On September 5, 2012, the Federal Trade Commission (FTC) published a brief guide to assist developers of mobile applications, both large and small, in complying with truth-in-advertising, privacy, and data security principles. In publishing this advice, the FTC makes clear that its Section 5 enforcement powers against unfair or deceptive acts or practices apply in the mobile app arena, and with equal force to large and small developers.
The FTC’s guidance briefly lays out the practices developers should follow in order to avoid such enforcement, thereby suggesting that more enforcement is on the horizon. Indeed, it has already started: last August the FTC reached a settlement with W3 Innovations, LLC for alleged violations of the COPPA rule in its apps directed at children.
The guide, called “Marketing Your Mobile App: Get it Right from the Start,” explains general consumer protection principles, and applies them to the context of mobile applications. Although the title of the guide suggests that the advice is primarily about marketing the apps, the FTC also gives advice about the design and implementation of apps.
WHAT IS THIS GUIDE?
This is NOT a new FTC trade regulation carrying the force of law. This is guidance issued by the Commission for how it may apply its Section 5 authority to police deceptive and unfair practices in the app environment. The FTC expects that the industry will review this guidance and take it into account in developing and advertising their apps.
This guidance is also specifically directed at mobile app developers; it is separate from the “In Short” Dot-Com Disclosures workshop held on May 30, 2012, which concerned proper disclosure techniques across all online commerce. Guidance arising from that workshop, which is expected to be far more comprehensive, may be released as early as this fall.
WHAT COMPLIANCE STEPS IS THE FTC LOOKING FOR?
Substantiate Your Claims
The FTC advises that app developers advertise their apps truthfully, and explains that “pretty much anything” a company tells a prospective user about what the app can do, expressly or by implication, no matter the context, is an “advertisement” requiring substantiation for claims as they would be interpreted by the average user.
If Disclosures are Necessary, Make them Clearly and Conspicuously
If developers need to make disclosures to users in order to make their advertising claims accurate, the FTC notes, then those disclosures must be clear and conspicuous. Although this does not require a specific typeface or font size, the disclosures must be large enough and clear enough that users both see and understand them. This means, according to the FTC, that disclosures cannot be buried behind vague links or in blocks of dense legal prose.
Incorporate Principles of “Privacy by Design” In Developing Apps
The FTC also gives advice to developers on how to avoid enforcement for violations of user privacy. First, it notes that developers should implement “privacy by design,” meaning that they should consider privacy implications from the beginning of the development process. This entails several elements:
- Incorporate privacy protections into your practices;
- Limit information collection;
- Securely store held information;
- Dispose of information that is no longer needed;
- Make default privacy settings consistent with user expectations; and
- Obtain express user agreement for information collection and sharing that is not apparent.
Incorporate Transparency and Choice into Apps and Honor Users’ Choices
The FTC urges that developers be transparent about their data collection practices, informing users about what information the app collects and with whom that information is shared. Developers should also, according to the FTC, give users choices about what data the app collects, via opt-outs or privacy settings, and give users tools that are easy to locate and use to implement the choices they make.
Importantly, the FTC emphasizes that developers must honor the choices they offer consumers. This includes following through on privacy promises made. This also includes getting affirmative permission from users for material changes to privacy practices—simply editing the privacy policy is not enough, according to the FTC guide.
Apply COPPA Protections Where Appropriate
The FTC notes that there are special rules for dealing with kids’ information. Developers who aim their apps at children under 13, or know that children under 13 are using the app, must clearly explain their information practices and obtain verifiable parental consent before collecting personal information from children. The guide links to further advice for compliance with the Children’s Online Privacy Protection Act (COPPA).
Special Protections for Sensitive Information
Even for adults, the FTC urges developers to get affirmative consent before collecting “sensitive” information, such as medical, financial, or precise location information. For sensitive information, the FTC states that developers must take reasonable steps to ensure that it remains secure. The FTC suggests that developers:
- Collect only the information needed;
- Take reasonable precautions against well-known security risks;
- Limit access to the data to a need-to-know basis; and
- Dispose of data safely when it is no longer needed.
The FTC notes that these principles apply to all information the app collects, whether actively from the user, or passively in the background. In addition, any contractors that work with the developers should observe the same high security standards.