What Privacy Law Applies to Apps?*

8/6/2019

There is no across-the-board privacy law in the United States, and there is no United States privacy law specifically applicable to Apps. Nevertheless, persons or entities that collect, use, share and/or retain personal information, including App Developers, are subject to various privacy laws at the federal and state level, including those that apply based on the nature of the data involved, such as financial, health or children's data.[i]

    The information below summarizes the privacy laws App Developers should obey.

    Section 5 of the FTC Act: The Prohibition Against False or Deceptive Practices

Section 5 of the Federal Trade Commission (FTC) Act, 15 U.S.C. § 45(a), prohibits and makes unlawful "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce." The FTC enforces against companies that make privacy promises in privacy policies but fail to keep those promises. That is, the companies collect, use, share or retain personal information in a way that is inconsistent with the representations they made in their privacy policies.[ii] The FTC also has enforced against companies whose privacy policies do not adequately inform consumers about the company's actual practices.[iii] To the extent mobile Apps similarly contain privacy policies and consumer representations about personal information, the FTC is empowered to take similar enforcement action against App Developers.

    Laws Governing Specific Information

There is a range of federal laws governing the privacy of specific kinds of personal information.

The federal Health Insurance Portability and Accountability Act (HIPAA), governing health data collected by covered entities, the Gramm-Leach-Bliley (GLB) Act, covering financial data, and the Children's Online Privacy Protection Act (COPPA), covering data collected from children under 13, are examples of laws applicable to specific kinds of data. To the extent Apps are covered by such laws because of their functions and collection of data, these laws are App privacy laws.

    State Laws

In addition to law enacted at the federal level, states also have privacy and data security laws. Most states have so-called "mini-FTC Acts" under which they have authority similar to that of the FTC to take enforcement actions in response to unfair or deceptive trade practices. This could include tracking consumers without proper notice or when a promise has been made not to track consumer behavior.[iv] A number of state attorneys general have been vigilant in enforcing against entities collecting personal information from consumers.

Some states, such as California, have specific privacy laws covering particular kinds of data and data collection.[v] It would appear that many of these specific laws apply to Apps and the companies that operate them.

Forty-six states also have data security breach notification laws that require entities holding personal data to provide notices in the event of breaches of the security of that data. Those laws apply regardless of how the data may have been collected, meaning that data collected by Apps that is subject to a security breach will trigger notification obligations. Certain states have specific data security obligations as well.

    Private Litigation

    Private party litigation is not a significant source of legal rules applicable to App privacy.

As a general matter, plaintiffs' class action attorneys attempting to bring civil actions against companies alleged to have violated consumer privacy rights by improperly collecting, using, sharing or retaining personal information have been unsuccessful. The cases either have been settled by defendants for relatively modest amounts to avoid the cost of litigation and/or undue publicity, or are unsuccessful because of the absence of legally cognizable damages flowing from the alleged misuse of the personal data.[vi]

A number of privacy lawsuits concerning Apps and privacy are pending, but none have proceeded past the preliminary stage.

    Proposals for Improvements to Privacy and Their Impact on Legal Obligations

In December 2010, both the staff of the FTC and the US Department of Commerce (DOC) issued preliminary reports proposing significant improvements in the way businesses handle consumer information and changes in the controls consumers should have over their information. As these reports ripen into final versions, which are expected later in 2011, App Developers should take the contents into account as they implement privacy protections for mobile Apps.

The draft FTC Staff Report, entitled "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers"[vii] (FTC Report), makes clear that the agency's existing privacy framework, developed over forty years of FTC guidance and enforcement (e.g., Fair Information Practice Principles, notice-and-choice models), remains in place. The FTC Report, however, makes equally clear that improvements to the existing framework are necessary given technological advances in the collection, use, sharing, and retention of information about consumers by businesses, and signals the direction in which the FTC staff believes privacy protections should move in the future.[viii]

The new framework, which the FTC staff stated should apply to all businesses that collect, maintain, share, or otherwise use consumer data either online or offline, contains three top-level maxims:

