Apps — including travel — need to do lot more on privacy or more fines coming, FTC says

Online companies may face action by Congress to toughen U.S. privacy standards if they don’t do a better job of protecting the privacy of mobile device users, Federal Trade Commission Chairman Jon Leibowitz said today.

If some companies “don’t wake up and do the right thing, my sense is that industry is far more likely to face much more prescriptive laws down the road,” Leibowitz, the outgoing FTC head, said on a conference call with reporters (PDF of his transcript). “I don’t think that’s going to be very far down the road because privacy is the quintessential bipartisan issue in Congress.”

The FTC today released a set of mobile-privacy recommendations for application stores, such as those run by Apple Inc. and Google Inc., app developers and online advertising networks. FTC staff “strongly encourages” companies to adopt the non-binding guidelines, the agency said in a news release. (Full PDF of mobile privacy recommendations from FTC embedded below)

The growing popularity of mobile devices and apps that can, for example, track a user’s location and habits has prompted hearings and proposals by U.S. lawmakers for privacy legislation. Mobile application store revenue is expected to reach $74 billion in 2016, from $15 billion last year, according to technology research firm Gartner Inc.

‘Massive’ Data

The FTC report is reminder to industry that the agency is “on the case,” said Jeffrey Chester, executive director of the Center for Digital Democracy, a Washington-based privacy group. At the same time, Chester said the report fell short by focusing on how companies disclose their data practices without looking at the broader issue of how they collect information from users.

“Consumers aren’t aware of the massive amounts of data scooped out of the mobile device that are used, analyzed and sold to the highest bidder,” Chester said.

The FTC also announced a settlement today with Path Inc., the developer of a mobile social-networking application, over complaints that it deceived consumers by collecting personal information from mobile address books.

As part of the settlement, Path will develop a comprehensive privacy program and submit to independent privacy assessments over the next 20 years, according to the FTC. The company will also pay $800,000 to settle charges that it illegally collected data from about 3,000 children without getting their parents’ consent. Path said in a blog post that it has since closed those accounts.

Leibowitz Leaving

The FTC mobile-privacy report is one of the agency’s last actions under Leibowitz, who said that he will leave for the private sector by Feb. 15 after eight years at the commission.

The report contains guidelines for mobile “platforms” such as Apple and Google, recommending that they develop a dashboard for users to see the type of content accessed by apps they have downloaded; tell users to what extent they review apps before making them available; and offer a “do not track” mechanism to let consumers prevent tracking by ad networks and other third parties.

Apple spokesman Tom Neumayr declined to comment. Niki Fenwick, spokeswoman for Google, didn’t immediately respond to an email seeking comment.

The report says app developers should immediately get consumers’ consent before accessing and sharing sensitive information and do a better job of understanding how they integrate with ad networks to provide better disclosure to users about information that’s being collected.

California Effort

“The Commission’s recommendation to make privacy policies a requirement for apps is a sensible step and one that ACT has been advocating to its members for some time,” Morgan Reed, executive director of the Association for Competitive Technology, a group representing 5,000 app developers and technology firms, said in an e-mail message.

California Attorney General Kamala Harris has taken a prominent role in mobile-privacy efforts, warning companies to adhere to a state law requiring apps to have a privacy policy. Harris announced last February that Apple, Google, and other mobile platforms signed an agreement to encourage compliance with the law.

Separate from the FTC, the U.S. Commerce Department is holding a series of meetings involving companies and consumer advocates to hammer out a voluntary code of conduct for informing users about the kinds of personal data their mobile applications collect and how the information is used.

–With assistance from Andrew Zajac in Washington, Sarah Frier in New York, and Peter Burrows and Brian Womack in San Francisco. Editor: Bob Drummond, David Ellis

To contact the reporter on this story: Eric Engleman in Washington at [email protected]

To contact the editor responsible for this story: Bernard Kohn at [email protected]

Download (PDF, 635KB)