Mobile App Privacy Class Action Suit Largely Defeated

By Mike Pfeifer* and Nickolas Milonas

In the latest development of ongoing concerns regarding mobile data privacy, Apple, major app developers, and social media networks (such as Facebook, Twitter, and Electronic Arts) recently succeeded in dismissing all but one of the claims in a data privacy class action lawsuit.  The suit centered on the apps’ alleged data harvesting of consumers’ address books and other mobile data.  The federal court for the Northern District of California tossed out all but one of the various claims in the lawsuit, which included alleged violations of both federal and state consumer protection laws, as well as violations of common law.  The class action combined four suits filed after it was discovered that a mobile photo sharing app, Path, secretly obtained information from consumers’ address books and calendars.  

Apple avoided liability under the California Comprehensive Computer Data Access and Fraud Act (CDAFA), which prohibits companies from, among other things, accessing computer networks in order to facilitate the wrongful harvesting of user data.  Plaintiffs argued, among other things, that Apple was liable because it (i) published certain apps to its App Store, and (ii) encouraged of the development of the certain app features through guidelines and tutorials provided to developers.

With respect to the first theory, the court held that the Communications Decency Act (CDA) preempted the state law claim by shielding Apple from liability as a web publisher.  The CDA protects from liability web publishers that re-post third-party content in a neutral manner.  As for the second theory, the court found that Apple’s guidelines and tutorials amounted to actions that contributed to the development of the alleged illegal content.  This triggered the “information content provider” exception to CDA immunity that applies to companies that create and develop prohibited content, as opposed to simply re-posting it from a third-party.  Nevertheless, Apple escaped liability under this second theory because of a technical subtlety.

Additionally, the court found that the plaintiffs did not rely upon any particular representations or advertising campaigns Apple made about app privacy when purchasing their mobile devices.  Although the court previously ruled in favor of plaintiffs on this issue, on further review, it determined that in order to allow such a claim to proceed, a plaintiff must have done more than simply visit Apple’s App Store.  While the website represented that the apps in question ran in an environment safe from data sharing, there was little evidence that plaintiffs actually saw or relied upon that representation.

The court likewise held that Apple did not have any affirmative duty to disclose the potential danger of privacy infringement stemming from use of the apps in question.  A products liability claim failed because the court found that mobile address books not constitute property for which there can be a physical harm.

The court spared the app developer defendants, including the designer of the popular mobile device game “Angry Birds,” from liability under the Electronic Communications Privacy Act and Texas and California wiretap statutes.  However, the court allowed the plaintiffs’ “intrusion into seclusion” common law claim to proceed, noting that a jury should decide whether the harvesting of data from address books is “highly offensive,” the legal requirement once an individual’s reasonable expectation of privacy has been satisfied.

As more consumers access, create, and store content on mobile devices, issues surrounding data privacy, as well as the legal parameters of accessing mobile data, will necessarily continue and develop.

*Mike Pfeifer is a summer associate in K&L Gates’ Washington, DC office and contributed to this post.

FTC Settles With Fandango, Credit Karma Over Mobile App Security

By Jenny Paul and Marc Martin 

Movie ticket seller Fandango and financial management service Credit Karma have agreed to settle the Federal Trade Commission’s allegations that the companies misrepresented the security of their mobile apps and failed to secure the transmission of millions of consumers’ sensitive personal information from the apps, the agency announced last week.

The FTC accused Fandango and Credit Karma of making security promises on their mobile apps and then failing to take “reasonable” steps to secure the apps.  In particular, the complaints against Fandango and Credit Karma assert that each company disabled a default process called SSL certification validation, which would have secured the apps’ communications and ensured that an attacker could not intercept information submitted by consumers through the apps.  Such information, depending on the app, could have included sensitive personal information such as credit card details, e-mail addresses, passwords, Social Security Numbers, dates of birth, home addresses, and credit report details, according to the FTC.

The settlements require Fandango and Credit Karma to establish “comprehensive security programs” designed to address security risks during the development of their applications and to undergo biennial independent security assessments for 20 years. The settlements also prohibit Fandango and Credit Karma from misrepresenting the level of privacy or security of their products and services.  According to the FTC, the agreements will be subject to public comment through April 28, 2014, after which the FTC will decide whether to make the proposed consent orders contained in the settlements final.

