FTC Disappointed with Privacy on Kids' Mobile Apps

16 February 2012 Privacy & Security Source Publication
Author(s): Chanley T. Howell

By Ariel Fox Johnson and Chanley Howell

Today, the FTC staff released a Report [http://www.ftc.gov/os/2012/02/120216mobile_apps_kids.pdf] which raised concerns about the privacy polices and practices of mobile apps for children. The Report contains the results of a survey the FTC staff conducted of mobile apps targeted at kids. While tailored for children focused apps, the Report provides useful guidance with respect to FTC concerns applicable to all categories of mobile apps.

 The Report explains that in today’s growing mobile market, there are over 500,000 mobile apps in the Apple App Store and 380,000 in the Android Market. On the positive side, the Report found that there are a wide variety of apps now available from children, both educational and entertaining, and that the apps are for the most part inexpensive.

 The Report also found that despite the wide variety and accessibility of kids’ apps, there is a lack of information about apps’ data collection and sharing practices available to parents when they are downloading apps. In the app stores and at developer’s sites, it was often very difficult to determine what the actual scope and reach of the app’s data collection and sharing functionality. The Report noted that mobile apps can capture lots of information from a device automatically and without a user’s awareness, such as geolocation, phone numbers, contacts, call logs, and unique identifiers. Furthermore, some children’s apps—like adult apps—allow for social networking and the display of advertising, which can raise additional privacy concerns for parents.

 The Report recommended that app developers and app stores, such as the Android Market and the Apple App Store, should work together to provide necessary privacy information to parents in a clear, simple and timely manner. For example, app stores should provide information about an app’s privacy practices the same way they provide “category” or price information, perhaps by displaying symbols indicating various privacy collection and sharing practices.

 The Report further recommended that app developers need to write clear and short policies using plain language (not “legalese”) that can be effectively displayed on a mobile device. Writing such policies may be an exercise in creativity for the app developers—privacy policies appearing on websites have been criticized for length and density, and those concerns apply even more to policies displayed on a screen only inches wide. They should also disclose whether the app connects with social media, and whether it contains ads.

 Finally, the FTC encouraged app developers, app stores, and third parties providing services within apps to make information clear so that parents can make informed choices about their children’s apps.

Companies should note that when the FTC refers to “app developers,” it uses the term broadly to include the sponsor, seller or distributor of the app, not just the company that actually does the development work. In other words, companies that sell and distribute mobile apps are responsible for requiring its developers to comply with the privacy requirements imposed and enforced by the FTC.

The FTC also indicated that it would be conducting a review of certain mobile apps in the coming months to determine if the apps are complying with the Children’s Online Privacy Protection Act (COPPA).  The COPPA Rule is currently undergoing a review at the FTC.

Concerns about mobile app privacy, and in particular the lack of transparency regarding what mobile apps do, extend beyond kid’s apps. As highlighted in New York Times post yesterday (http://bits.blogs.nytimes.com/2012/02/15/google-and-mobile-apps-take-data-books-without-permission/?src=me&ref=technology), certain popular apps may be routinely gathering personal information from address books and uploading it to servers without a user’s knowledge. As technology evolves and more companies create mobile apps, companies should take care to accurately explain their privacy practices and comply with best practices in this arena. While the guidelines provide useful guidance for all apps,  compliance in this areas is especially important for developer’s of children’s mobile apps, given the FTC’s mandate under COPPA and its particular concern with children’s privacy as a top priority.