Introduction
“Mobile applications” – software programs for mobile device operating systems (such as Android, Blackberry OS, iOS, or
Windows Phone OS) – can collect, use, and transfer users’ personal information from a mobile device. As the mobile app
developer, you are responsible for thinking about privacy at all stages of your app’s life cycle.
Mobile apps are at the forefront of current consumer privacy concerns. High profile media attention[1] and a series of class
action lawsuits[2] have prompted close scrutiny of app developer data practices from federal and state regulators.[3] As a
result, the U.S. Federal Trade Commission (FTC)[4] is actively enforcing consumer privacy rights against application
developers that surreptitiously access or misuse user data.[5]
Although other actors in the mobile ecosystem may also have access to personal information – including OS developers,
device manufacturers, app store platforms, service providers, and advertisers – as the app developer, you are often in
the best position to provide notice and disclosure to the end-user.[6] However, limitations inherent in current mobile
architecture can sometimes make it difficult for developers to adequately inform users of data collection, use, and
sharing practices.
The guidelines set forth in this document are intended to serve as a road map for you, the mobile app developer, to build
privacy into your apps, better inform and empower end-users, and foster trust and confidence in the mobile app ecosystem.[7]
[1] For example, the recent Wall Street Journal “What They Know” investigative series on Internet-tracking technology and consumer privacy has
motivated a number of Congressional and administrative inquiries. See http://online.wsj.com/public/page/what-they-know-digital-privacy.html
[2] Class action lawsuits filed against apps are frequently related to claims that personal data on mobile devices is being surreptitiously accessed,
transmitted, maintained, and/or used without users’ knowledge or permission. Most recently, a federal class action suit was filed against 18
high-profile apps in Texas on March 17, 2012. http://www.scribd.com/doc/85310203/TX-US-District-Court-Class-Action
[3] For example, California has indicated that all app developers that collect personal information from California residents must have a privacy
policy in compliance with California’s Online Privacy Protection Act. The policy must detail the type of information collected, how the information
will be shared, and how consumers may review and make changes to their stored information. Cal. Bus. & Prof. Code §§ 22575-22579.
[4] The FTC is the main consumer privacy protection agency. The FTC derives its enforcement power from Section 5 of the FTC Act, which prohibits
unfair or deceptive practices under 15 USC § 45(a).
[5] In the FTC’s first case involving mobile apps, W3 Innovations agreed to pay $50,000 to settle FTC allegations that it had violated the Children’s
Online Privacy Protection Act by illegally collecting and disclosing personal information from children younger than 13 without their parents’
consent. (August 2011, http://ftc.gov/os/caselist/1023251/index.shtm)
[6] Note that in some instances, the ability to comply with leading practices may depend on some of these other parties. We urge the other key actors
in the ecosystem to cooperate with app developers to make the improvements needed to ensure that consumers are provided with the necessary
transparency and controls called for in this document.
[7] Many of the guidelines in this document are based on the Fair Information Practice Principles, a set of generally accepted principles that should
inform an organization’s handling of individuals’ personal information. http://www.ftc.gov/reports/privacy3/fairinfo.shtm
Future of Privacy Forum and Center for Democracy & Technology acknowledge Lia Sheena,
Kenesa Ahmad, Aaron Brauer-Rieke, and Erica Newland for their invaluable contributions to this report.