California Ups Privacy Ante With Passage of Digital Eraser, Do Not Track Laws

By Jenny Paul and Marc Martin


The state of California passed two laws in recent weeks aimed at bolstering the privacy protections offered by websites and mobile apps.  The first, SB 568, gives minors a digital eraser of sorts by requiring the operators of minor-focused websites and mobile apps to provide a mechanism for removing content posted by minors who are registered users.  A website or mobile app can comply with the law by permitting minors to make content removal requests or by giving clear instructions on how a minor user can remove his or her own postings.   

 In addition, affected websites and apps must also provide minor users with notice that deletion will not ensure complete or comprehensive removal of the content in question.  The law, which was signed by Gov. Jerry Brown Sept. 23, also prohibits operators of minor-targeted websites and mobile apps from marketing or advertising to a minor specified types of products or services, including alcoholic beverages, firearms, tobacco and permanent tattoos.  The law takes effect Jan. 1, 2015.

The second privacy-oriented law, AB 370, requires all websites that collect personally identifiable information to disclose how they respond to web browser “do not track” signals or similar mechanisms that allow browser users to make a choice about the collection of information that reveals an individual’s online activities over time and across third-party websites or online services.  A website operator may comply with the law by providing a link in its privacy policy to a description of any protocol the operator follows that offers users the choice to opt out of Internet tracking.  Gov. Brown signed the law Sept. 27, and it takes effect Jan. 1, 2014.  Given California’s prior application of its online privacy requirements to mobile applications, the new tracking law’s requirements likely will apply to mobile applications, although the law does not specifically address that issue.

Mobile App Transparency Group Continues Development of Privacy Code of Conduct

By Nickolas Milonas and Marc Martin

The National Telecommunications and Information Administration recently held another meeting as part of its multistakeholder process regarding mobile app transparency.  In the summer of 2012, the NTIA began an industry-wide effort to develop a voluntary code of conduct for how mobile apps notify users about their personal data collection practices.  Industry representatives and privacy groups have worked together over the past year to develop a draft code of conduct to improve the clarity of privacy disclosures while advancing self-regulation as a preferred option to privacy laws that may be handed down from Congress.

The Obama Administration has praised the process a means to create meaningful self-regulation within the industry, which may also spur industry progress on other technology and privacy issues.  The NTIA’s process is near completion, as the group currently only has one more meeting slated on its docket for this summer. 

FTC's Online Privacy Rules for Children Clarified

By Nickolas Milonas and Marc Martin

The Federal Trade Commission recently released guidance on its December 2012 updates to the Children’s Online Privacy Protection Act (COPPA).  COPPA regulates the collection and use by website operators and application developers of personal information from children under the age of 13.  COPPA also requires website operators and application developers to obtain parental consent before collecting a child’s personal information.  The guidance touches upon several issues, including geolocation data; services directed towards children vs. mixed-audience services; parental access to children’s personal information; and disclosure of information to third parties.

As we previously reported, the December changes to the COPPA regulations are scheduled to take effect this July and contain definitional changes; expand the scope of permitted operations to include the collection of certain personal information through the use of persistent identifies; clarify the use of age screens for content targeting a broad audience vs. content specifically targeting children; heighten parental notification requirements; and implement more-stringent requirements regarding the retention and disposal of personal information.

In advance of the FTC’s guidance, industry groups voiced concerns that the complex changes could deter innovation and asked the FTC to delay implementation until 2014 to ensure compliance.  However, privacy groups advocated rejecting any delays, stating that the changes are necessary to protect children and companies have had plenty of lead time to revise their policies and products.

Updated (5/6/13): In a letter to representatives of the advertising, application, and e-business industries, the FTC confirmed that it will not delay implementation of the new COPPA rules scheduled to take effect this July. The FTC stated that all stakeholders were afforded a sufficient opportunity to raise their concerns with the new rules but did not present any facts to warrant delaying implementation.

