August 27, 2013 Articles

Privacy in the Mobile Age: Recent Developments and New Regulations

By Monique Bhargava

The Internet is constantly evolving, and along with it the realm of consumer online privacy. Every day companies are connecting in new ways with their consumers and discovering new ways of learning about consumers’ behaviors, preferences, and general information. While consumers may not always be diligent about where and how they divulge their personal information, companies are increasingly charged with the responsibility to inform consumers about information collection, use, sharing, and security. This task is not easy, however, as these same companies have to keep up not only with technology, but with the laws and regulations that protect consumers from the potential misuse of technology.

The increasing prevalence of mobile applications, social media, and online behavioral advertising means that both in-house and outside counsel are faced with the challenge of applying old (and sometimes new) rules to new media. This means assessing what it means to make meaningful disclosures and how to comply with the law while at the same time balancing the business needs of your client. Failure to present consumers with adequate disclosures, transparent policies, notice, and choice may expose your client to class actions, hefty fines, and burdensome settlement agreements—or worse, PR disasters.

<p>So what are the latest developments in consumer online privacy and how can you keep up? You should be aware of these recent developments if your clients intend to engage with consumers online.</p>
<p><strong>Mobile Disclosures</strong></p>
<p>With tablets and mobile phones becoming the preferred methods of communication, it is no wonder that every company is racing to capitalize on this market. Not to be left behind, the Federal Trade Commission recently revised its Dot Com Disclosures to better address the unique concerns posed by mobile devices. Although the Dot Com Disclosures are merely &ldquo;guidance&rdquo; on what the FTC may look at to determine whether online communications are deceptive, unfair, or misleading, the principles outlined in the Dot Com Disclosures send a clear message to businesses that a new approach is needed for how information is disclosed in new media.</p>
<p>The Dot Com Disclosures reiterate the need for clear and conspicuous disclosure. Specifically, in the mobile environment, the Dot Com Disclosures state, in part, that disclosures should be placed close to the triggering claim, and they should be incorporated into the communication itself if possible. But if a hyperlink is necessary, that hyperlink should be obvious and clearly labeled. For example, a disclaimer placed at the bottom of a mobile website and accessible only through excessive scrolling may not always be effective unless there are clear visual or textual cues directing consumers to the disclaimer location. Notably, the Dot Com Disclosures indicate that a visual scroll bar may not be a sufficient visual cue, as scroll bars may not always be visible and may not always indicate whether the end of the page has been reached.</p>
<p>Furthermore, the FTC suggests that vaguely labeled hyperlinks—such as &ldquo;details below&rdquo;—may not sufficiently alert the viewer to the subject matter or importance of the information in the hyperlink and thus could render the disclosure meaningless. Hyperlinks that are labeled specifically, such as &ldquo;see shipping restrictions&rdquo; or &ldquo;eligibility requirements,&rdquo; may be more likely to encourage consumers to read further for information. Regardless, businesses should be careful not to relegate pertinent information integral to the claim made to hyperlinks. Examples include health and safety information, as well as substantial offer and payment terms and restrictions. Such information should be incorporated in a prominent manner into the main communication.</p>
<p>Businesses should also take into consideration how consumers use various devices, as well as the respective space and viewing constraints associated with different devices and platforms. For example, websites designed for a computer screen may not be optimized for mobile viewing, which can lead to consumers&rsquo; zooming in on specific frames or portions of the page. This could mean that disclosures that are otherwise clear and conspicuous on a computer website may become obscured on a mobile device or tablet and therefore be rendered ineffective. In addition, keep in mind other unique limitations posed by mobile devices. Links to important disclosures that are grouped together with other clickable content can be discouraging to viewers who may have trouble clicking on the appropriate link. Remember, not everyone can navigate his or her mobile devices with the stealth of a teenager.</p>
<p><strong>Mobile Privacy</strong></p>
<p>What can&rsquo;t you do with your mobile device these days? Using mobile applications, I can rent a movie, order food, purchase a book for my tablet, check social media, and play a quick game of Diamond Dash, all during the 10-minute ride home in the cab I ordered. Such convenience comes at a price greater than my daily data usage fees. In the span of 10 minutes, I probably divulged a large amount of personal information to a multitude of companies, including my service provider, app developers, and even advertising networks. These companies can gain access to a rich source of information, including a user&rsquo;s location, device ID, and personal information input by the user herself. However, few applications have adequate privacy policies—or any privacy policy at all.</p>
<p>The FTC and state regulators have both been quick to react to the increase in mobile information collection and use. In early 2012, the California Attorney General reached an agreement with several leading companies to improve privacy disclosures on mobile platforms. This agreement included the conspicuous posting of a mobile privacy policy, in accordance with the California Online Privacy Protection Act, which the consumer can review and accept prior to download and installation of an application. More recently, in January 2013, Attorney General Harris released California&rsquo;s mobile privacy guidelines, &ldquo;Privacy on the Go,&rdquo; which set forth best practices for app developers, platform providers, mobile ad networks, operating system developers, and mobile carriers. The FTC released its own staff report on mobile privacy, &ldquo;Mobile Privacy Disclosures: Building Trust Through Transparency,&rdquo; in February 2013.</p>
