Earlier this week, the U.S. Federal Trade Commission (FTC) introduced guidelines for businesses and mobile application (app) developers. The information is in a new guide titled, "Marketing Your Mobile App: Get It Right from the Start." The guide includes nine recommendations:
"1. Tell the truth about what your app can do. Once you start distributing your app, you become an advertiser... Whether it’s what you say on a website, in an app store, or within the app itself, you have to tell the truth. False or misleading claims, as well as the omission of certain important information, can tick off users and land you in legal hot water... If you make objective claims about your app, you need solid proof to back them up before you start selling. The law calls that “competent and reliable evidence.” If you say your app provides benefits related to health, safety, or performance, you may need competent and reliable scientific evidence."
Businesses that are unsure how to back up their claims with scientific evidence can visit the Business Center Blog for more information.
"2. Disclose key information clearly and conspicuously... your disclosures have to be “clear and conspicuous.” What does that mean? That they’re big enough and clear enough that users actually notice them and understand what they say."
"3. Build privacy considerations in from the start... privacy by design... Incorporating privacy protections into your practices, limiting the information you collect, securely storing what you hold on to, and safely disposing of what you no longer need... For any collection or sharing of information that’s not apparent, get users’ express agreement."
"4. Be transparent about your data practices... be clear to users about your practices. Explain what information your app collects from users or their devices and what you do with their data."
You'd think that following these guidelines was obvious, but researchers at M.I.T. recently documented abuses by mobile apps that tracked users' GPS locations and collected users' browser histories without notice or consent, sometimes even when the app was supposedly turned off.
"5. Offer choices that are easy to find and easy to use. Give your users tools that offer choices in how to use your app – like privacy settings, opt-outs, or other ways for users to control how their personal information is collected and shared... Make it easy for people to find the tools you offer, design them so they’re simple to use, and follow through by honoring the choices users have made."
"6. Honor your privacy promises... Chances are you make assurances to users about the security standards you apply or what you do with their personal information. At minimum, app developers — like all other marketers — have to live up to those promises. The FTC has taken action against dozens of companies that claimed to safeguard the privacy or security of users’ information, but didn’t live up to their promises... The FTC also has taken action against businesses that made broad statements about their privacy practices, but then failed to disclose the extent to which they collected or shared information with others – like advertisers or other app developers."
"7. Protect kids’ privacy. If your app is designed for children or if you know that you are collecting personal information from kids, you may have additional requirements under the Children’s Online Privacy Protection Act (COPPA) and the FTC’s COPPA Rule. Specifically, under COPPA, any operator whose app is directed to kids under age 13 or who has actual knowledge that a user is under 13 must clearly explain its information practices and get parental consent before collecting personal information from children. App operators also must keep personal information collected from children confidential and secure."
"8. Collect sensitive information only with consent... get users’ affirmative OK before you collect any sensitive data from them, like medical, financial, or precise geolocation information. It’s a mistake to assume they won’t mind."
"9. Keep user data secure. At minimum, you have to live up to the privacy promises you make. But what if you don’t say anything specific about what you do with users’ information? Under the law, you still have to take reasonable steps to keep sensitive data secure."
This is a good list, but in my view the above guidelines are the minimum app developers should do. Ways for businesses and app developers to do better than the FTC minimums:
- Choices for consumers should be opt-in not opt-out
- Consolidate and simplify whenever possible. There are too many privacy policies: mobile device manufacturers, device operating system developers, app stores, telecommunications providers, and the app developer
- Plain language privacy policies, not lawyer speak
- Consistent, easy access. Prior studies have documented sporadic and inconsistent access to privacy policies before app install, after app install, and while the app is running
- Give users an estimate of the app's daily or monthly data consumption, so users can make informed decisions and avoid data plan surprises and overage fees. Auto manufacturers publish mileage estimates. App developers can easily do the same (and should) for the data plan consumption of their apps
It is a sad state of affairs when the first guideline has to be, "tell the truth." What do you think mobile apps should do to protect consumers' privacy?