Apple Settles In-App Purchases Class Action

By Nickolas Milonas and Marc Martin

Earlier this week, Apple agreed to settle a class action lawsuit regarding so-called “bait apps”—mobile apps directed towards children, which are free to download but then charge for in-app purchases. Under the terms of the settlement, Apple agreed to issue $5 in iTunes credit to affected customers. If customers racked up more than $5 in in-app charges, Apple will issue up to $30 in iTunes credit. Apple will issue cash refunds for accounts that spent more than $30.

The size of the class is not yet determined, but Apple will send notices to 23 million potentially affected customers. Customers who were affected during the relevant time period will have to certify that the charges were made by minors and without parental permission. While the final settlement amount may vary, Apple could end up paying in excess of $100 million when all is said and done. The court is scheduled to hear the proposed settlement tomorrow, March 1.

The lawsuit was filed in 2011 by a group of parents who claimed their children made purchases within apps without their consent. The parents alleged that Apple failed to adequately disclose that these apps contained the ability to make in-app purchases. At that time, Apple’s policy required account holders to enter their passwords when downloading a mobile app, but would not require passwords to be re-entered for the next 15 minutes. During that 15 minute window, children could make in-app purchases without entering an account password. Apple has since changed its policy to require a password for every purchase.

The settlement is one piece in the larger puzzle regarding mobile app disclosures and privacy protections. Earlier this year, the FTC released a mobile privacy report and entered into a settlement with Path—a mobile-only social network that was allegedly mining information without users’ consent, including, according to the FTC, the information of minors in violation of the Children’s Online Privacy Protection Act. Late last year, the FTC released another report, highlighting the widespread practice of mobile apps collecting and sharing minors’ information with third parties without disclosing such practices. Also last year, the California Attorney General entered into an agreement with six mobile app platforms to increase consumer privacy protections. It issued a follow-up report earlier this year, Privacy on the Go, which includes recommendations for app developers, platform providers, and mobile carriers.

Data Privacy Update: FTC Releases Mobile Privacy Report and Settles Action against Path; Facebook to Identify Tracking Advertisements

By Nickolas Milonas, Marc Martin, and David Tallman

In a trio of recent data privacy developments, the FTC published mobile data policy recommendations, Path settled an FTC action regarding allegedly unlawful data collection, and Facebook will now tell users which ads are tracking their online activity.

The FTC recently released a staff report calling on mobile services to make their data policies more transparent and accessible to consumers. The report makes recommendations for mobile platform providers, application developers, advertising networks, and other key players in a rapidly expanding marketplace. The recommendations focus on providing consumers clear and timely disclosures about what consumer data is collected and how that data may be used. The report results in part from a May 2012 FTC workshop in which representatives from the industry, academia, and consumer privacy groups examined privacy risks and disclosures on mobile devices. 

Noting the expansive growth of services offered on mobile platforms, the report recognizes unique privacy concerns rooted in the “unprecedented amounts of data collection” possible from a single mobile device. The report also notes consumers are increasingly concerned about their privacy on mobile devices, stating “less than one-third of Americans feel they are in control” of their mobile personal data. 

With those concerns in mind, the report offers recommendations to improve mobile privacy disclosures. These recommendations are consistent with the broad principles previously articulated in the FTC’s prior March 2012 Privacy Report, which generally called upon companies handling consumer data to adhere to the core principles of “privacy by design,” simplified consumer choice, and greater transparency. The staff report elaborates on these general principles by providing guidance to address the unique challenges presented in the mobile environment (e.g., limited screen space, the centrality of platform and operating system providers, etc.) Among other recommendations, the report suggests: 

  • Developing privacy best practices and uniform, short-form disclosures;
  • Providing just-in-time disclosures to consumers requiring affirmative consent before allowing apps to access sensitive content like geolocation, contacts, or photos;
  • Developing a one-stop “dashboard” to review content accessed by apps; and
  • Offering a “Do Not Track” mechanism on smartphones to prevent third-parting tracking at the operating system level.

