New FTC proposals may force mobile players to rethink how they've been doing business.
Mobile industry players may have to adjust the way they do business in the wake of a new report from the Federal Trade Commission. The report recommends ways that key mobile marketplace players—including mobile platforms, app developers, advertising networks and analytics companies, and app developer trade associations—can better inform consumers about their data practices.
Mobile technology raises unique privacy concerns, the report says, because consumers typically carry the devices with them at all times, which makes it possible to collect unprecedented amounts of data about individuals. And since data collected from any mobile device may be shared among many entities, consumers may wonder where they should turn if they have questions about their privacy, the FTC adds.
To safeguard consumer privacy, the FTC says mobile platform providers should consider offering a "Do Not Track" mechanism for smartphone users. Such a mechanism would allow consumers to choose to prevent tracking by ad networks or other third parties as they navigate sites and apps on their phones.
While privacy advocates are all for giving consumers the ability to stop companies from tracking their mobile behavior, putting that into practice isn't simple. Alan Chapell, a mobile privacy consultant and a member of the Worldwide Web Consortium's, or W3C's, Tracking Protection Group, says that while he appreciates the FTC getting behind a Do Not Track option, the industry, through standards-setting bodies like the W3C, is not yet prepared to implement such an option.
"We are not anywhere near a meaningful Do Not Track standard for the online space, let alone the mobile space," he says. Implementing Do Not Track gets complex because of questions that surround data collection, Chapell says. For instance, although a few ad networks drop an opt-out cookie when they see a valid Do Not Track signal the FTC has said the opt-out cookie approach is not enough because it wants Do Not Track to mean "do not collect," he says. And a "do not collect" policy doesn't work because some collection is essential, for example, for security and fraud prevention purposes.
"Once you open the door for some collection, it begs the question, What types of collection are OK in a Do Not Track regime, and which are not? Is analytics use OK? Is it OK for first-party entities to use data for any reason? Should the rules be the same for first parties and third parties? Is product development use OK? Do any of these answers depend upon the way a browser describes Do Not Track functionality? This gets really complicated really quickly," Chapell says.
In addition to getting behind a consumer opt-out for tracking, the FTC report suggests mobile platforms should provide disclosures to consumers immediately before data would begin to be collected and obtain consumers' affirmative express consent before allowing apps to access sensitive content like the individual's location.