The Federal Trade Commission, whose mission includes protecting consumers’ online privacy, has issued a staff report recommending ways that key players in the rapidly expanding mobile marketplace can better inform consumers about their data practices. The players include mobile platforms (such as Amazon.com Inc., Apple Inc., BlackBerry, Google Inc. and Microsoft Corp.), app developers (including retailers with mobile apps), advertising networks and analytics companies, and app developer trade associations. Most of the recommendations involve making sure that consumers get timely, easy-to-understand disclosures about what data the companies and developers collect and how they use the data.
“The mobile world is expanding and innovating at breathtaking speed, allowing consumers to do things that would have been hard to imagine only a few years ago,” says FTC chairman Jon Leibowitz. “These best practices will help to safeguard consumer privacy and build trust in the mobile marketplace, ensuring that the market can continue to thrive.”
The report states that mobile technology raises unique privacy concerns because consumers typically carry the devices with them at all times. This makes it possible to collect unprecedented amounts of data about individuals, the FTC says. In addition, since data collected from any mobile device may be shared among many entities, consumers may wonder where they should turn if they have questions about their privacy, the FTC adds.
Perhaps the biggest recommendation the FTC makes concerns tracking consumers on the mobile web and in apps. It says mobile platform providers should consider offering a “Do Not Track” mechanism for smartphone users. Such a mechanism would allow consumers to choose to prevent tracking by ad networks or other third parties as they navigate among apps on their phones, the FTC says.
Privacy advocates are all for giving consumers the ability to stop companies from tracking their mobile behavior. But it’s not as simple as flipping a switch. Alan Chapell, a mobile privacy consultant and a member of the Worldwide Web Consortium’s, or W3C’s, Tracking Protection Group, says that while he appreciates the FTC getting behind a Do Not Track option, the industry, through standards-setting bodies like the W3C, is not yet prepared to implement such an option.
“Going on two years of deliberation within the W3C Tracking Protection Group working group, we are not anywhere near a meaningful Do Not Track standard for the online space, let alone the mobile space. If all of the collective brainpower harnessed by the W3C over the past two years can’t figure out how to implement Do Not Track, with all due respect I don’t hold out hope that Congress will get it right,” Chapell says. “It’s not as if the W3C working group isn’t trying hard enough. If there’s one thing that everyone in the W3C tracking protection working group can agree on, it’s that Do Not Track implementation is really, really complex.”
Implementing Do Not Track gets complex because of questions that surround data collection, Chapell says.
“A few ad networks drop an opt-out cookie when they see a valid Do Not Track signal. However, the FTC has said the opt-out cookie approach is not enough, partly because the FTC wants Do Not Track to mean ‘do not collect,’” he says. “‘Do not collect’ doesn't work because some collection is essential, for example, for security and fraud purposes. Once you open the door for some collection, it begs the question, What types of collection are OK in a Do Not Track regime, and which are not? Is analytics use OK? Is it OK for first-party entities to use data for any reason? Should the rules be the same for first parties and third parties? Is product development use OK? Do any of these answers depend upon the way a browser describes Do Not Track functionality? This gets really complicated really quickly.”
The FTC runs the risk of creating confusion in the industry by implying there exists a Do Not Track standard for mobile developers and platform providers to adhere to, Chapell says.
“The mere presence of Do Not Track functionality in some mobile browsers is not the same thing as having a sane, thought-out rule set for what actually happens when the Do Not Track signal is switched on,” he says. “The reality is that there won’t be a Do Not Track standard to adhere to until the W3C comes up with a standard.”
But overall, the FTC’s staff report is an important document, Chapell says.
“Anything coming from the FTC is by definition important and should be read carefully,” he says. “Much of the report embraces trends that are already taking place, such as industry self-regulatory programs being developed and standard disclosures being developed by Apple and other mobile platforms. So in that sense, the report could be viewed as a tacit endorsement of the progress being made elsewhere in the mobile privacy space.”
In addition to getting behind a consumer opt-out for tracking, the FTC report suggests mobile platforms—such as Apple, Google, Amazon, Microsoft and BlackBerry—should provide disclosures to consumers immediately before data would begin to be collected and obtain consumers’ affirmative express consent before allowing apps to access sensitive content like the individual’s location, contacts, photos, calendar entries, or the recording of audio or video content.
The National Telecommunications and Information Agency, within the U.S. Department of Commerce, is developing a code of conduct on mobile app transparency. To the extent that strong privacy codes are developed, the FTC will view adherence to such codes favorably in connection with its law enforcement work.