1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

A Gatekeeper Approach to Mobile App Regulation is Developing in the United States

Print Friendly

The Federal Trade Commission (FTC) released a Staff Report on February 1, 2013, entitled “Mobile Privacy Disclosures: Building Trust Through Transparency.” The FTC Staff Report follows on the heels of earlier recommendations by the California Attorney General (AG), released in January, in a report entitled “Privacy on the Go: Recommendations for the Mobile Ecosystem.”

The FTC Staff Report is particularly notable for articulating a gatekeeper function for platform providers in the mobile app ecosystem. The Staff Report and the California AG Recommendations recognize that there are distinct players in the mobile app market – platforms that provide the operating system and marketplaces; developers of the apps; and advertising networks. Each of the FTC Staff Report and the California AG Recommendations target these different players with recommendations.

However, it appears that FTC Staff see the platform providers as particularly amenable to regulation because they are the focal point for the interface between users and app developers.

“[…] platforms such as Apple, Google, Amazon, Microsoft, and Blackberry are gatekeepers to the app marketplace and possess the greatest ability to effectuate change with respect to improving privacy disclosures.” (FTC Staff Report, p. 14)

FTC Staff asserted that the platforms “use the plethora of apps offered on their devices as a significant marketing tool” (p. 14). The inference appears to be that the platforms have fair trading obligations to ensure that the apps they distribute meet privacy standards.

As gatekeepers, FTC Staff want platform providers to:

  • Require developers to make privacy disclosures;
  • Enforce privacy disclosure standards;
  • Educate developers on privacy issues;
  • Be responsible for providing “just-in-time” disclosure for the collection of geolocation data and other sensitive data;
  • Be responsible for obtaining consent for the collection of geolocation data and other sensitive data;
  • Develop a “dashboard” to allow consumers to review what types of content is being accessed by Apps on their devices;
  • Develop icons to notify the user of the transmission of user data;
  • Establish a do-not-track (DNT) option at the platform level to allow consumers to make a one-time choice; and
  • Provide consumers with disclosure regarding the extent of review that the platform undertakes prior to making the app available as well as any compliance checks or reviews after the app is made available on the platform’s market store.

The approach to platform providers as a potential gatekeeper and enforcer is different from that California AG’s report, which focused on the educational role that platform providers could play.

Other highlights from the FTC Staff Report and the earlier California AG Recommendations are:

  • DNT or bust? FTC Staff continue to call on the industry to develop a “DNT mechanism that would prevent an entity from developing profiles about mobile users” (FTC, p. 21). The DNT mechanism must be (i) universal, (ii) easy to find and use, (iii) persistent, (iv) effective and enforceable, and (v) apply to more than just advertisements (FTC, p. 21).
  • “Just-in-Time” and “Surprise Minimization”. The FTC Staff Report emphasizes “just-in-time” or contextual disclosure and obtaining express affirmative consent at the point in which it is going to matter to consumers – that is, just prior to collection (FTC, p. 15). The California AG’s basic approach is to “minimize surprises to users”. The emphasis is on clearer, shorter notices. Organizations should not rely on privacy policies alone but also supplement those notices with alerts delivered “in context and just in time” (AG, p. 5).
  • Icons – but which ones? Privacy icons are the future; however, FTC Staff want to see consumer testing to ensure efficacy (FTC, p. 16).
  • Privacy by Design. The California AG continues to emphasize privacy as the default and the limiting of collection, use and retention to what is necessary to complete the function for which the data was required (AG, p. 9).