From our sister blog, MoFo Tech:
Widely applicable rules regarding consumer privacy disclosures in our increasingly mobile world are only now emerging. Government agencies, individual states, and professional associations are all weighing in on how mobile app developers should disclose how they collect, store, use, and protect the wide range of highly personal data being collected every day.
The Application Privacy, Protection, and Security Act of 2013, better known as the APPS Act, is intended to bring conformity to the unwieldy world of mobile app development. With a divided Congress struggling to pass even mandatory legislation, though, passage of any type of discretionary legislation this year seems unlikely, says D. Reed Freeman Jr., a partner with Morrison & Foerster in Washington, D.C. In the meantime, Freeman says, developers should focus on the Federal Trade Commission, “because even without congressional action, it has broad jurisdiction, and it has already brought cases and issued guidance on mobile privacy and data security.”
Charged with the intentionally broad mandate of guarding consumers from “deceptive” and “unfair” business practices, the FTC has been proactively applying its consumer protection laws across nearly all media, including mobile technology. A recent FTC policy document is especially revealing because it describes how the FTC expects disclosures of material facts to be made on mobile devices, “and privacy disclosures can certainly be material,” Freeman says.
So it’s up to the mobile app company to think carefully about the ways its program could surprise a reasonable user and disclose them appropriately. Freeman offers this rule of thumb: “Would a reasonable consumer, under the circumstances, understand what information is being collected about her while she’s on a mobile device and what it is being used for?” If so, companies need to disclose those facts clearly and not bury them in EULAs or terms of use.
California’s Online Privacy Protection Act, passed in 2003, has taken consumer privacy one step further than the FTC has. It requires companies that operate commercial websites or online services and that collect personal information of any kind—including usernames and passwords—to prominently post a privacy policy somewhere on their homepage, says Andrew Serwin, a partner in Morrison & Foerster’s San Diego office.
And while California’s jurisdiction ends at the state line, its reach is often national, Serwin adds. “Companies with customers in all 50 states have to ask themselves whether they want to develop state-specific programs or apply standards across the board,” he says. Since the mobile world doesn’t recognize geographic boundaries, Serwin recommends that developers work toward the highest standards and beyond. “Privacy isn’t just a legal issue. It’s a brand issue,” he says.
Apart from knowing the law, businesses need to consider their own reputations and their customer relationships when collecting, using, and protecting personal information, Serwin says. For example, how could losing users’ passwords tarnish the company’s image in the market? “Current law doesn’t specifically cover that possibility, but,” he notes, “it may be in the company’s best interest to address these types of issues.”