The Federal Trade Commission (FTC) released a report this morning with their "recommendations" on protecting mobile users' privacy and providing greater transparency in mobile data privacy and security practices -- including survey, opinion and marketing research.
The FTC staff report, "Mobile Privacy Disclosures: Building Trust Through Transparency," comes amid slow and steady progress in the White House's multistakeholder process for mobile apps privacy (run by the National Telecommunications and Information Administration (NTIA) and in which MRA participates), as well as a similar mobile privacy report put out by the California Attorney General's office in January.
Legislation in Congress is also in play: Congressman Hank Johnson's draft "APPS Act" would demand notice and opt out in mobile apps; and the "Location Privacy Protection Act" from Senator Al Franken would restrict the collection and use of geolocation data in the mobile space.
So what is the FTC recommending -- and what will it mean for the research profession?
The FTC's "recommendations"
The report recommends that mobile "Platforms, or operating system providers":
- Provide just-in-time disclosures to consumers and obtain their affirmative express consent before allowing apps to access sensitive content like geolocation;
- Consider providing just-in-time disclosures and obtaining affirmative express consent for other content that consumers might consider sensitive;
- Consider developing a one-stop "dashboard" approach to allow consumers to review the types of content accessed by the apps they have downloaded;
- Consider developing icons to depict the transmission of user data;
- Promote app developer best practices, such as requiring app developers to make privacy disclosures (and enforcing those requirements);
- Consider providing consumers with clear disclosures about the extent to which platforms review apps prior to making them available for download in the app stores and conduct compliance checks after the apps have been placed in the app stores; and
- Consider offering a Do Not Track (DNT) mechanism for mobile users that would allow consumers to choose to prevent tracking by ad networks or other third parties as they navigate among apps on their phones.
App developers are recommended to:
- Provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information (to the extent the platforms have not already provided such disclosures and obtained such consent);
- Improve coordination and communication with ad networks and other third parties that provide services for apps, such as analytics companies, so the app developers can better understand the software they are using and, in turn, provide accurate disclosures to consumers;
- Consider participating in self-regulatory programs, trade associations, and industry organizations.
Advertising networks and other third parties should:
- Communicate with app developers so that developers can provide truthful disclosures to consumers; and
- Work with platforms to ensure effective implementation of a mobile DNT solution.
App developer trade associations are told to work with "academics, usability experts and privacy researchers" to:
- Develop short form disclosures for app developers;
- Promote standardized app developer privacy policies that will enable consumers to compare data practices across apps;
- Educate app developers on privacy issues.
Additional FTC actions today
In addition to the staff report on mobile privacy, the FTC released a guide to data security for mobile app developers, asking them "to aim for reasonable data security" and "evaluate the app ecosystem before development." The agency also announced a settlement of an enforcement action against the Path social networking app for COPPA and other privacy violations.
And, FTC Chairman Jon Leibowitz announced his long-expected resignation, effective February 15. He has chaired the agency since 2009, and been a sitting Commissioner since 2004.
What the FTC mobile privacy report means for the research profession
According to the FTC report, "To the extent the guidance goes beyond existing legal requirements, it is not intended to serve as a template for law enforcement actions or regulations under laws currently enforced by the FTC." The report calls back to last year's FTC workshop on this subject, at which industry groups like the Association for Competitive Technology (ACT), which represents mobile app developers, said that, "developers want to continue to innovate but need clear guidance in order to do so," and the Retail Industry Leaders Association commented that, "Businesses need clear rules regarding privacy disclosures."
Unfortunately, "recommendations" from the FTC in many cases can be as enforceable as specific regulatory rules, given the agency's broad enforcement powers against unfair or deceptive practices under Section 5 of the FTC Act. Survey, opinion and marketing research companies need to be especially wary, given the FTC's recent enforcement action against research company Compete.
That is why MRA is concerned by this report. While much of it is in line with what the NTIA multistakeholder process is working towards, MRA feels that privacy enforcement agencies, like the FTC and the California Attorney General's office, should step back and allow the process to work. Moving regulations or legislation impacting mobile apps privacy before the multistakeholder process can coalesce around a workable code of conduct for mobile apps privacy and create workable transparency measures that could be implemented across the mobile space and that consumers might actually understand and find useful could easily derail the process and scuttle a key pillar of the White House's Consumer Privacy Bill of Rights initiative. Just yesterday, at the multistakeholder meeting, the stakeholders were laying out plans for usability testing, to see what kinds and manner of disclosures would work well for real consumers. MRA does not think the FTC wants to short-circuit such advances in practical understanding, so we hope they try not to do so.
Aside from process implications, there are also specifics within the report that could be troublesome. For instance, while MRA's Government Affairs staff recommend that researchers get opt in before collecting geolocation data, we do not want to see innovation in mobile marketing research strangled by regulatory or legislative accident (such as we fear could happen under the Location Privacy Protection Act). Similarly, "affirmative express consent" for "sensitive" data is a good idea, when it is feasible and workable, but consumers, academics, legislators and regulators can't agree on what makes data "sensitive" at this point -- a debate that continues, along with issues of de-identification and personal identifiability.
The FTC report's demand for a mobile Do Not Track solution makes sense in context, since the FTC continues to hold a sword of Damocles over the ongoing World Wide Web Consortium (W3C) effort to come up with an online Do Not Track standard, with the threat that it may eventually write its own standard if the consortium fails to produce one the FTC can stomach within a reasonable amount of time. However, MRA and other research associations are already scrambling to ensure that the W3C process protects online behavioral marketing research. MRA feels that the FTC should give the W3C more time to do its work, which may result in a standard that works in the mobile space as well.
The FTC acknowledges that there are both benefits and risks in mobile technologies and the massive explosion in their use by consumers and businesses. MRA will continue to advocate for the research profession's interests in mobile privacy with the FTC, and other regulators and legislators, as well as within the NTIA multistakeholder process, to ensure that potential risks do not drown out the potential benefits.