Post on 30-Apr-2020
IAPP PRIVACY ACADEMY
KEEPING UP WITH EMERGING STANDARDS FOR MOBILE PRIVACY
Joanne McNabb, Director of Privacy Education & Policy, Office of the Attorney General, California Department of Justice
Julie Mayer, Staff Attorney, Northwest Regional Office, Federal Trade Commission
Tim Tobin, Partner, Hogan Lovells
October 2, 2013
OVERVIEW
• US Federal Legal Landscape
– FTC Regulatory Framework and Enforcement
– FTC Guidance
• California: Leading the States
– California OPPA and Recent Amendment
– Recommendations
• Self-Regulatory Initiatives for apps (NTIA, DAA, NAI, FPF/CDT)
• International treatment of apps (EU)
• US Text Advertising
FTC REGULATORY FRAMEWORK AND ENFORCEMENT
FTC REGULATORY FRAMEWORK
• Section 5 of the FTC Act – prohibits unfair or deceptive trade practices
• COPPA Rule - governs online collection of personal information from children (including through apps)
• Fair Credit Reporting Act – requires accuracy in credit reporting information and provides dispute rights for consumers
FTC MOBILE APP ENFORCEMENT: RULES OF THE ROAD
1. Tell the Truth
– About your product: DermApps
– About your data practices: Path
2. Secure Consumer Information – HTC
3. Comply with COPPA – W3 Innovations, dba Broken Thumbs
4. Make Sure Your Credit Reports Are Accurate and Used for Permissible Purposes – Filiquarian Publishing
FTC REPORTS
• .com Disclosures (March 2013)
• Mobile Privacy Disclosures (February 2013)
• Privacy Report (March 2012)
• Kids Apps Report (February 2012)
• Kids Apps Report (December 2012)
• Mobile Payments Report (March 2013)
MARCH 2012 PRIVACY REPORT
• 3 Main Principles: All Apply to Mobile Environment
– Principle #1: Adopt Privacy by Design
– Principle #2: Simplify Privacy Choices
• “Just-in-time” disclosures
• Do Not Track
– Principle #3: Improve Transparency
• Standardize and enhance privacy disclosures to enable better comprehension and comparison of privacy practices
KIDS APP REPORTS
• 2012 Kids App Reports (2)
– Examined 400 apps
– Many apps shared information with third parties without disclosing this fact
– Found 58% of kids apps include ads, but only 9% tell you so
KIDS APPS STATISTICS
MOBILE PRIVACY DISCLOSURES
• February 2013 Staff Report – Outgrowth of commission’s prior work on mobile privacy and workshop discussions and comments
• Recommended Best Practices for:
– Platforms
– App Developers
– Ad Networks and other Third Parties
– App Developer Trade Associations
MOBILE PAYMENTS
• FTC has broad jurisdiction of many of the participants in the mobile payment ecosystem, including:
– Hardware manufacturers, OS developers, data brokers, coupon and loyalty programs, payment card networks, advertising companies, retailers, and merchants
– Mobile operators engaging in payment functions such as mobile carrier billing
MOBILE PAYMENTS
• Use of mobile payments raises significant privacy concerns due to:
– High number of companies involved
– Large amount of data being collected
– Ability to consolidate personal and purchase data in new ways versus a traditional credit or debit card purchase
FTC MOBILE GUIDANCE
• Mobile App Developers: Start with Security (February 2013)
– Rush to market introduces flaws
– Security by Design
• Marketing Your Mobile App: Getting it Right (September 2012)
– Be truthful
– Be transparent
• Sound familiar?
MOBILE PRIVACY IN CALIFORNIA
CalOPPA
• California Online Privacy Protection Act
– Operators of commercial website/online service collecting PII on CA residents shall make privacy policy conspicuously available
– PII broadly defined (identifier that permits contacting)
– Must comply with the privacy policy
– AB 370: Disclose response to DNT signals
IT TAKES A VILLAGE – OR AN ECOSYSTEM … to protect privacy in the mobile sphere
RECOMMENDATIONS FOR APP PLATFORMS/STORES
PLATFORMS FOR PRIVACY
• Make app privacy policy accessible in the store.
• Provide means for users to report non-compliant apps.
– Implement process for responding to such reports
• Help educate consumers on mobile privacy.
RECOMMENDATIONS FOR APP DEVELOPERS
SURPRISE MINIMIZATION
ENHANCED NOTICE
• Alert users with enhanced measures
– For collection of PII not related to app’s basic functionality
– For collection of sensitive information
• Two approaches recommended
– Short privacy statement + privacy settings
– Just-in-time “special notices”
BASIC PRIVACY PRACTICES
• Avoid or limit collecting PII not required for app’s functionality.
• Avoid or limit collecting sensitive information.
• Use app-specific, non-persistent device IDs.