<p>Both the FTC and California guides contain similar themes, primarily transparency, notice, and consent. App developers should ensure that their mobile applications contain a privacy policy that clearly discloses to users what information is collected and how it is used. Best practice recommendations include allowing users to review the policy prior to download and increasing ease of access through consistent placement of the privacy policy in the app store information screen as well as within the app itself. Developers should also make sure that the policy itself is easy to read on a mobile device. As discussed above, regulators can view excessive scrolling as an impediment to communicating important information. Therefore, mobile-privacy policies could be rendered easier to read through the use of layering, graphics, and other unique formatting techniques.</p>
<p>Of special concern is the collection of what regulators may consider &ldquo;sensitive&rdquo; personal information, such as location information and contact lists. The FTC recommends the use of &ldquo;just-in-time&rdquo; disclosures, already present in most mobile platforms and various applications, which alert the user and obtain affirmative consent immediately prior to collecting &ldquo;sensitive&rdquo; information from the user&rsquo;s mobile device. The California guidelines echo this recommendation by encouraging app and platform developers to provide special additional notice when collecting such information.</p>
<p>In the FTC&rsquo;s first privacy action against a mobile device maker, the FTC alleged that HTC America Inc., in addition to inadequately securing its mobile software and placing sensitive consumer information at risk, produced user manuals associated with such devices that contained false or misleading statements regarding when user information was accessed or transmitted. Specifically, the FTC&rsquo;s complaint alleged that the manuals contained statements that user authorization was necessary for a third-party application to access user information when, because of security vulnerabilities, such information could be accessed without authorization. Furthermore, statements indicated that the user could select to transmit location data along with user error reports, when the location data may have been actually transmitted regardless of user preference. The cases resulted in a settlement and consent order that requires HTC America to address the various security vulnerabilities and places several long-term reporting and audit burdens on the company. Given the Commission&rsquo;s recent focus on mobile platforms and devices, this case may be the first of many mobile-based privacy actions from the FTC.</p>
<p><strong>Online Behavioral Advertising</strong></p>
<p>Online behavioral advertising (OBA) is not necessarily a new concept. However, the ways in which companies are collecting and using information certainly continue to evolve. Marketers and advertisers are often at odds with regulators on how heavily OBA activities should be regulated, but it is clear that consumers are still unsure of exactly what OBA is and why they are seeing ads for Tahoe resorts after searching online for snowboarding lessons.</p>
<p>OBA—tracking of website users over multiple, unaffiliated websites and the use of such information to serve targeted ads—is regulated largely through the industry self-regulatory program. In addition to the self-regulatory program principles, the FTC has also issued OBA principles. The principles behind both the industry regulations and the FTC guidance are similar—namely, companies engaging in OBA activities should provide notice and give users choices when it comes to targeted advertising. The method of notice and choice can vary based on which part a company plays in the OBA process.</p>
<p>When targeted ads are served on a website, notice can be as simple as including an &ldquo;About Tracking&rdquo; or &ldquo;About Ads&rdquo; disclosure on the website homepage. The notice should clearly disclose what is being tracked, by whom, and what choices the consumer has. The choice—via opt-outs—should be provided by the advertisers or relative ad networks and linked through the disclosure. As the advertiser whose ads are being served, you must provide notice and choice. To accomplish both notice and choice, the industry self-regulatory program has adopted the DAA icon, which has become more and more prevalent, as well as the aboutads.info program. The icon is typically placed within the targeted ad and links directly to an explanation of OBA and opt-out choices. Many advertisers use ad networks to serve targeted advertisements. They should ensure that their vendors and ad networks are complying with the notice and choice requirements—including that ad networks are effectively opting users out once those users have exercised their choice.</p>
<p>One of the greatest challenges of OBA is keeping up with tracking techniques. Only a few years ago, tracking was accomplished mainly through traditional cookies. Today, there are a multitude of ways for advertisers to track user activity on the Internet, including flash cookies and digital fingerprinting. Actually, there were probably five new behavioral tracking techniques being pitched to your marketing department as I wrote this article. The perpetual improvement of tracking techniques also means that privacy policies and tracking notices must be kept up to date, with adequate disclosures on what tracking techniques are used, what information is being collected, how that information is used and shared, and how consumers can opt out.</p>
<p>For example, in a recent FTC action against Epic Marketplace, a digital marketing company, the FTC alleged that Epic failed to disclose the use of &ldquo;browser history sniffing&rdquo; as one of its tracking tools. Although Epic traditionally gathered information through the use of cookies, Epic merged with a company that engaged in browser-history sniffing—using a user&rsquo;s browser history to identify other websites the user had visited. The history-sniffing tracking continued for more than a year after the merger. Epic used this information to target ads to users, allegedly without disclosing the new tracking technique and opt-out methods in its tracking disclosures and privacy policy. Under the final consent order, Epic is prohibited from using history-sniffing technology, prohibited from making future misrepresentations, and it must destroy all information gathered through the use of such techniques.</p>
<p><strong>Keywords: </strong>woman advocate, litigation,online privacy, marketing, advertising, disclosures</p>