Privacy by Design: Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services. This includes incorporating substantive privacy protections such as data security and retention practices into business processes and maintaining comprehensive data management procedures throughout the lifecycle of products and services. (Note: in the mobile context, the FTC used as an example that if a mobile App is providing traffic and weather information to a consumer based on his or her location information, it does not need to collect contact lists or call logs from the consumer's device.[ix])

Simplifying Consumer Choice: Companies should simplify consumer choice, not just through notice about privacy practices prior to the use of a product or service in a lengthy privacy policy, but also by offering choice at a time and in a context in which the consumer is making a decision about his or her data (such as when the consumer is presented with a targeted online behavioral advertisement).[x]

Increasing Consumer Transparency: Companies should increase the transparency of their data practices, such as by (i) clarifying, shortening, and standardizing privacy notices; (ii) providing reasonable access to the consumer data they maintain; (iii) providing prominent disclosures and obtaining affirmative express consent before using consumer data in a materially different manner than claimed when the data was collected; (iv) obtaining affirmative express consent when sensitive information such as financial information is collected and used for online behavioral advertising; and (v) working to educate consumers about commercial data privacy practices.

The Department of Commerce Green Paper entitled "Privacy and Information Innovation: A Dynamic Privacy Framework for the Internet Age"[xi] (DOC Green Paper) argued that preserving consumer privacy online, and thereby bolstering consumer trust in the Internet, is essential for businesses to succeed online.[xii] Like the draft staff FTC Report, the DOC Green Paper proposed strengthening privacy protections, including by enhancing transparency, encouraging greater detail in purpose specifications and use limitations, and fostering the development of verifiable auditing and accountability programs.

As mentioned above, both the draft staff FTC Report and the DOC Green Paper are expected to affect and influence U.S. privacy law and enforcement in the coming years, including with respect to mobile Apps.

    Selected International Laws


European Union. Unlike the US, EU privacy regulation stems from a fundamental rights approach. Rather than regulating practices to avoid specific harms,[xiii] the EU regulatory framework is designed to preserve privacy rights outlined in the EU Charter and various Directives of the European Commission (EC). Individual EU member states promulgate their own data protection rules, but those rules must substantially adopt the principles of the various EC Directives. For example, Directive 95/46/EC, also known as the Data Protection Directive, focuses on protecting the fundamental rights of individuals to be informed about and exercise control over the processing of their personal information.[xiv] It requires each member state to pass a data protection law adopting the thrust of the Directive's principles. The Data Protection Directive imposes obligations to inform individuals of how their data are being used/processed.[xv] Generally speaking, data cannot be used for purposes further than originally specified without additional consent.[xvi]

Canada. The basic premise of all Canadian private sector privacy statutes, including PIPEDA, is that an organization must obtain informed consent from the individual to any collection, use, or disclosure of personal information unless an exemption from the consent requirement applies. Personal information is defined as information about an identifiable individual; anonymized or aggregated information is therefore not personal information unless it is reasonably possible that the information can be de-anonymized or otherwise used to identify an individual person, whether through combination with other information or otherwise.

Hong Kong. Data protection in Hong Kong is regulated by the Data Protection (Privacy) Ordinance (PDPO). The essence of the legislation for the purposes of this advice is that personal data is permitted to be used for the purposes for which it was collected. The data subjects must be given notice of such purposes at the time of collection. Data can also be used for other purposes if the data subject subsequently consents to these uses, and for incidental purposes as well.


* This material is not intended as legal advice and may not be relied on as such. It is presented here to outline the privacy laws potentially applicable to apps.

[i] The materials here relate only to the privacy law obligations of App Developers (the persons or entities offering Apps through App platforms) and not the platform providers. Section 230 of the Communications Decency Act, 47 U.S.C. § 230, immunizes interactive computer services through which the content of third parties, such as Apps, is provided. Thus, while the platform providers may have privacy rules for App Developers, they cannot be held responsible for violations of those rules by the App Developers nor, under current law, are they required to have privacy rules at all. Note, however, that California's Online Privacy Protection Act of 2003 requires operators of commercial web sites or online services that collect personal information on California residents "through a web site" [which is an undefined term] to conspicuously post a privacy policy on the site and to comply with its policy. The privacy policy must, among other things, identify the categories of personally identifiable information collected about site visitors and the categories of third parties with whom the operator may share the information. An operator is in violation for failure to post a policy within 30 days of being notified of noncompliance, or if the operator either knowingly and willfully or negligently and materially fails to comply with the provisions of its policy. (emphasis supplied) http://www.privacyprotection.ca.gov/privacy_laws.htm#six