MOBILE APP SELF-REGULATORY GUIDELINES
NTIA CODE OF CONDUCT
• App Developers Focus on “short notice”
– Collection of data types (biometric, location, browser history, user files)
– Sharing of user data with third parties (ad networks, carriers, government entities)
• Means of Accessing Long Form Privacy Policy
• Exceptions:
– (1) not identified or promptly de-identified data;
– (2) certain operational purposes; and
– (3) unauthorized/unknown data collection
OTHER GUIDELINES
• DAA: Application of OBA and Multi-Site Self-Regulatory Principles to Mobile Environment (July 2013)
– Focuses on “cross-app” data
– Transparency, consumer control, security, consent for material changes and added protections for sensitive information
• NAI Mobile Application Code (July 2013)
– Applies only to third party digital advertising companies
– Focus on cross-app advertising and ad delivery and reporting
– Transparency, user control, use limitations, transfer restrictions, data access, quality, security and retention and accountability
• FPF/CDT Best Practices for Mobile App Developers
– Transparency and Accessibility
– Address changes
– Use short form notice and enhanced notice
MOBILE APP PRIVACY ABROAD
ARTICLE 29 WORKING PARTY
• Opinion on Mobile Apps (March 2013)
– Applies to all apps available to EU users regardless of where app developer is located
– “Cookie consent provisions” of the 2002 ePrivacy Directive also apply to apps downloaded by EU users
• i.e., users’ consent must be obtained prior to installing or accessing any information stored on their devices
– Consumers should be free to say no to processing and choices should be granular
– Cites to US guidance, including FTC for “just in time notice” principle
WHATSAPP INVESTIGATION
Joint Dutch and Canadian DPA investigation of WhatsApp’s data collection, use, storage, and sharing practices
FCC (TCPA), FTC AND TEXT MARKETING
TCPA AND TEXT MARKETING
• Most autodialed calls to wireless numbers require prior express consent
– Text messages are “calls”
– Commercial texts typically sent via autodialers
• Non-advertisement/telemarketing texts – Prior express consent (written or oral)
• Advertising/telemarketing texts
– No primary purpose test (FCC; Chesbro v. Best Buy)
– Oct. 16, 2013 – Prior express written consent:
• Signed, written agreement (E-SIGN) with the following “clear and conspicuous disclosures”
– By signing, person authorizes autodialed telemarketing calls
– Agreement not a requirement for purchasing any property, goods or service
TEXT MARKETING
• TCPA Ramifications – Private Right of Action
– Actual damages or $500 per violation (willful/knowing = $1,500)
– Multiple multi-million dollar settlements
• FCC enforcement = $16,000 per violation
• FCC also has CAN-SPAM jurisdiction over MSCMs
• FTC
– Has filed suits against multiple “text spammers” for various section 5 violations
TEXT MARKETING INDUSTRY GUIDELINES
• Mobile Marketing Association
– US Consumer Best Practices
– Mobile Advertising Guidelines
– Global Code of Conduct
• Disclosure Examples (Subscription):
– Msg&Data Rates May Apply.
– Get 1 msg/week.
– Reply HELP for help.
– Reply STOP at any time to cancel. (Honor STOP, END, CANCEL, UNSUBSCRIBE or QUIT)
– T&Cs avail at [web URL for full Terms and Conditions; if possible, include an embedded link to the URL]
SUMMARY
• Apps:
– Know what app does
– Be truthful and transparent (e.g., short form disclosures)
– “Just in time” choices for unexpected collection/sharing
– Address security
– Know audience (EU residents; appeal to children under 13)
– Know your role (developer, app platform, ad network)
• Text Messages
– Always have prior express consent
– For advertising/telemarketing, have prior express written consent in conformity with FCC rules
– Honor opt-outs and include disclosure on rates, etc.
FTC RESOURCES
• FTC Business Center: business.ftc.gov
– COPPA FAQs: http://business.ftc.gov/documents/Complying-with-COPPA-Frequently-Asked-Questions
– Mobile Privacy Disclosures: http://www.ftc.gov/opa/2013/02/mobileprivacy.shtm
– Protecting Consumer Privacy in an Era of Rapid Change: http://ftc.gov/os/2012/03/120326privacyreport.pdf
CALIFORNIA RESOURCES
• California Privacy Laws, Legislation, Business Guidance, Consumer Information – www.oag.ca.gov/privacy
• Privacy on the Go – www.oag.ca.gov/privacy/business-privacy
• Joint Statement of Principles (with app platform companies) – www.oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-secures-global-agreement-strengthen-privacy
APP SELF-REGULATORY RESOURCES
• NTIA Code of Conduct
– www.ntia.doc.gov/other-publication/2013/privacy-multistakeholder-process-mobile-application-transparency
• DAA Principles – http://www.aboutads.info/
• NAI Mobile Application Code – http://www.networkadvertising.org/mobile/NAI_Mobile_Application_Code.pdf
OTHER RESOURCES
• EU Art. 29 Opinion on Mobile Apps
– http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp202_en.pdf
• FCC TCPA and CAN-SPAM Rules
– 47 CFR 64.1200; 47 CFR 64.3100
– http://www.fcc.gov/guides/spam-unwanted-text-messages-and-email