Following up on a public workshop held earlier this year, today the Federal Trade Commission (FTC) issued a set of truth-in-advertising and privacy guidelines for mobile device application (app) developers. Titled “Marketing Your Mobile App: Get it Right From the Start,” the guidelines provide an overview of key issues for all app developers to consider.
At the outset, the FTC makes clear that these Guidelines are intended to apply to all app developers, large and small, start-up and established. It notes, however, that there is no “one-size-fits-all” approach to advertising and privacy compliance.
The privacy section of the Guidelines includes several key recommendations:
- Build privacy considerations in from the start (i.e., Privacy by Design);
- Be transparent about your data practices;
- Offer choices that are easy to find and easy to use;
- Honor your privacy promises;
- Protect kids’ privacy;
- Collect sensitive information only with consent; and
- Keep user data secure.
- Build privacy considerations in from the start (i.e., Privacy by Design). The Guidelines recommend that parties incorporate privacy protections into their practices, limit the information they collect, securely store collected information, and dispose of it safely when it is no longer needed. They also encourage parties to select default app settings based on what people using the app would expect. For any collection or sharing of information that is not apparent, the Guidelines state that app developers should obtain express agreement from users.
- Be transparent about your data practices. App developers should “be clear to users” about their practices and explain what information is collected and how it is used. Interestingly, the Guidelines also reference an expanded disclosure for third-party sharing – “if you share information with another company, tell your users and give them information about that company’s data practices.”
- Offer choices that are easy to find and easy to use. The Guidelines state that app developers should provide users with tools to exercise control over how their personal information is collected and shared. Such tools should also be easy to find and use, and companies should honor users’ choices.
- Honor your privacy promises. App developers must live up to their privacy promises. They also need to obtain affirmative consent before making material changes to their privacy policies. The Guidelines note that such promises should also be made in clear language; be easy to read on a small screen; and use colors, fonts, and other design elements to bring attention to key information.
- Protect kids’ privacy. Apps designed for children or that collect personal information from kids may have additional requirements under the Children’s Online Privacy Protection Act (COPPA) and the FTC’s COPPA Rule.
- Collect sensitive information only with consent. The Guidelines encourage parties to obtain affirmative consent before collecting “sensitive” data such as medical, financial, or precise geolocation information.
- Keep user data secure. The Guidelines state that even if parties do not make specific data security promises, they “still have to take reasonable steps to keep sensitive data secure.” They also recommend that parties: (1) collect only the data they need; (2) secure the data by taking reasonable precautions against well-known security risks; (3) limit access to the data on a need-to-know basis; and (4) safely dispose of data that is no longer needed. App developers that work with contractors and other third parties should “make sure” that the third parties also comply with these standards.
With respect to truth-in-advertising, the Guidelines advise parties to:
- Tell the truth about what your app can do.
- Be transparent about your data practices.
The Guidelines encourage app developers to look at their product — and their advertising — from “the perspective of average users, not just software engineers or app experts.” Objective claims need to be backed up with solid proof, also referred to as “competent and reliable evidence.” Health, safety, or performance claims may need competent and reliable scientific evidence. Disclosures need to be “big enough and clear enough that users actually notice them and understand what they say.” In other words, avoid burying important terms and conditions.