On the heels of the staff report, the FTC also announced a law enforcement action against Path, a mobile-only social network accused of collecting user data without consent. Through its social networking service, Path’s app allows users to upload and share content, including photos, comments, location data, and even the names of songs that the user plays. Among other allegations, the FTC claimed that the Path application automatically collected and stored personal information from users’ mobile device address books without the users’ consent (including names, addresses, phone numbers, email addresses, Facebook and Twitter usernames, and dates of birth). The agency also alleged that Path violated the Children’s Online Privacy Protection Act by collecting personal information from approximately 3,000 children under the age of 13 without parental consent. Path settled with the FTC on the same day that the agency filed its action. Path agreed to pay $800,000 in fines, delete all information for users under 13, and submit a comprehensive privacy plan with updates/assessments every other year for the next 20 years. 

Finally, Facebook recently announced it will alert users to advertisements that are based on or track browsing history. When users are logged in to their Facebook account and hover over ads with their mouse, a new pop-up icon will alert users if they are being tracked. The feature is the product of an agreement between Facebook and the Council of Better Business Bureaus, and users are still able to opt out of brand-specific ads, as well as ad tracking altogether.

These developments highlight the continuing regulatory focus on online privacy issues, particularly in connection with social media and mobile applications.

Facebook App Offers Free Phone Calls Over Wi-Fi

By J. Bradford Currier and Marc Martin

In a move likely to further disrupt the voice services market, Facebook recently announced that it will offer free calls via Wi-Fi for users of its Messenger app on Apple devices in the United States. The Messenger calling feature, tested in Canadian markets earlier this month, allows users to “call” their Facebook friends who have installed the Messenger app and linked their mobile number with Facebook by clicking their contact information. While data charges will still apply for Messenger calls made over a wireless carrier’s 4G or 3G network, there will be no separate charge for calls made over a device connected to the Internet via a Wi-Fi connection. Facebook’s announcement marks another example of the growing trend of using mobile apps to end-run traditional public switched telephone network (“PSTN”)-based voice services.

While Messenger will allow users of Apple’s mobile operating system to call Facebook friends, calls to landlines or devices using non-Apple operating systems are not currently available. The Messenger app can be used to make calls not only on the iPhone, but any device running Apple’s mobile operating system, such as the iPad tablet. Consumers with Messenger already installed on their Apple device will not need to update the app to access the new calling feature, which was automatically downloaded to existing users. Facebook has not indicated when the Messenger calling feature will be available in other countries or for non-Apple operating systems. 

Industry observers praised the new Messenger features as critical for consumers with poor wireless network coverage or who want to conserve cell phone minutes and costs. However, Facebook may face opposition from the wireless industry, which may view the Messenger app as an unfair competitive threat. If the wireless industry attempts to block the Messenger app, it could result in an interesting test of the “no blocking” provisions of the FCC’s Open Internet Order (i.e., net neutrality), which generally prohibit mobile wireless providers from blocking lawful applications that compete with the provider’s voice or video telephony services. In addition, if the Messenger app begins to offer the capability to make calls to and receive calls from the PSTN, it would be subject to the same regulatory requirements applicable to PSTN-interconnected VoIP service. 

Depending on the traction Facebook Messenger gets, the service has the potential to further disrupt markets for traditional landline voice services, which are already facing pressure from the wireless industry and interconnected VoIP providers.

FTC Report Investigates Mobile Apps for Kids

By Samuel Castic

Federal Trade Commission staff recently released a report titled “Mobile Apps for Kids: Disclosures Still Not Making the Grade,” which contained the FTC’s most recent mobile app investigative findings that build upon its report from February of this year. The February report contained four key recommendations, which we summarized in a prior post.

This new report expanded on the FTC’s prior investigation by reviewing mobile app features and comparing them to disclosures made concerning the apps. The FTC found that many apps shared kids’ information with third parties without disclosing such practices to parents. Specifically:

1.      Most apps failed to disclose information collection or sharing practices before the apps were downloaded;

2.      Many apps failed to disclose that they contained advertising content or that the app shared privacy data with third-party advertising networks (including device IDs, geolocation information, and phone numbers);

3.      Some apps failed to disclose that they allowed in-app purchases;

4.      Some apps failed to disclose that they contained social media integrations that allow users to communicate with members of social networks; and

5.      Some app disclosures included false information. For example, certain apps expressly stated that user information would not be shared or that the apps did not contain advertising, when that was not the case.

