IAPP PRIVACY ACADEMY
KEEPING UP WITH EMERGING STANDARDS FOR MOBILE PRIVACY
Joanne McNabb, Director of Privacy Education & Policy, Office of the Attorney General, California Department of Justice
Julie Mayer, Staff Attorney, Northwest Regional Office, Federal Trade Commission
Tim Tobin, Partner, Hogan Lovells
October 2, 2013
OVERVIEW
- US Federal Legal Landscape
  - FTC Regulatory Framework and Enforcement
  - FTC Guidance
- California: Leading the States
  - California OPPA and Recent Amendment
  - Recommendations
- Self-Regulatory Initiatives for Apps (NTIA, DAA, NAI, FPF/CDT)
- International Treatment of Apps (EU)
- US Text Advertising
FTC REGULATORY FRAMEWORK AND ENFORCEMENT
FTC REGULATORY FRAMEWORK
- Section 5 of the FTC Act prohibits unfair or deceptive trade practices
- COPPA Rule governs online collection of personal information from children (including through apps)
- Fair Credit Reporting Act requires accuracy in credit reporting information and provides dispute rights for consumers
FTC MOBILE APP ENFORCEMENT: RULES OF THE ROAD
1. Tell the Truth
   - About your product: DermApps
   - About your data practices: Path
2. Secure Consumer Information: HTC
3. Comply with COPPA: W3 Innovations, dba Broken Thumbs
4. Make Sure Your Credit Reports Are Accurate and Used for Permissible Purposes: Filiquarian Publishing
FTC REPORTS
- February 2012: Kids Apps Report
- March 2012: Privacy Report
- December 2012: Kids Apps Report
- February 2013: Mobile Privacy Disclosures
- March 2013: .com Disclosures
- March 2013: Mobile Payments Report
MARCH 2012 PRIVACY REPORT
3 Main Principles: All Apply to Mobile Environment
- Principle #1: Adopt Privacy by Design
- Principle #2: Simplify Privacy Choices
  - Just-in-time disclosures
  - Do Not Track
- Principle #3: Improve Transparency
  - Standardize and enhance privacy disclosures to enable better comprehension and comparison of privacy practices
KIDS APP REPORTS
2012 Kids App Reports (2)
- Examined 400 apps
- Many apps shared information with third parties without disclosing this fact
- Found 58% of kids apps include ads, but only 9% tell you so
KIDS APPS STATISTICS
MOBILE PRIVACY DISCLOSURES
February 2013 Staff Report
- Outgrowth of the Commission's prior work on mobile privacy and of workshop discussions and comments
- Recommended Best Practices for:
  - Platforms
  - App Developers
  - Ad Networks and other Third Parties
  - App Developer Trade Associations
MOBILE PAYMENTS
FTC has broad jurisdiction over many of the participants in the mobile payment ecosystem, including:
- Hardware manufacturers, OS developers, data brokers, coupon and loyalty programs, payment card networks, advertising companies, retailers, and merchants
- Mobile operators engaging in payment functions such as mobile carrier billing
MOBILE PAYMENTS
Use of mobile payments raises significant privacy concerns due to:
- High number of companies involved
- Large amount of data being collected
- Ability to consolidate personal and purchase data in new ways versus a traditional credit or debit card purchase
FTC MOBILE GUIDANCE
- Mobile App Developers: Start with Security (February 2013)
  - Rush to market introduces flaws
  - Security by Design
- Marketing Your Mobile App: Getting it Right (September 2012)
  - Be truthful
  - Be transparent
Sound familiar?
MOBILE PRIVACY IN CALIFORNIA
CalOPPA
California Online Privacy Protection Act
- Operators of commercial websites/online services collecting PII on CA residents shall make a privacy policy conspicuously available
- PII broadly defined (any identifier that permits contacting the individual)
- Must comply with the privacy policy
- AB 370: Disclose response to DNT signals
IT TAKES A VILLAGE OR AN ECOSYSTEM to protect privacy in the mobile sphere
RECOMMENDATIONS FOR APP PLATFORMS/STORES
PLATFORMS FOR PRIVACY
- Make app privacy policy accessible in the store.
- Provide means for users to report noncompliant apps.
- Implement process for responding to such reports.
- Help educate consumers on mobile privacy.
RECOMMENDATIONS FOR APP DEVELOPERS
SURPRISE MINIMIZATION
ENHANCED NOTICE
- Alert users with enhanced measures
  - For collection of PII not related to the app's basic functionality
  - For collection of sensitive information
- Two approaches recommended
  - Short privacy statement + privacy settings
  - Just-in-time special notices
BASIC PRIVACY PRACTICES
- Avoid or limit collecting PII not required for the app's functionality.
- Avoid or limit collecting sensitive information.
- Use app-specific, non-persistent device IDs.
