California Dreaming: privacy and mobile apps

by Jon_B

This is the latest in my (not-at-all) regular series of posts about mobile application development and the law.

The latest developments are markedly California-centric. As you will see though, this doesn't mean it is safe for UK developers to ignore them.

The first piece in the puzzle is the FTC's complaint against Broken Thumbs apps, which was recently settled in California.

Broken Thumbs settled the claim (with no admission of liability) on the basis of a $50,000 fine and other undertakings, having been accused by the FTC of violating the Children's Online Privacy Protection Act in the USA by failing to obtain verifiable parental consent to the collection and use of personal information from children under 13 who used their mobile apps.

This settlement is the first specific confirmation that COPPA applies to mobile apps as well as websites.

This is something which UK app developers need to be aware of because COPPA isn't limited to US companies.

It applies to any business which operates a website or online service (which now expressly includes a mobile app) if it is directed to children and offers products or services for sale:

"involving commerce [between the USA and] one or more foreign nations..."

There is no requirement that the operator (or app developer) is based in the USA so this could apply to a UK developer whose app is available in US app stores.

This is a topical area for the FTC, which also released a report in February this year accusing developers of mobile apps directed at children of failing to provide proper disclosure of their collection and use of data on app store pages.

To an extent, this is being addressed by the major app platforms. The "big six" mobile app platforms (including Apple and Google) signed up to an agreement with the California Attorney General at the end of February aimed at increasing transparency about privacy issues.

One of the requirements of this is for the app store approval process to include:

"an optional data field for a hyperlink to the app's privacy policy or a statement describing the app's privacy practices or (b) an optional data field for the text of the app's privacy policy..." [emphasis added]

The full agreement can be found in PDF format here, but I would expect to see these additional fields cropping up in UK app store submission processes.

This raises the question of what (if anything) you need to put into this field when submitting your app.

For UK developers this is fairly straightforward. If you are processing personal data then the Data Protection Act will apply. The best starting point is the comprehensive guidance issued by the Information Commissioner's Office about privacy notices.

One of the reasons why Data Protection has become a live issue for app developers was the revelation that Path and other apps were uploading the contents of address books from the device on which they were installed without obtaining specific consent from the user.

This brings me to the final Californian item. A class action has already been filed against Path and a large number of other social media and mobile companies in Texas, but as of March 26th, a class action has been launched against Path in California.

The claim is filed on behalf of all US mobile device users who downloaded the Path app prior to the date on which the company removed the address book uploading function.

I have no idea what the likely prospects of this (or any of the other) claims are, but the message is clear. Privacy is becoming a big money issue for app developers, regulators and litigators, and it pays to be aware of the issues.

Finally, what of the future?

The US dimension is likely to change in the light of the new "Bill of Rights for online consumers" being promoted by the Obama administration in the form of the Consumer Data Privacy in a Networked World white paper.

UK developers who are already used to the relatively high European level of data protection regulation may not think they have much to worry about; however, the EU data protection regime is also likely to change significantly over the next couple of years.

The European Commission has recently proposed a review of data protection rules to bolster privacy rights, increase users' control over their data and introduce a single set of rules on data protection.

This is likely to cover issues such as an obligation to notify data breaches and the "right to be forgotten", both of which will be relevant to anyone developing apps which process personal data.

The new law will be in the form of a regulation which is directly enforceable across the EU without the need for individual national legislation. It also carries the threat of fines of up to 2% of global turnover for non-compliance.

With privacy and data protection edging up the global agenda, this is a subject which will become increasingly important for app developers over the next few years.

A working knowledge of UK data protection rules and a weather eye on upcoming developments are the basic starting point.

However, it is becoming increasingly important to be aware of legislation like COPPA where US and other rules could catch you out.