The FTC has taken the position that mobile apps are online services for purposes of the Children’s Online Privacy Protection Act (“COPPA”), which prohibits the online collection of personal information concerning children under age 13, except in certain circumstances. As we have noted in prior posts, this area is fraught with risk and legal exposure. Indeed, the report indicates that the FTC staff plans to launch “multiple nonpublic investigations” to determine whether certain players in the mobile app space have violated COPPA or engaged in unfair acts or deceptive practices in violation of the FTC Act.

The report concludes by urging the mobile app industry to carry out the recommendations from the FTC’s recent privacy report—most notably, to:

1.      Incorporate privacy protections into the design of mobile products and services;

2.      Offer parents easy-to-understand choices about data collection and sharing through kids’ apps; and

3.      Provide greater transparency about how data is collected, used, and shared through kids’ apps.

Stay tuned in the upcoming weeks as the FTC is expected to announce new COPPA regulations that could impose further compliance challenges for mobile apps.

FTC Releases Mobile App Privacy and Advertising Guide

By J. Bradford Currier, Marc Martin, and Samuel R. Castic

Developers of mobile applications are urged to adopt truthful advertising practices and build in basic privacy principles into their products under guidance recently issued by the Federal Trade Commission. The guidance is aimed at providing mobile app start-ups and independent developers with marketing recommendations designed to ensure compliance with federal consumer protection regulations. The guidance follows recent actions by the Federal Communications Commission, the White House, states, private stakeholders, and the FTC itself to establish mobile privacy codes of conduct and safeguard consumer information. The FTC guidance focuses on two key regulatory compliance areas for mobile app developers: (1) truthful advertising and (2) consumer privacy.

(1)        Truthful Advertising – The guidance recommends that mobile app developers always “[t]ell the truth about what your app can do.” The FTC cautions mobile app developers that anything a developer tells a prospective buyer or user about their app can constitute an advertisement subject to the FTC’s prohibitions on false or misleading claims. As a result, mobile app developers are encouraged to carefully consider the promises made concerning their apps on websites, in app stores, or within the app itself. Specifically, the guidance reminds mobile app developers that any claim that an app can provide health, safety, or performance benefits must be supported by “competent and reliable” scientific evidence. The FTC notes that it has taken enforcement action against mobile app developers for suggesting that their apps could treat medical conditions and recommends app developers review the FTC’s advertising guidelines before making any claims to consumers.

The guidance also advises mobile app developers to disclose key information about their products “clearly and conspicuously.” While the guidance recognizes that FTC regulation does not dictate a specific font or type size for disclosures, mobile app developers are encouraged to develop disclosures that are “big enough and clear enough that users actually notice them and understand what they say.” The FTC warns mobile app developers that it will take action against mobile app developers that attempt to “bury” important terms and conditions in long, dense licensing agreements. 

(2)        Consumer Privacy – The guidance calls upon mobile app developers to build privacy considerations into their products from the start, also known as “privacy by design” development. The FTC suggests that mobile app developers establish default privacy settings which would limit the amount of information the app will collect. The FTC also recommends that app developers provide their users with conspicuous, easy-to-use tools to control how their personal information is collected and shared. The guidance pushes mobile app developers to get users’ express agreement to: (1) any collection or sharing of information that is not readily apparent in the app; (2) any material changes to an app’s privacy policy; or (3) any collection of users’ medical, financial, or precise geolocation information. At all times, mobile app developers should be transparent with consumers about their data collection and sharing practices, especially when the app shares information with other entities. 

The FTC also advocates that mobile app developers install strong personal information security protections in their products. In order to keep sensitive data secure, the guidance suggests that mobile app developers: (1) collect only the data they need; (2) secure the data they keep by taking reasonable precautions against well-known security risks; (3) limit access to a need-to-know basis; and (4) safely dispose of data they no longer need. Mobile app developers are also encouraged to establish similar standards with any independent contractors.