MOBILE APP SELF-REGULATORY GUIDELINES
NTIA CODE OF CONDUCT
App Developers
- Focus on short notice
  - Collection of data types (biometric, location, browser history, user files)
NTIA CODE OF CONDUCT
App Developers
- Focus on short notice
  - Sharing of user data with third parties (ad networks, carriers, government entities)
NTIA CODE OF CONDUCT
- Means of Accessing Long Form Privacy Policy
- Exceptions: (1) not identified or promptly de-identified data; (2) certain operational purposes; and (3) unauthorized/unknown data collection
OTHER GUIDELINES
- DAA: Application of OBA and Multi-Site Self-Regulatory Principles to Mobile Environment (July 2013)
  - Focuses on cross-app data
  - Transparency, consumer control, security, consent for material changes and added protections for sensitive information
- NAI Mobile Application Code (July 2013)
  - Applies only to third-party digital advertising companies
  - Focus on cross-app advertising and ad delivery and reporting
  - Transparency, user control, use limitations, transfer restrictions, data access, quality, security and retention, and accountability
- FPF/CDT Best Practices for Mobile App Developers
  - Transparency and Accessibility
  - Address changes
  - Use short form notice and enhanced notice
MOBILE APP PRIVACY ABROAD
ARTICLE 29 WORKING PARTY
Opinion on Mobile Apps (March 2013)
- Applies to all apps available to EU users regardless of where the app developer is located
- Cookie consent provisions of the 2002 ePrivacy Directive also apply to apps downloaded by EU users, i.e., users' consent must be obtained prior to installing or accessing any information stored on their devices
- Consumers should be free to say no to processing, and choices should be granular
- Cites to US guidance, including the FTC, for the just-in-time notice principle
WHATSAPP INVESTIGATION
Joint Dutch and Canadian DPA investigation of WhatsApp's data collection, use, storage, and sharing practices
FCC (TCPA), FTC AND TEXT MARKETING
TCPA AND TEXT MARKETING
- Most autodialed calls to wireless numbers require prior express consent
  - Text messages are calls
  - Commercial texts typically sent via autodialers
TCPA AND TEXT MARKETING
- Non-advertisement/telemarketing texts: Prior express consent (written or oral)
- Advertising/telemarketing texts
  - No primary purpose test (FCC; Chesbro v. Best Buy)
  - Oct. 16, 2013: Prior express written consent required
    - Signed, written agreement (E-SIGN) with the following clear and conspicuous disclosures:
      - By signing, the person authorizes autodialed telemarketing calls
      - Agreement is not a requirement for purchasing any property, goods or service
TEXT MARKETING
TCPA Ramifications
- Private Right of Action
  - Actual damages or $500 per violation (willful/knowing = $1,500)
  - Multiple multi-million dollar settlements
- FCC enforcement = $16,000 per violation
- FCC also has CAN-SPAM jurisdiction over MSCMs
- FTC has filed suits against multiple text spammers for various Section 5 violations
TEXT MARKETING INDUSTRY GUIDELINES
Mobile Marketing Association
- US Consumer Best Practices
- Mobile Advertising Guidelines
- Global Code of Conduct
Disclosure Examples (Subscription):
  Msg&Data Rates May Apply. Get 1 msg/week. Reply HELP for help. Reply STOP at any time to cancel. (Honor STOP, END, CANCEL, UNSUBSCRIBE or QUIT) T&Cs avail at [web URL for full Terms and Conditions; if possible, include an embedded link to the URL]
SUMMARY
SUMMARY
Apps:
- Know what the app does
- Be truthful and transparent (e.g., short form disclosures)
- Just-in-time choices for unexpected collection/sharing
- Address security
- Know your audience (EU residents; appeal to children under 13)
- Know your role (developer, app platform, ad network)
Text Messages:
- Always have prior express consent
- For advertising/telemarketing, have prior express written consent in conformity with FCC rules
- Honor opt-outs and include disclosure on rates, etc.
FTC RESOURCES
- FTC Business Center: business.ftc.gov
- COPPA FAQs: http://business.ftc.gov/documents/complying-with-COPPA-Frequently-Asked-Questions
- Mobile Privacy Disclosures: http://www.ftc.gov/opa/2013/02/mobileprivacy.shtm
- Protecting Consumer Privacy in an Era of Rapid Change: http://ftc.gov/os/2012/03/120326privacyreport.pdf
CALIFORNIA RESOURCES
- California Privacy Laws, Legislation, Business Guidance, Consumer Information: www.oag.ca.gov/privacy
- Privacy on the Go: www.oag.ca.gov/privacy/business-privacy
- Joint Statement of Principles (with app platform companies): www.oag.ca.gov/news/press-releases/attorneygeneral-kamala-d-harris-secures-globalagreement-strengthen-privacy
APP SELF-REGULATORY RESOURCES
- NTIA Code of Conduct: www.ntia.doc.gov/otherpublication/2013/privacy-multistakeholderprocess-mobile-application-transparency
- DAA Principles: http://www.aboutads.info/
- NAI Mobile Application Code: http://www.networkadvertising.org/mobile/nai_mobile_application_code.pdf
OTHER RESOURCES
- EU Art. 29 Opinion on Mobile Apps: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinionrecommendation/files/2013/wp202_en.pdf
- FCC TCPA and CAN-SPAM Rules: 47 CFR 64.1200; 47 CFR 64.3100; http://www.fcc.gov/guides/spam-unwantedtext-messages-and-email