The Federal Trade Commission's new guidelines to improve mobile privacy for consumers don't much worry CIO Niel Nickolaisen. A veteran IT professional who currently oversees technology and information at Western Governors University, a fast-growing private, nonprofit university in Salt Lake City, Nickolaisen said he follows the golden rule in his approach to application data privacy.
"If I would not like someone to know something about me, I don't build that into anything I ask someone else to use," Nickolaisen said. As long as he is transparent about collecting data, asks customers for permission to collect their data and treats data "with the same respect I would want my data treated," he figures he's in the clear. "Of course, the FTC could prove me wrong and issue regulations that prescribe how I do this," he said. Now that could throw a monkey wrench into the whole mobile ecosystem.
Lest CIOs think they are personally exempt from these privacy matters, experts point out that the exemption is lifted the instant anyone at a CIO's company touches a mobile app. "Every CIO is about to become the CIO of a small software company inside their organization, as they start building and supporting mobile apps for customers, partners and employees," said Simon Yates, who covers mobility and the workplace experience in the CIO group at Forrester Research Inc. He agreed with Nickolaisen that the FTC guidelines by and large "make perfect sense and are common-sense" practices. "If nothing else, reading this guide from the FTC will alert developers to some principles: Don't lie about what the app can do; disclose anything relevant to the user; honor your customers' privacy and seek consent for sensitive information."
Moreover, the guidelines are nonbinding. The problem is that CIOs by and large aren't up on data protection laws, especially those that can be applied to mobile data. "They don't know where to start, and they certainly don't have the big legal teams that Google, Apple and Microsoft have to track this stuff all the time," Yates said. While many people read these guidelines as a warning directed mainly at Apple and Google and their like, "it's everybody else that is probably more at risk," he said.
Lawsuits pending on mobile privacy
Carsten Casper, a privacy and security analyst at Gartner Inc., also stressed that the FTC guidelines are not aimed just at the likes of Apple and Google. "They explicitly name 'app developers,' and this can mean any company (or even individual) that develops an app -- and rightly so," he said. "Apps can do privacy-intrusive things, even on tightly controlled platforms. In fact, one could argue, 'Why blame the platform if the app is misbehaving?' similar to 'Why blame the hosting provider for a website hosting illegal material?'"
App developers should:
- Provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information (to the extent the platforms have not already provided such disclosures and obtained such consent).
- Improve coordination and communication with ad networks and other third parties that provide services for apps, such as analytics companies, so the app developers can better understand the software they are using and, in turn, provide accurate disclosures to consumers. For example, app developers often integrate third-party code to facilitate advertising or analytics within an app with little understanding of what information the third party is collecting and how it is being used.
- Consider participating in self-regulatory programs, trade associations and industry organizations, which can provide guidance on how to make uniform, short-form privacy disclosures.
Source: Excerpted from the FTC report, Mobile Privacy Disclosures
And while these guidelines at present lack teeth, the FTC is getting serious about applying existing privacy laws, Casper said. "If companies violate the privacy promises they made, then they can expect 20 years of privacy audits. There must be at least half a dozen such cases by now, including Google and Facebook."
Joseph Marcella, CIO for the city of Las Vegas, foresees Apple and other key players building mobile privacy standards into their app store requirements going forward, and he says safeguards are coming, one way or another. "If not mandated through legislation, the industry will be driven by their community to manage the apps, devices, channels in a practical way to ensure consistency, reliability and market share," he said. Crafting legislation that serves all mobile users will be hard, in any case: "We have four generations of users, developers, and folks dependent on the technology innovation out there with different interests."
Kelly Mantheny, director for solutions delivery at Solstice Mobile, a mobile strategy consulting firm based in Chicago, sees the recommendations as underscoring a widening concern over mobile privacy: "I think the FTC guidelines underscore how important mobile devices have become in our lives." CIOs should make it a priority to ensure their company has updated privacy policies that include mobile, she said. Solstice advises clients to approach mobile privacy through the "same lens" as Internet privacy: namely, have a policy on tracking and usage of personal information and make it available; always provide an opt-out option; and ask for permission before accessing information stored on the device. "Privacy badging" will become more popular, with icons letting consumers know that the app follows national standards for mobile privacy. And scrutiny of the "Wild Wild West" of mobile markets -- from the big guys to the one-gal shops -- is definitely coming.
"Like the Internet was in the late '90s, we are just figuring out the power of the mobile platform and the type of data that is available to be collected," Mantheny said. "As data aggregation and reporting becomes more sophisticated for the mobile platform, there will be more scrutiny of mobile privacy."
So -- be prepared.