Big news for privacy last week: the FTC (Federal Trade Commission) fined Path $800,000 for privacy violations (Path settled the fine after a long FTC investigation that started from a post on Hacker News). At the same time, the FTC issued a long set of guidelines for pretty much everybody in the mobile app space.
Wait, what happened?
Path was fined for two reasons:
- “Address-book gate”: They said they weren’t collecting certain types of information when, in fact, they were. While it’s normal for an app to ask permission to access third party information on your phone, like address book info for example, what you collect and how you use it is crucial. Think twice before taking third-party personal information from your users’ phones, and try to avoid storing it on your servers.
- COPPA violation: COPPA says you must obtain “verifiable parent consent” if children under 13 use your app. Since Path collected birth dates, they knew for a fact they had kids using the app, and never did much about it. Result: $800,000 to the FTC. Not peanuts. Takeaway: if you know that you have kids on your website, call your lawyer and find out how to comply with COPPA. If you don’t really know, make sure you say something like:
We do not use the Application to knowingly solicit data from or market to children under the age of 13. If a parent or guardian becomes aware that his or her child has provided us with information without their consent, he or she should contact us at firstname.lastname@example.org. We will delete such information from our files within a reasonable time.
What about these new guidelines from the FTC?
In the words of the Bureau of Consumer Protection:
The default mindset about data collection used to be to gather as much as possible whenever possible. We’ve said it before, but that approach is [Valley Girl voice] like soooo 20th Century [/Valley Girl voice]. As savvy companies know, the wiser approach — and a central tenet of “Privacy by Design” — is to think through your needs and ask only for information you have a legitimate reason to collect. Gathering data “just ‘cuz” doesn’t cut ice with consumers anymore.
The FTC wants app developers to use a (relatively) new approach: Privacy by Design. “Companies should build in privacy at every stage when developing their products.” This means a number of things:
- Before building an app or a feature, think of the privacy implications;
- If you collect information, protect it. Follow the security recommendations of the FTC (with special attention paid to third-party software you use) and be careful not to overpromise or make generic reassuring statements.
What does it mean for app developers?
There are known best practices, some of them coming from the California Attorney General, that give you some legal protection and prevent problems and lawsuits. But this is what the FTC actually says developers should do (followed by some ideas on how to do it):
2) You should provide “just-in-time disclosures” and obtain affirmative express consent when collecting sensitive information outside the platform’s API. For example, iOS pops up a notification that a certain app is requesting access to the user’s location. In this case, the disclosure and the consent are taken care of by Apple. But your app might also collect other important stuff. The FTC names financial, health, and children’s data (but also a generic “sharing sensitive data with third parties”).
For example, I was playing Clash of Clans the other day, and after an update an in-app notification popped up:
Clash of Clans is completely free to play, however some game items can also be purchased for real money. If you don’t want to use this feature, please disable in-app purchases in your device’s settings.
This is already stated in the game description. But few people read that, and Supercell chose to repeat it via a separate notification. While this is not related to “sensitive information”, it’s a thoughtful way to inform users of something important that they should know about your app.
3) Know the legal implications of code you’re using. It’s normal for app developers to use third-party packages from GitHub, SDKs and the like. You should make sure this code is secure and know exactly what information it pulls, because you’re ultimately responsible for it. There’s a long list of questions to ask yourself here, including:
- Does this library or SDK have known security vulnerabilities?
- Has it been tested in real-world settings?
- Have other developers reported problems?
- Adopt our open source standard
- Read the FTC Guidelines
- Read the California Attorney General Guidelines
- Read the California Business And Professions Code
- Read the FPF Best Practices for Mobile App Developers
This is not legal advice. It’s good advice. KTL (Know The Law).