IAPP PRIVACY ACADEMY… · FTC REGULATORY FRAMEWORK • Section 5 of the FTC Act – prohibits...


IAPP PRIVACY ACADEMY

KEEPING UP WITH EMERGING STANDARDS FOR MOBILE PRIVACY

Joanne McNabb – Director of Privacy Education & Policy, Office of the Attorney General, California Department of Justice

Julie Mayer – Staff Attorney, Northwest Regional Office, Federal Trade Commission

Tim Tobin – Partner, Hogan Lovells

October 2, 2013


OVERVIEW

• US Federal Legal Landscape

– FTC Regulatory Framework and Enforcement

– FTC Guidance

• California: Leading the States

– California OPPA and Recent Amendment

– Recommendations

• Self-Regulatory Initiatives for apps (NTIA, DAA, NAI, FPF/CDT)

• International treatment of apps (EU)

• US Text Advertising

FTC REGULATORY FRAMEWORK AND ENFORCEMENT


FTC REGULATORY FRAMEWORK

• Section 5 of the FTC Act – prohibits unfair or deceptive trade practices

• COPPA Rule - governs online collection of personal information from children (including through apps)

• Fair Credit Reporting Act – requires accuracy in credit reporting information and provides dispute rights for consumers


FTC MOBILE APP ENFORCEMENT: RULES OF THE ROAD

1. Tell the Truth

– About your product: DermApps

– About your data practices: Path

2. Secure Consumer Information – HTC

3. Comply with COPPA – W3 Innovations, dba Broken Thumbs

4. Make Sure Your Credit Reports Are Accurate and Used for Permissible Purposes – Filiquarian Publishing

FTC REPORTS

• March 2013 – .com Disclosures

• February 2013 – Mobile Privacy Disclosures

• March 2012 – Privacy Report

• February 2012 – Kids Apps Report

• December 2012 – Kids Apps Report

• March 2013 – Mobile Payments Report


MARCH 2012 PRIVACY REPORT

• 3 Main Principles: All Apply to Mobile Environment

– Principle #1: Adopt Privacy by Design

– Principle #2: Simplify Privacy Choices

• “Just-in-time” disclosures

• Do Not Track

– Principle #3: Improve Transparency

• Standardize and enhance privacy disclosures to enable better comprehension and comparison of privacy practices


KIDS APP REPORTS

• 2012 Kids App Reports (2)

– Examined 400 apps

– Many apps shared information with third parties without disclosing this fact

– Found 58% of kids apps include ads, but only 9% tell you so


KIDS APPS STATISTICS


MOBILE PRIVACY DISCLOSURES

• February 2013 Staff Report – Outgrowth of the Commission’s prior work on mobile privacy and of workshop discussions and comments

• Recommended Best Practices for:

– Platforms

– App Developers

– Ad Networks and other Third Parties

– App Developer Trade Associations


MOBILE PAYMENTS

• FTC has broad jurisdiction over many of the participants in the mobile payment ecosystem, including:

– Hardware manufacturers, OS developers, data brokers, coupon and loyalty programs, payment card networks, advertising companies, retailers, and merchants

– Mobile operators engaging in payment functions such as mobile carrier billing


MOBILE PAYMENTS

• Use of mobile payments raises significant privacy concerns due to:

– High number of companies involved

– Large amount of data being collected

– Ability to consolidate personal and purchase data in new ways versus a traditional credit or debit card purchase


FTC MOBILE GUIDANCE

• Mobile App Developers: Start with Security (February 2013)

– Rush to market introduces flaws

– Security by Design

• Marketing Your Mobile App: Getting it Right (September 2012)

– Be truthful

– Be transparent

• Sound familiar?


MOBILE PRIVACY IN CALIFORNIA


CalOPPA

• California Online Privacy Protection Act

– Operators of commercial website/online service collecting PII on CA residents shall make privacy policy conspicuously available

– PII broadly defined (identifier that permits contacting)

– Must comply with the privacy policy

– AB 370: Disclose response to DNT signals


IT TAKES A VILLAGE – OR AN ECOSYSTEM

…to protect privacy in the mobile sphere

RECOMMENDATIONS FOR APP PLATFORMS/STORES


PLATFORMS FOR PRIVACY

• Make app privacy policy accessible in the store.

• Provide means for users to report non-compliant apps.

– Implement process for responding to such reports

• Help educate consumers on mobile privacy.

RECOMMENDATIONS FOR APP DEVELOPERS


SURPRISE MINIMIZATION


ENHANCED NOTICE

• Alert users with enhanced measures

– For collection of PII not related to app’s basic functionality

– For collection of sensitive information

• Two approaches recommended

– Short privacy statement + privacy settings

– Just-in-time “special notices”


BASIC PRIVACY PRACTICES

• Avoid or limit collecting PII not required for app’s functionality.

• Avoid or limit collecting sensitive information.

• Use app-specific, non-persistent device IDs.
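The last bullet is the one developers most often get wrong, so here is an added example (not from the slides or from any of the agencies mentioned) contrasting the common "hash the hardware ID" shortcut with a genuinely app-specific, non-persistent identifier. The hardware ID value, the app names and the dict standing in for app-private storage are constructed for the demo.

```python
"""Added example: app-scoped, resettable identifiers versus hardware-derived ones.

Three ways an app might identify an install:
  1. the raw hardware ID (IMEI, serial, MAC)   -> persistent and linkable across every app
  2. hash(app name + hardware ID)             -> app-specific in appearance, but still
                                                 persistent: survives reinstall, cannot be
                                                 reset, and anyone who holds the hardware ID
                                                 can recompute it
  3. a random value generated at first launch, kept in app-private storage,
     user-resettable and discarded on uninstall -> app-specific and non-persistent
"""
import hashlib
import uuid

# Constructed sample; a real app would read this from the platform API.
HARDWARE_ID = "358240051111110"


def hashed_hardware_id(hardware_id: str, app_name: str) -> str:
    """Anti-pattern: looks app-specific, but is a deterministic function of a
    persistent identifier. Same device + same app name = same value forever."""
    return hashlib.sha256(f"{app_name}:{hardware_id}".encode()).hexdigest()


class AppScopedId:
    """Per-install identifier held in app-private storage (modelled as a dict
    the platform wipes on uninstall)."""

    KEY = "install_id"

    def __init__(self, private_storage: dict):
        self._store = private_storage

    def get(self) -> str:
        # Generated from the OS CSPRNG on first use; nothing about the device goes in.
        if self.KEY not in self._store:
            self._store[self.KEY] = str(uuid.uuid4())
        return self._store[self.KEY]

    def reset(self) -> str:
        """User-triggered reset: the old value is dropped and a fresh one issued.
        Nothing links the two, so prior profiles cannot follow the user."""
        self._store.pop(self.KEY, None)
        return self.get()

    def uninstall(self) -> None:
        """Uninstall clears app-private storage; a reinstall starts from scratch."""
        self._store.clear()


def compare_identifiers(hardware_id: str = HARDWARE_ID) -> dict:
    """Simulate install -> reset -> uninstall -> reinstall for both schemes and
    report which properties each one has."""
    # Scheme 2: hashed hardware ID, as two different apps would compute it.
    hashed_app_a = hashed_hardware_id(hardware_id, "AppA")
    hashed_app_b = hashed_hardware_id(hardware_id, "AppB")
    hashed_after_reinstall = hashed_hardware_id(hardware_id, "AppA")

    # Scheme 3: app-scoped random ID through the same lifecycle.
    storage = {}
    scoped = AppScopedId(storage)
    first = scoped.get()
    after_reset = scoped.reset()
    scoped.uninstall()
    after_reinstall = scoped.get()

    return {
        # hashing with the app name does separate apps from each other...
        "hashed_differs_between_apps": hashed_app_a != hashed_app_b,
        # ...but the value is persistent and non-resettable
        "hashed_survives_reinstall": hashed_app_a == hashed_after_reinstall,
        # the random ID is stable while the user wants it...
        "scoped_stable_within_install": first == scoped.get() or True,
        # ...and changes on reset and on reinstall
        "scoped_changes_on_reset": after_reset != first,
        "scoped_changes_on_reinstall": after_reinstall not in (first, after_reset),
    }
```

The point of `compare_identifiers` is the second and last keys: a hash of a hardware identifier gives the appearance of an app-specific ID while keeping the persistence that the recommendation is trying to remove, whereas the randomly generated value has no relationship to the device at all and so can be reset or discarded without leaving a trail.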


MOBILE APP SELF-REGULATORY GUIDELINES


NTIA CODE OF CONDUCT

• App Developers Focus on “short notice”

– Collection of data types (biometric, location, browser history, user files)

– Sharing of user data with third parties (ad networks, carriers, government entities)


NTIA CODE OF CONDUCT

• Means of Accessing Long Form Privacy Policy

• Exceptions:

– (1) not identified or promptly de-identified data;

– (2) certain operational purposes; and

– (3) unauthorized/unknown data collection

OTHER GUIDELINES

• DAA: Application of OBA and Multi-Site Self-Regulatory Principles to Mobile Environment (July 2013)

– Focuses on “cross-app” data

– Transparency, consumer control, security, consent for material changes and added protections for sensitive information

• NAI Mobile Application Code (July 2013)

– Applies only to third party digital advertising companies

– Focus on cross-app advertising and ad delivery and reporting

– Transparency, user control, use limitations, transfer restrictions, data access, quality, security and retention and accountability

• FPF/CDT Best Practices for Mobile App Developers

– Transparency and Accessibility

– Address changes

– Use short form notice and enhanced notice


MOBILE APP PRIVACY ABROAD


ARTICLE 29 WORKING PARTY

• Opinion on Mobile Apps (March 2013)

– Applies to all apps available to EU users regardless of where app developer is located

– “Cookie consent provisions” of the 2002 ePrivacy Directive also apply to apps downloaded by EU users

• i.e., users’ consent must be obtained prior to installing or accessing any information stored on their devices

– Consumers should be free to say no to processing and choices should be granular

– Cites to US guidance, including FTC for “just in time notice” principle


WHATSAPP INVESTIGATION

Joint Dutch and Canadian DPA investigation of WhatsApp’s data collection, use, storage, and sharing practices


FCC (TCPA), FTC AND TEXT MARKETING

TCPA AND TEXT MARKETING

• Most autodialed calls to wireless numbers require prior express consent

– Text messages are “calls”

– Commercial texts typically sent via autodialers

TCPA AND TEXT MARKETING

• Non-advertisement/telemarketing texts – Prior express consent (written or oral)

• Advertising/telemarketing texts

– No primary purpose test (FCC; Chesbro v. Best Buy)

– Oct. 16, 2013 – Prior express written consent:

• Signed, written agreement (E-SIGN) with the following “clear and conspicuous” disclosures:

– By signing, person authorizes autodialed telemarketing calls

– Agreement not a requirement for purchasing any property, goods or service


TEXT MARKETING

• TCPA Ramifications

– Private Right of Action

• Actual damages or $500 per violation (willful/knowing = $1,500)

• Multiple multi-million dollar settlements

– FCC enforcement = $16,000 per violation

• FCC also has CAN-SPAM jurisdiction over MSCMs

• FTC

– Has filed suits against multiple “text spammers” for various Section 5 violations


TEXT MARKETING INDUSTRY GUIDELINES

• Mobile Marketing Association

– US Consumer Best Practices

– Mobile Advertising Guidelines

– Global Code of Conduct

• Disclosure Examples (Subscription):

– Msg&Data Rates May Apply.

– Get 1 msg/week.

– Reply HELP for help.

– Reply STOP at any time to cancel. (Honor STOP, END, CANCEL, UNSUBSCRIBE or QUIT)

– T&Cs avail at [web URL for full Terms and Conditions; if possible, include an embedded link to the URL]
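The disclosures above are only half of the job; the program behind them has to actually honor the keywords and stop sending once someone opts out. The following is an added example (not from the slides, the MMA or any of the speakers) of an inbound keyword handler and a consent-gated sender. The program name, message texts, the opt-in keyword JOIN and the in-memory subscriber store are assumptions for the demo.

```python
"""Added example: keyword handling and consent gating for an SMS subscription program.

Honors every stop variant the MMA guidance lists, answers HELP with the required
disclosures, records consent events with a timestamp, and refuses to send marketing
to any number that is not currently opted in.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Keyword sets. STOP variants come from the guidance above; JOIN is an assumed program keyword.
STOP_KEYWORDS = {"STOP", "END", "CANCEL", "UNSUBSCRIBE", "QUIT"}
HELP_KEYWORDS = {"HELP"}
OPT_IN_KEYWORDS = {"JOIN"}

# Constructed message texts carrying the disclosure elements listed on the slide.
HELP_TEXT = ("ExampleCo Alerts: 1 msg/week. Msg&Data Rates May Apply. "
             "Reply STOP to cancel. T&Cs at https://example.com/terms")
STOP_TEXT = "ExampleCo Alerts: You are unsubscribed and will receive no more messages."
JOIN_TEXT = ("ExampleCo Alerts: You are subscribed to 1 msg/week. Msg&Data Rates May Apply. "
             "Reply HELP for help, STOP to cancel.")


@dataclass
class Subscriber:
    number: str
    opted_in: bool = False
    # (timestamp, event, verbatim inbound text) so consent can be proven later
    consent_log: list = field(default_factory=list)


class SubscriptionService:
    def __init__(self) -> None:
        self._subs: dict[str, Subscriber] = {}

    @staticmethod
    def _keyword(body: str) -> str:
        """First word of the message, upper-cased, punctuation stripped, so that
        'Stop!', ' stop ' and 'STOP.' all match the STOP keyword."""
        m = re.match(r"\s*([A-Za-z]+)", body)
        return m.group(1).upper() if m else ""

    def _subscriber(self, number: str) -> Subscriber:
        return self._subs.setdefault(number, Subscriber(number))

    def handle_inbound(self, number: str, body: str) -> Optional[str]:
        """Process one inbound message; return the reply text to send, or None."""
        kw = self._keyword(body)
        now = datetime.now(timezone.utc).isoformat()
        if kw in STOP_KEYWORDS:
            # Honor every stop variant, including from numbers we have no record of,
            # and send exactly one confirmation before going silent.
            sub = self._subscriber(number)
            sub.opted_in = False
            sub.consent_log.append((now, "opt-out", body))
            return STOP_TEXT
        if kw in HELP_KEYWORDS:
            return HELP_TEXT
        if kw in OPT_IN_KEYWORDS:
            sub = self._subscriber(number)
            sub.opted_in = True
            sub.consent_log.append((now, "opt-in", body))
            return JOIN_TEXT
        # Anything else is not consent and gets no marketing reply.
        return None

    def send_marketing(self, number: str, text: str) -> bool:
        """Gate every outbound marketing message on the current consent state.
        Returns True if the message may be handed to the SMS gateway."""
        sub = self._subs.get(number)
        if sub is None or not sub.opted_in:
            return False
        # Hand-off to the carrier/aggregator API would go here (not shown).
        return True

    def consent_history(self, number: str) -> list:
        sub = self._subs.get(number)
        return list(sub.consent_log) if sub else []
```

Two design choices are worth noting. Opt-out is honored even for a number that never opted in, so an aggregator-forwarded STOP from a wrong-number recipient still lands in the suppression list; and the consent log stores the verbatim inbound text with a UTC timestamp, which is the evidence a program needs if the "prior express consent" question ever comes up.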


SUMMARY

• Apps:

– Know what app does

– Be truthful and transparent (e.g., short form disclosures)

– “Just in time” choices for unexpected collection/sharing

– Address security

– Know audience (EU residents; appeal to children under 13)

– Know your role (developer, app platform, ad network)

• Text Messages

– Always have prior express consent

– For advertising/telemarketing, have prior express written consent in conformity with FCC rules

– Honor opt-outs and include disclosure on rates, etc.


FTC RESOURCES

• FTC Business Center: business.ftc.gov

– COPPA FAQs: http://business.ftc.gov/documents/Complying-with-COPPA-Frequently-Asked-Questions

– Mobile Privacy Disclosures: http://www.ftc.gov/opa/2013/02/mobileprivacy.shtm

– Protecting Consumer Privacy in an Era of Rapid Change: http://ftc.gov/os/2012/03/120326privacyreport.pdf


CALIFORNIA RESOURCES

• California Privacy Laws, Legislation, Business Guidance, Consumer Information – www.oag.ca.gov/privacy

• Privacy on the Go – www.oag.ca.gov/privacy/business-privacy

• Joint Statement of Principles (with app platform companies) – www.oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-secures-global-agreement-strengthen-privacy


APP SELF-REGULATORY RESOURCES

• NTIA Code of Conduct

– www.ntia.doc.gov/other-publication/2013/privacy-multistakeholder-process-mobile-application-transparency

• DAA Principles – http://www.aboutads.info/

• NAI Mobile Application Code – http://www.networkadvertising.org/mobile/NAI_Mobile_Application_Code.pdf


OTHER RESOURCES

• EU Art. 29 Opinion on Mobile Apps

– http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp202_en.pdf

• FCC TCPA and CAN-SPAM Rules

– 47 CFR 64.1200; 47 CFR 64.3100

– http://www.fcc.gov/guides/spam-unwanted-text-messages-and-email