
InfoBytes Blog

Financial Services Law Insights and Observations

  • FTC Announces Mobile Privacy Enforcement Action, Issues Mobile Privacy Staff Report

    Fintech

    On February 1, the FTC announced that it is requiring a social networking application company to pay $800,000 and make certain compliance enhancements to resolve allegations that the firm (i) misled and deceived users by automatically collecting and storing personal information from users’ mobile device address books even if the users had not selected that option and despite claims that the application collected only certain non-personal user information, and (ii) violated the Children’s Online Privacy Protection Act Rule by collecting personal information from approximately 3,000 children under the age of 13 without first getting parents’ consent. Pursuant to the consent decree, in addition to the monetary penalty, the company must establish a comprehensive privacy program, and obtain independent privacy assessments every other year for the next 20 years.

    Concurrently, the FTC released a staff report that provides disclosure policy and other guidance to mobile platforms, application developers, advertising networks and analytics companies, and application developer trade associations. For example, the report urges platforms to (i) provide just-in-time disclosures to consumers and obtain affirmative express consent before allowing applications to access sensitive content like geolocation; (ii) consider providing just-in-time disclosures and obtaining affirmative express consent for other content that consumers may find sensitive; and (iii) consider developing icons to depict the transmission of user data. With regard to application developers, the report recommends, for example, that developers (i) provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information; and (ii) improve coordination and communication with advertising networks and other third parties that provide services for applications. During a call announcing the report, the FTC explained that the report is intended to influence industry standards, and that the Commission staff will reference the report for future policymaking. The FTC also noted that the National Telecommunications and Information Agency is developing a code of conduct on mobile application transparency, and, if strong privacy codes are developed, the FTC will view adherence to such codes favorably in connection with its law enforcement work.

    FTC Mobile Commerce Enforcement Privacy/Cyber Risk & Data Security

  • California AG Issues Mobile Application Privacy Recommendations

    Fintech

    On January 10, California Attorney General Kamala Harris (AG) issued recommended privacy practices for mobile application developers, mobile application platform providers, mobile advertising networks, operating system developers, and mobile carriers. The AG recommends a “surprise minimization” approach, which could include measures to (i) avoid collecting personally identifiable data that are not needed for basic functionality, (ii) make an app’s general privacy policy easy to understand and available before download, and (iii) supplement a legally required general privacy policy with enhanced measures to alert users and give them control over data practices that are not related to an application’s basic functionality or that involve sensitive information.  Supplemental policies could include “special notices” delivered in context and “just-in-time,” or short privacy statements made readily available within an application and that highlight potentially unexpected practices and allow users to make privacy choices. The issuance of the recommendations is the latest action by the AG as part of a broader privacy initiative and follows the state’s first mobile application privacy suit filed last month.

    State Attorney General Mobile Commerce Privacy/Cyber Risk & Data Security

  • FDIC Supervisory Insights Focuses on Mobile Payments and High-Yield Checking

    Fintech

    On December 17, the FDIC published the Winter 2012 issue of Supervisory Insights. The two featured articles focus on mobile payments and high-yield checking. In “Mobile Payments: An Evolving Landscape,” FDIC staff (i) review mobile payment technology, (ii) provide guidance regarding understanding and managing risks, and (iii) include a chart explaining the applicability of various federal laws to mobile payments. The article states that, going forward, non-bank mobile payment providers may start to capture greater market share from financial institutions and alter bank/customer relationships. The article describes the potential for banks to gradually be pushed out of the payment transaction, and identifies potential impacts of such disintermediation, including loss of access to key customer data. A second article, “High-Yield Checking Accounts: Know the Rules,” reviews the features of high-yield checking accounts and identifies problematic disclosures that may accompany their promotion. The article identifies what examiners look for when examining high-yield account offerings and provides best practices for banks.

    FDIC Mobile Commerce Mobile Payment Systems

  • FTC Report Urges Mobile Application Developers to Improve Disclosures, Announces Multiple COPPA Investigations

    Fintech

    On December 10, the FTC issued a staff report on the privacy disclosures and practices of mobile applications offered for children in certain online application stores. The report provides the results of an FTC survey of the disclosures and links on the promotion page in the application store, on the application developer’s website, and within the application, for hundreds of applications for children. According to the report, most mobile applications failed to give parents any information needed to determine what data is being collected from their children, how it is being shared, and with whom it is being shared. Further, the FTC states that many applications shared certain information with third parties without disclosing that fact to parents, and a number of applications contained interactive features – such as advertising, the ability to make in-application purchases, and links to social media – without disclosing these features to parents prior to download. The report also states that FTC staff is launching multiple nonpublic investigations of certain entities that may have violated the Children’s Online Privacy Protection Act (COPPA) or engaged in unfair or deceptive trade practices in violation of the FTC Act, and the FTC “strongly urges” the mobile application industry to develop and implement best practices to protect privacy, including those recommended in an FTC privacy report issued earlier this year. In a related development, on December 11, the Center for Digital Democracy filed a complaint with the FTC seeking an investigation of one firm for allegedly offering and operating a mobile application in violation of COPPA.

