Dear App Developers, Time to Get a Privacy Policy

    Big news for privacy last week: the FTC (Federal Trade Commission) fined Path $800,000 for privacy violations (Path settled the fine after a long FTC investigation started from a post on Hacker News). At the same time they issued a long set of guidelines for pretty much everybody in the mobile app space.

    The big takeaway is: you better have a privacy policy, and you better do what it says.

    FTC Guidelines

    Wait, what happened?

    Path was fined for two reasons:

    1. “Address-book gate”: They said they weren’t collecting certain types of information when, in fact, they were. While it’s normal for an app to ask permission to access third-party information on your phone (address book contacts, for example), what you collect and how you use it is crucial. Think twice before taking third-party personal information from your users’ phones, and try to avoid storing it on your servers.
    2. COPPA violation: COPPA says you must obtain “verifiable parent consent” if children under 13 use your app. Since Path collected birth dates, they knew for a fact they had kids using the app, and never did much about it. Result: $800,000 to the FTC. Not peanuts. Takeaway: if you know that you have kids on your website, call your lawyer and find out how to comply with COPPA. If you don’t really know, make sure you say something like:

    We do not use the Application to knowingly solicit data from or market to children under the age of 13. If a parent or guardian becomes aware that his or her child has provided us with information without their consent, he or she should contact us at privacy@applicationsite.com. We will delete such information from our files within a reasonable time.

    What about these new guidelines from the FTC?

    In the words of the Bureau of Consumer Protection:

    The default mindset about data collection used to be to gather as much as possible whenever possible. We’ve said it before, but that approach is [Valley Girl voice] like soooo 20th Century [/Valley Girl voice]. As savvy companies know, the wiser approach — and a central tenet of “Privacy by Design” — is to think through your needs and ask only for information you have a legitimate reason to collect. Gathering data “just ‘cuz” doesn’t cut ice with consumers anymore.

    The FTC wants app developers to use a (relatively) new approach: Privacy by Design. “Companies should build in privacy at every stage when developing their products.” This means a number of things:

    • Before building an app or a feature, think of the privacy implications;
    • If you collect information, protect it. Follow the security recommendations of the FTC (with special attention paid to the third-party software you use) and be careful not to overpromise or make generic reassuring statements;
    • Keep your policy updated! Every time you roll out a new update to the app store, stop for a second and think if you’ve added something that has an impact on your privacy statements. Added a new analytics script? It should go in there. Added “find friends via Facebook”? Go and edit the privacy policy.

    What does it mean for app developers?

    There are known best practices, some of them coming from the California Attorney General, that give you some legal protection and prevent problems and lawsuits. But this is what the FTC actually says developers should do (followed by some ideas on how to do it).

    1) You should have a privacy policy and it must be accessible from the app store. The simple way to accomplish this is to link to it when you submit the app, which means the privacy policy should live on your website. You could also provide the full text of the policy within the app, or a short statement describing the app’s privacy practices. The easiest thing to do here is to branch a policy on Docracy, modify it, then link to it in the app store.

    2) You should provide “just-in-time disclosures” and obtain affirmative express consent when collecting sensitive information outside the platform’s API. For example, iOS pops up a notification that a certain app is requesting access to the user’s location. In this case, the disclosure and the consent are taken care of by Apple. But your app might also collect other important stuff. The FTC names financial, health, and children’s data (but also, generically, “sharing sensitive data with third parties”).

    For example, I was playing Clash of Clans the other day, and after an update an in-app notification popped up:

    Clash of Clans is completely free to play, however some game items can also be purchased for real money. If you don’t want to use this feature, please disable in-app purchases in your device’s settings.

    This is already stated in the game description. But few people read that, and Supercell chose to repeat it via a separate notification. While this is not related to “sensitive information”, it’s a thoughtful way to inform users of something important that they should know about your app.

    3) Know the legal implications of code you’re using. It’s normal for app developers to use third-party packages from GitHub, SDKs, and the like. You should make sure this code is secure and know exactly what information it pulls, because you’re ultimately responsible for it. There’s a long list of questions to ask yourself here, including:
    - Does this library or SDK have known security vulnerabilities?
    - Has it been tested in real-world settings?
    - Have other developers reported problems?

    4) Participate in self-regulatory programs, educate yourself. We are great fans of self-regulation, and we open sourced a standard mobile privacy policy that has already been adopted by hundreds of apps.

    Conclusion.

    Path was fined $800,000. While this was in connection with COPPA violations, it’s the start of broader policing of privacy practices. Time for app developers to lawyer up and get a privacy policy. The FTC is encouraging the adoption of public standards and tightened integration among app developers, trade associations, ad networks and mobile platforms. There’s a lot to do. Here are some ideas:

    This is not legal advice. It’s good advice. KTL (Know The Law).

  2. docracy posted this