The guidance also pays special attention to the issue of mobile app protection of children’s privacy under the Children’s Online Privacy Protection Act (“COPPA”). The guidance reminds mobile app developers that they must clearly explain their information practices and get parental consent before collecting personal information from children if their apps are “directed to” kids under age 13 and keep such information confidential and secure. The FTC’s recommendations parallel its recently proposed rules designed to clarify the responsibilities under COPPA when third parties (such as advertising networks or downloadable “plug-ins”) collect personal information from users on child-directed websites. Mobile app developers are encouraged to contact the FTC or review the Bureau of Consumer Protection’s business resources when developing their privacy policies.

Obama Administration Pursues Mobile Privacy Code of Conduct

By J. Bradford Currier and Marc Martin

The National Telecommunications and Information Administration (“NTIA”) will hold its first meeting on July 12, 2012 aimed at developing voluntary codes of conduct designed to provide consumers with clear information regarding how personal data is handled by companies which develop and offer applications for mobile devices. The NTIA’s planned meetings with stakeholders were first announced in February 2012 as part of the White House’s proposed Consumer Privacy Bill of Rights. The NTIA meeting comes as both the Federal Trade Commission and Federal Communications Commission have recently taken action to improve consumer transparency and privacy safeguards for personal information collected by mobile apps.

A number of stakeholders have already filed comments expressing their support for improving the clarity and comprehensiveness of privacy disclosures provided to mobile app consumers. However, a number of commenters noted that the rapid pace of innovation in the mobile app market and the relatively small screen sizes of current mobile devices will make long-term, definitive disclosure rules difficult to develop. While NTIA hopes to tackle a number of Internet policy topics, including copyright and cybersecurity issues, the organization chose mobile app privacy as the first meeting topic because it believes consensus on a code of conduct can be reached “in a reasonable timeframe.” NTIA expects the mobile app privacy meeting will serve as a useful precedent for later discussions involving other online consumer protection concerns.

The NTIA meeting is open to all interested stakeholders and a venue should be announced before the end of the month. Interested stakeholders are asked to inform NTIA online in advance if they plan to attend the meeting.

FCC Seeks Comment on Mobile Phone Privacy Protections

By J. Bradford Currier and Marc Martin

The Federal Communications Commission recently released a Public Notice seeking comment on, among other things, how mobile wireless service providers safeguard customer information stored on user devices. The Public Notice was accompanied by an FCC Staff Report, discussing the privacy issues presented by location-based mobile applications, which collect and transmit information about a user’s physical location to the service provider in order to provide real-time services. The Public Notice requests comment on the types of customer information collected by wireless service providers, the steps that should be taken by wireless service providers to secure such data, and the scope of wireless service providers’ obligations relative to the device manufacturer or software developer, as set forth below.

The Public Notice seeks to update the record developed in response to a 2007 Further Notice of Proposed Rulemaking concerning the obligations of wireless service providers under the Communications Act to protect their users’ customer proprietary network information (“CPNI”). The Public Notice invites input on whether current data security practices meet consumer needs and whether developments in the past five years pose new risks to protecting CPNI. The FCC also request comment on the importance of certain factors when assessing a wireless service provider’s compliance with the CPNI rules, including:

  • Whether the device is sold by the service provider;
  • Whether the device only works on a single service provider’s network;
  • The degree of control that the service provider exercises over the design, integration, installation, or use of the software that collects and stores information;
  • The service provider’s role in selecting, integrating, and updating the device’s operating system, preinstalled software, and security capabilities;
  • The manner in which the collected information is used;
  • Whether the information pertains to voice service, data service, or both; and
  • The role of third parties in collecting and storing data.

The Public Notice asks whether the FCC should adopt a declaratory ruling clarifying the application of these factors and the regulatory obligations of wireless service providers that collect sensitive consumer data. Comments will be due 30 days after publication of the Public Notice in the Federal Register, with reply comments due 45 days after Federal Register publication.