[ii] See, e.g., Gateway Learning Corp., FTC File No. 042-3047 (2004), available at http://ftc.gov/opa/2004/07/gateway.shtm (settlement of enforcement action against company that shared information with third parties contrary to statements in its online privacy policy); FTC v. ReverseAuction.com, Inc., FTC File No. 002-3046 (D.D.C. consent decree filed Jan. 6, 2000), available at http://www.ftc.gov/os/2000/01/reverseconsent.htm (settlement of enforcement action against company that promised users that it would not sell or share their information without prior consent, but in fact sold users' personal information).

[iii] See, e.g., Sears Holdings Mgmt. Corp., FTC File No. 082-3099 (2009), available at http://www.ftc.gov/opa/2009/06/sears.shtm (obtaining a consent decree from a company that did not adequately disclose to consumers participating in a promotion that it would download tracking software onto their computers that collected extensive amounts of information about them, including sensitive information such as the contents of encrypted web visits to the websites of their financial institutions); Nat'l Research Ctr. for College & Univ. Admissions, Inc., FTC File No. 022-3005 (2003), available at http://ftc.gov/opa/2003/01/fyi0308.shtm (settlement of enforcement action against company that claimed it was only sharing information collected from participating high school students with colleges and universities, when in fact it was also selling the information to commercial entities for marketing purposes).

[iv] See, e.g., Connecticut Unfair Trade Practices Act, CONN. GEN. STAT. §§ 42-110a to 42-110q (specifically noting § 42-110b, "Unfair trade practices prohibited," which resembles 15 U.S.C. § 45(a)).

[v] See http://www.privacyprotection.ca.gov/privacy_laws.htm.

[vi] See http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=150728.

[vii] FTC Staff Report, Protecting Consumer Privacy in an Era of Rapid Change, available at http://ftc.gov/os/2010/12/101201privacyreport.pdf.

[viii] The FTC also supported a "Do Not Track" mechanism that could be advanced either by legislation or enforceable industry self-regulation. Such a mechanism would require businesses to comply with a consumer's centralized opt-out of online behavioral tracking.

[ix] FTC Report at 46.

[x] The FTC also sought further comment on effective ways to obtain informed consent in the mobile context, given the multiple parties involved in the data collection and the smaller screen. Id. at 60-61, 70-72, A-3, A-5.

[xi] U.S. Dep't of Commerce Internet Policy Task Force, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework (Dec. 16, 2010), available at http://ntia.doc.gov/reports/2010/IPTF_Privacy_GreenPaper_12162010.pdf.

[xii] The Green Paper was authored by the Internet Policy Task Force at DOC, a joint effort of the Office of Commerce Secretary Gary Locke, the National Telecommunications and Information Administration (NTIA), the International Trade Administration, and the National Institute of Standards and Technology.

[xiii] See US Legal Analysis memorandum (Part 2 of 4), III.A.2.c.i.(a).

[xiv] See, e.g., 1995 O.J. (L 281) 32, available at http://ec.europa.eu/justice_home/fsj/privacy/law/index_en.htm (Directive 95/46/EC) ("[w]hereas the object of the national laws on the processing of personal data is to protect the fundamental rights and freedoms, notably the right to privacy . . .").

[xv] See Directive 95/46/EC at 33 (". . . in the right conferred on individuals, the data on whom are the subject of processing, to be informed that processing is taking place, to consult the data, to request corrections and even to object to processing in certain circumstances"); see also Directive 95/46/EC at 42 ("Member States shall guarantee every data subject the right to obtain from the controller . . . confirmation as to whether or not data relating to him are being processed . . . .").

[xvi] See Directive 95/46/EC at 34 ("whereas the purposes of processing further to collection shall not be incompatible with the purposes as they were originally specified").