in a transparent way. Below are the tips provided by the FTC on ways for mobile apps to explain such data collection practices to users: For a mobile app that is available through the iOS8 system, the system prevents the mobile app from accessing a user’s location data when the mobile app is not in use, unless the user affirmatively allows such collection in response to a system-level prompt. The dialog box for this system-level prompt includes space for the mobile app to provide details on its collection of location data. The FTC recommends that the mobile app use this space to clearly explain why the mobile app wants to access the user’s location data, how the mobile app will use this data, and whether the mobile app shares this data with third parties. For a mobile app that is available through an operating system that does not provide users with system-level disclosures and choices about the collection of their location data, the FTC recommends that the mobile app explain its data collection practices and offer users choices within the mobile app regarding the collection of their data. For example, the FTC recommends that before the mobile app begins collecting a user’s location data when the mobile app is not in use, the mobile app may give users an in-app notification that explains why it wants to access location data and give the user an opportunity to opt in to such data collection. Regardless of what platform consumers use to obtain a mobile app, the FTC recommends that the mobile app’s privacy disclosures and other information pages clearly describe the mobile app’s data collection practices in plain language, so that users will understand whether the mobile app collects their location data when the mobile app is not in use and for what purposes. This recent guidance expands on the FTC’s recommendations included in its “Mobile Privacy Disclosures” report published in February 2013. In that report, the FTC recommended, among other things, that mobile app developers provide just-in-time disclosures and obtain users’ affirmative express consent before collecting and sharing sensitive information, such as location data (to the extent the platforms have not already provided such disclosures and obtained such consent). In the 2013 report, the FTC clarified that, to the extent its guidance goes beyond existing legal requirements, it was not intended to serve as a template for law enforcement actions or regulations under laws currently enforced by the FTC. Read More...
Click here to view a copy of the FTC’s latest guidance on mobile app development.
What does the new FTC rules mean for mobile app developers?
The essence of the rules are very simple. If you are gathering any form of personal information about people who use your mobile apps, such as their location, photographs, or anything else of an identifying or personal nature, you have to ensure mobile app users are fully aware of the information you are collecting, and have approved the collection of that information.
Furthermore, if your app continues to collect personal information, then it is a good idea to remind the user from time to time that the information is being collected. In some cases the mobile OS might do this for you – for example Apple iOS 8 posts a reminder every few days if your mobile app is gathering location information about the user, with an option to shut down the information collection.
What if I don’t live in America?
If you don’t live in America, the rules may still apply to you. As Apple and Google are based in America, there is a tendency for American regulatory agencies to consider the mobile apps to subject to US Law. We have already seen an example of this type of extra jurisdictional reach, with regard to cryptography in mobile apps. If your mobile app project uses strong cryptography, you need approval from US agencies, before your mobile app can be sold from Google Play or Apple App Store – even if your mobile app will not be used in the USA.
And of course, if you live in a part of the world which has its own consumer data protection laws, such as the European Union, you have to respect their laws as well.
What should I do about this?
If you do not have to collect personal information, then don’t do it. If you do not collect personal information, you have nothing to worry about. If your mobile app does have to collect personal information, in order to provide its function, then make very, very sure that your mobile app user is fully informed. Make sure that information is secure. Take steps to securely dispose of that information, as soon as it is no longer required.
If you are developing a mobile app, and have concerns about data collection, I strongly recommend you speak to a lawyer – I am not a legal expert. However, if you would like to explore technical means by which your exposure to these rules can be minimised, please contact me.