Mobile App Platforms Reach Voluntary Agreement with California State Attorney General

By Samuel R. Castic and J. Bradford Currier

Californians who download mobile applications on their smartphones, tablets and other mobile devices should soon have greater knowledge of how their personal information is collected and used under a non-binding Joint Statement of Principals recently reached between six mobile app platforms, such as Apple, Inc., and the California Office of the Attorney General. The California announcement comes just days after the Federal Trade Commission warned app developers to improve privacy disclosures for mobile apps directed at children and within hours of the White House’s announcement of a Consumer Privacy Bill of Rights to protect citizens online.

Although the agreement does not create any new legal obligations for app providers, the parties agreed to voluntarily abide by five privacy principles: 

(1) Any app that collects personal data from a user, regardless of age, “must conspicuously post a privacy policy or other statement describing the app’s privacy practices” that informs the user how the data will be used and shared. California law already requires websites and online services to post privacy policies when they collect personally identifiable information about users. Despite this obligation, the California Attorney General reported that only 5 percent of mobile apps currently offer a privacy policy, although other parties suggest that the figure is approximately 33 percent. The agreement makes clear that the California Attorney General views mobile applications as online services subject to this law. 

(2) The agreement modifies the app submission process to make it easier for app developers to include a link to, or the text of, the privacy policy governing the app. However, the agreement contains no commitment by app platforms to notify users when a privacy policy changes. 

(3) The app platforms will create reporting procedures for users to identify apps that do not comply with applicable terms of service or applicable law. 

(4) The app platforms agreed to implement a response process to handle reported violations of app privacy policies. 

(5) The parties agreed to work together to develop “best practices” for mobile privacy policies. 

While no timetable exists for implementation of the agreement, the parties agreed that they will reassess the state of app privacy policies in within six months.

FTC Warns Mobile App Developers About Privacy Practices

By Samuel Castic, J. Bradford Currier, and Lauren B. Pryor

In another example of its recent efforts to step up enforcement on a variety of privacy-related issues, the Federal Trade Commission released a staff report on privacy disclosures for mobile applications used by kids. The report follows a recent FTC enforcement action against a mobile app developer for children and a notice of proposed rulemaking to amend the Children’s Online Privacy Protection Act (“COPPA”). The staff report represents a “warning call” to the app industry to provide parents with easily accessible, basic information about the mobile apps that their children use.

Under COPPA, operators of mobile apps directed at children under the age of 13 must provide notice and obtain parental consent before collecting personal information from children. The report surveyed approximately 1,000 apps designed for children and reviewed the types of privacy disclosures currently available to parents and kids. The FTC found that users frequently received the privacy disclosures only after downloading the app, limiting parents’ ability to “pre-screen” apps for their children. Additionally, the FTC reported that app websites often failed to provide meaningful notice regarding the data collection features of the app such that parents were not informed as to whether the app collecteddata from their children, the type of data collected, the purpose for such collection, and what parties may access such data. The FTC found this lack of disclosure troubling, especially in light of current technologies that allow mobile apps to access a child’s information with the click of a button and to transmit it invisibly to a wide variety of entities. 

In light of these concerns, the report offered four key recommendations:

  • App developers should provide “simple and short” privacy disclosures that are easy to find and understand on a mobile device screen;
  • App developers should “alert parents if the app connects with any social media, or allows targeted advertising to occur through the app”;
  • Third parties obtaining user information through apps should make their privacy policies “easily accessible” through a link on the app promotion page or in the app developer’s disclosures; and
  • Companies that provide platforms for downloading mobile apps should take action to help better protect kids and inform parents (e.g., develop a uniform practice for developers to disclose data collection practices).

The FTC plans to conduct additional reviews over the next six months to determine whether to take enforcement action against app developers that violate COPPA. The FTC also plans to hold a workshop on mobile privacy issues later this year.

Mobile App Rating System Adopted by Wireless Industry

By Marc Martin and J. Bradford Currier

Many mobile applications will soon carry age-appropriateness ratings under a voluntary program recently announced by the mobile wireless trade association CTIA and the Entertainment Software Rating Board. The program will mirror the age-ratings currently issued by ESRB for video games and will range from apps appropriate for “early childhood” to “adults only” content. CTIA members AT&T, Microsoft, Sprint, T-Mobile USA, U.S. Cellular and Verizon Wireless will include the new ratings on the apps offered through their online storefronts, although actual deployment dates will vary by company. Apple and Google, which are not wireless carriers or members of CTIA, have not adopted the ESRB ratings systems. Apple and Google currently provide their own proprietary app ratings systems. 

