Mobile Apps for Kids: Current Privacy Disclosures are Dis app ointing
This session will lay out the key findings of the FTC’s staff report on kids apps, which recommends that players in the kids mobile app ecosystem provide better information to parents about apps’ data collection practices. We will also discuss the FTC’s recent privacy initiatives and their application to mobile channels.
Patricia Poss, Chief, BCP Mobile Technology Unit, Division of Financial Practices. Bureau of Consumer Protection - Federal Trade Commission
4. Section 5 of the Federal Trade Commission Act broadly
prohibits “unfair or deceptive acts or practices in or
affecting commerce.”
◦ Deception a material representation or omission that is
likely to mislead consumers acting reasonably under the
circumstances
◦ Unfairness practices that cause or are likely to cause
substantial injury to consumers that are not outweighed by
countervailing benefits to consumers or competition and are
not reasonably avoidable by consumers.
Flexible law that can be applied to many different
situations, entities, and technologies.
4
5. W3 Innovations
Frostwire
Google
Facebook
Mobile background screeners - warning
letters
5
6. Complex ecosystem
◦ Operating system providers
◦ Application developers
◦ Handset manufacturers
◦ Carriers
◦ Ad networks
◦ Service providers
6
7. Screen size
Communication channels: texting, mobile web
browser, mobile apps
“On the go” nature of use
Personal
Additional hardware capabilities – camera,
microphone, gyroscope, compass, etc.
GPS & location features
Easy sharing of user information
Rapidly evolving technology
7
8. Who collects what information?
How is it used?
With whom is it shared?
Are consumers being adequately
informed?
Do they have a choice?
8
9. Issued Final Report, March 2012.
Applies to Mobile environment.
Key elements: Privacy by Design,
Simplified Choice, and Greater
Transparency.
9
10. Collection and use of data is ubiquitous and
often invisible.
Consumers lack an understanding of the
nature and extent of this collection.
Many consumers are concerned.
Collection and use has led to significant
benefits.
Traditional distinctions between personally
identifiable and anonymous data are
blurred.
10
11. Make privacy the “default” setting for
commercial data practices.
Give consumers greater control through
simplified choices and increased
transparency.
Implementing will enhance trust and
stimulate commerce.
11
12. Intended to articulate best practices for
companies.
Intended to assist Congress as it considers
privacy legislation.
Not intended to serve as a template for law
enforcement action or regulations.
12
13. “Bake-in” privacy -- Companies should
promote consumer privacy throughout their
organizations.
Companies should incorporate substantial
privacy protections into their practices, such
as data security, reasonable collection limits,
sound retention and disposal, and data
accuracy.
13
14. Limit collection to data they need for a
requested service or transaction.
◦ Ex. Wallpaper app doesn’t need location.
◦ Location data collection heightens need for
reasonable policies for purging data.
◦ Minimize the risk that information could be used in
harmful or unexpected ways.
Calls on mobile entities to establish
standards that address data collection,
transfer, use and disposal, particularly for
location data.
14
15. If data is shared with third parties, work to
provide more prominent notice and choices
about such practices.
Not all companies have adequately disclosed
the frequency or extent of the collection,
transfer, and use of data.
15
16. Provide easy-to-use choice mechanisms that allow consumers to
control whether their data is collected and how it is used.
Companies do not need to provide choice for practices that are
consistent with the context.
◦ Fraud preventions, internal operations, fulfillment, legal compliances and
public purpose, and first-party marketing.
For practices requiring choice, companies should offer the choice
at a time and in a context in which the consumer is making a
decision about his or her data.
Companies should obtain affirmative express consent before:
◦ 1) using consumer data in a materially different manner than claimed or
◦ 2) collecting sensitive data.
16
17. Increase the transparency of data practices.
Privacy notices should be clearer, shorter, and more
standardized to enable comprehension and
comparison.
Calls on mobile participants to develop short
meaningful disclosures.
◦ Urges companies providing mobile services to develop
standard notices, icons, and other means to communicate
with consumers in a consistent and clear way.
◦ Dot Com Disclosure Workshop – May 30, 2012.
17
19. Reviewed kids apps in Apple’s iTunes App Store
and Google’s Market.
Looked for disclosures available in the app stores
or on developers’ websites.
Very little information disclosed prior to download.
Recommendation – app stores, developers and
other ecosystem participants need to improve
disclosures regarding data practices.
19