    Mobile Commerce Privacy/Cyber Risk & Data Security

  • California AG Files First Mobile Application Privacy Suit

    Fintech

    On December 6, California Attorney General Kamala Harris (AG) announced an enforcement action against Delta Airlines for allegedly failing to comply with the state’s Online Privacy Protection Act. This is the first action brought by the AG’s office under this law and follows other efforts by the AG’s office to require enhanced mobile privacy disclosures. In October, the AG’s office sent letters to 30 companies, including Delta, advising those entities that their mobile applications failed to comply with the state privacy law and providing them 30 days to remedy the alleged failure. The complaint alleges that since at least 2010, Delta has operated a mobile application that may be used to, for example, check in online for an airplane flight, view reservations for air travel, or rebook cancelled or missed flights. The AG claims that the Delta application collects substantial personally identifiable information but does not have a privacy policy. The suit seeks to enjoin Delta from distributing its application without a privacy policy and seeks penalties of up to $2,500 for each violation.

    State Attorney General Mobile Commerce Privacy/Cyber Risk & Data Security

  • California AG Notifies Mobile Application Developers of Non-Compliance

    Fintech

    On October 30, California Attorney General (AG) Kamala Harris announced that her office’s Privacy Enforcement and Protection Unit sent letters to numerous mobile application developers advising those entities of their noncompliance with state privacy law. Specifically, the AG alleges that the targeted mobile application developers failed to post a privacy policy that is reasonably accessible to the consumer, as required by the California Online Privacy Protection Act. Under the state unfair competition law, violation of the Act may result in penalties of up to $2,500 per violation. A violation in this instance is each download of a mobile application that does not properly include a privacy policy. The letters provide thirty-day notice of noncompliance as required by the Act, within which each developer must provide specific plans and a timeline for compliance, or an explanation of why the application is not covered by the Act.

    State Attorney General Mobile Commerce Privacy/Cyber Risk & Data Security

  • GAO Urges Federal Actions to Protect Mobile Device Users' Privacy

    Fintech

    On October 11, the GAO released a report on its examination of how the mobile industry collects location data and the resulting impact on consumers. According to the report, privacy advocates expressed concerns that consumers are generally unaware of how location data is used by third parties and that consumers could be subject to increased risk of surveillance by law enforcement, identity theft, and threats to personal safety. The GAO examined how companies have applied practices recommended by industry associations and privacy advocates to protect consumers' privacy while using mobile location data. The report reviews actions taken by federal agencies to provide consumer education and develop industry codes of conduct. The GAO recommends, among other things, that NTIA work with stakeholders to develop industry codes of conduct and that the FTC consider issuing guidance on mobile companies' appropriate actions to protect location data privacy.

    FTC Mobile Commerce Privacy/Cyber Risk & Data Security

  • Nevada's Federal District Court Declines to Enforce Browsewrap Arbitration Agreement

    Fintech

    On September 27, the U.S. District Court for the District of Nevada followed other federal courts and held that an arbitration clause within the Terms of Use agreement on Zappos.com was unenforceable given that users were neither provided with notice of the agreement nor an opportunity to affirmatively assent to the agreement. In re Zappos.com, Inc. Customer Data Sec. Breach Litig., No. 12-325, 2012 WL 4466660 (D. Nev. Sep. 27, 2012). Customers sued Zappos in several federal district courts for damages resulting from a security breach of the company’s website. After those actions were consolidated, Zappos filed a motion to compel arbitration based on the argument that by using the website the customers accepted and agreed to its Terms of Use, which included an agreement to arbitrate all claims arising from use of the website, and which were available through a hyperlink on each page of Zappos.com. Such hyperlinked Terms of Use are known as “browsewrap” agreements. The court held that despite the broad federal policy in favor of arbitration, the company had provided no evidence that the customers clicked on, viewed, or expressly manifested assent to the Terms of Use agreement, there was no acceptance of the Terms of Use provisions by customers, and thus those provisions, including the arbitration clause, were unenforceable. Moreover, the court held that because Zappos retained the unilateral right to revise the Terms of Use, the contract was illusory and therefore unenforceable. Accordingly, the court denied Zappos’ motion to compel arbitration.

    Arbitration Mobile Commerce

  • FTC Issues Advertising and Privacy Guidelines for Mobile Application Developers

    Fintech

    On September 5, the FTC published “Marketing Your Mobile App: Get It Right from the Start,” a guide to assist mobile application developers in complying with federal advertising and privacy requirements. The guide provides basic guidance and principles related to truthful advertising and consumer privacy protections. For example, the guide urges application developers to (i) disclose key information in advertising materials clearly and conspicuously, (ii) collect sensitive information only with the user’s affirmative consent, and (iii) avoid collecting unnecessary data and ensure the security of any sensitive data that is collected.

    FTC Mobile Commerce Privacy/Cyber Risk & Data Security

  • NTIA Announces First Privacy Stakeholder Meeting

    Fintech

    On June 15, the National Telecommunications and Information Administration (NTIA) announced that the first meeting of a privacy multistakeholder process will be held on July 12, 2012. The meeting is the first in a series intended to produce a code of conduct that will provide transparency in the handling of personal data by mobile application and services companies. The multistakeholder process derives from the White House’s Privacy Blueprint released in February 2012, which set forth a Consumer Privacy Bill of Rights and designed the multistakeholder process to develop legally enforceable codes of conduct across diverse business contexts.

    Mobile Commerce Privacy/Cyber Risk & Data Security