Under the new program, app providers will enter information regarding the app’s content as part of the app storefront submission process known as onboarding. ESRB will consider whether the app includes violence, sexual content or profanity as well as whether the app allows the sharing of user-generated content or a user’s location and personal information. After receiving the information from the app provider, ESRB will automatically assign an age rating that will be displayed across the participating storefronts. App ratings will be continually monitored by ESRB and will be adjusted in response to consumer complaints. Unless the app developer resubmits an app to ESRB, the new system will not apply to apps already available on participating storefronts. App developers will also have the ability to appeal allegedly inaccurate ratings. Ratings may also change if the developer adds content that would alter the original app classification.

The announcement follows an increase in agency enforcement activities against mobile app developers and inquiries from lawmakers related to privacy protections for apps directed at children. Tech observers suggest that the app industry’s voluntary adoption of the ESRB rating system will allow developers to avoid a mandated system imposed by Congress. Proponents of the new system claim that the ratings will give parents better tools to monitor app content as more children and young adults access their entertainment on mobile devices. The ratings systems also received praise from lawmakers and Internet watchdog groups as a sensible method of safeguarding children from inappropriate content in a rapidly expanding app marketplace.

FTC Settles First Privacy Case Involving a Mobile Application

By Samuel Castic

The FTC announced a consent decree and order on Monday settling the civil action that was commenced against W3 Innovations, LLC, and Justin Maples—the entity and person respectively behind the Broken Thumbs Apps brand—for alleged violations of the Children’s Online Privacy Protection Act (“COPPA”). Broken Thumbs Apps developed Apple Store Apps including Emily’s Girl World, Emily’s Dress Up, Emily’s Dress Up & Shop, and Emily’s Runway High Fashion, which were collectively reported to have more than 50,000 downloads. The FTC announcement indicated that this is the FTC’s first case involving mobile applications, or “apps.”

The FTC found that the apps at issue contained “subject matter, visual content, and language” that was directed at children under the age of 13, which directly implicated the COPPA requirements. The allegations in the complaint suggest that the FTC was most concerned with two aspects of the apps’ operation. First, the FTC took issue with the apps’ invitation for users to “e-mail Emily,” the fictional namesake of the apps, and the developer’s subsequent collection and maintenance of e-mail addresses from individuals who were likely to be children, even though those e-mail addresses were not publicly displayed. Second, the FTC called out the blog feature of several of the apps, which permitted users to submit comments (which could include personal information), and required users to provide a name when submitting a comment.  The app developer was thus alleged to collect personal information from children under the age of 13, but it did not comply with the COPPA by: (i) providing required notices, including parental notices, about how such information was collected or used; or (ii) obtaining verifiable parental consent before collecting, using, or disclosing personal information about children.

In settling the action, the developers agreed to, among other things: (i) a civil penalty of $50,000; (ii) an obligation to promptly respond to FTC compliance monitoring inquiries and consenting to broad FTC investigatory powers; (iii) reporting obligations for three years on changes in the app developers’ address, employment status, name, or corporate structure and on the app developer’s practices and compliance with the COPPA; (v) detailed record keeping obligations for six years; (vi) a three year obligation to report the consent decree requirements to specified types of third party entities that the app developer deals with; and (vii) a mandatory requirement to delete all personal information that was collected without complying with the COPPA. The details of the consent decree provide a continuing set of compliance obligations, and failure to comply in any respect can subject the app developer to further penalties. 

This FTC settlement comes several months after a hearing on the COPPA was held by the U.S. Senate Committee on Commerce, Science, and Transportation. This past spring, the chairman of that committee, Senator Jay Rockefeller, made inquiries of companies like Apple and Google to ascertain what efforts they undertake to verify that app developers comply with the COPPA. Significantly, this consent decree may foreshadow continuing FTC interest in COPPA compliance for mobile application developers and content providers.