
FTC mobile privacy guidelines put mobile ecosystem and CIOs on notice

If CIOs haven't updated their data privacy policies to include mobile data, the FTC's new mobile privacy guidelines make it clear that the time has come.

The Federal Trade Commission's new guidelines to improve mobile privacy for consumers don't much worry CIO Niel Nickolaisen. A veteran IT professional who currently oversees technology and information at Western Governors University, a fast-growing private, nonprofit university in Salt Lake City, Nickolaisen said he follows the golden rule in his approach to application data privacy.


"If I would not like someone to know something about me, I don't build that into anything I ask someone else to use," Nickolaisen said. As long as he is transparent about collecting data, asks customers for permission to collect their data and treats data "with the same respect I would want my data treated," he figures he's in the clear. "Of course, the FTC could prove me wrong and issue regulations that prescribe how I do this," he said. Now that could throw a monkey wrench into the whole mobile ecosystem.

Indeed, in its report released last week, the FTC, the nation's chief privacy agency, made clear its recommendations for improving mobile privacy disclosures to consumers and customers are intended for a broad universe of "key players in the rapidly expanding mobile marketplace." Those key players range from the mega-operating system providers, such as Amazon, Apple, BlackBerry and Microsoft, to app developers to advertising networks, analytics companies, app developer trade associations and academics. For each of them, the FTC has recommendations. Mobile platform providers, for example, are urged to offer a do-not-track mechanism for smartphones and consider making icons that show the transmission of user data, among other safeguards. App developers should have a privacy policy that can be readily accessed through the app store, get permission from consumers before collecting and sharing sensitive information, and make sure they understand the software used by their partner networks (advertising and analytics firms) so they can actually provide accurate disclosures to consumers.


Lest CIOs think they are personally exempt from these privacy matters, experts point out that the exemption is lifted the instant anyone at a CIO's company touches a mobile app. "Every CIO is about to become the CIO of a small software company inside their organization, as they start building and supporting mobile apps for customers, partners and employees," said Simon Yates, who covers mobility and the workplace experience in the CIO group at Forrester Research Inc. He agreed with Nickolaisen that the FTC guidelines by and large "make perfect sense and are common-sense" practices. "If nothing else, reading this guide from the FTC will alert developers to some principles: Don't lie about what the app can do; disclose anything relevant to the user; honor your customers' privacy and seek consent for sensitive information."

Moreover, the guidelines are nonbinding. The problem is that CIOs by and large aren't up on data protection laws, especially those that can be applied to mobile data. "They don't know where to start, and they certainly don't have the big legal teams that Google, Apple and Microsoft have to track this stuff all the time," Yates said. While many people read these guidelines as a warning directed mainly at Apple and Google and their like, "it's everybody else that is probably more at risk," he said.

Lawsuits pending on mobile privacy

Carsten Casper, a privacy and security analyst at Gartner Inc., also stressed that the FTC guidelines are not aimed just at the likes of Apple and Google. "They explicitly name 'app developers,' and this can mean any company (or even individual) that develops an app -- and rightly so," he said. "Apps can do privacy-intrusive things, even on tightly controlled platforms. In fact, one could argue, 'Why blame the platform if the app is misbehaving?' similar to 'Why blame the hosting provider for a website hosting illegal material?'"

App developers should

  • Have a privacy policy, and make sure it is easily accessible through the app stores.
  • Provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information (to the extent the platforms have not already provided such disclosures and obtained such consent).
  • Improve coordination and communication with ad networks and other third parties that provide services for apps, such as analytics companies, so the app developers can better understand the software they are using and, in turn, provide accurate disclosures to consumers. For example, app developers often integrate third-party code to facilitate advertising or analytics within an app with little understanding of what information the third party is collecting and how it is being used.
  • Consider participating in self-regulatory programs, trade associations and industry organizations, which can provide guidance on how to make uniform, short-form privacy disclosures.

Source: Excerpted from the FTC report, Mobile Privacy Disclosures

And while these guidelines at present lack teeth, the FTC is getting serious about applying existing privacy laws, Casper said. "If companies violate their privacy promises they made, then they can expect 20 years of privacy audits. There must be at least half a dozen such cases by now, including Google and Facebook."

In addition, steam is building across government entities to address mobile privacy. The FTC recommendations, for example, follow similar privacy best practices published last month by the California attorney general, Casper said. "Enforcement is already happening," he said, and it's not aimed just at the platform players. He pointed to the California attorney general's lawsuit against Delta Airlines for failing to include a privacy policy in the app that customers can download from the Apple and Google platforms: "So, here the target is not the platform, it's the app developer," he added. Absent any general law, authorities now are using the means they have "to protect consumers and citizens from overly nosy or data-greedy companies," he said. "Those companies' CIOs had better be prepared."

Joseph Marcella, CIO for the city of Las Vegas, foresees Apple and other key players building mobile privacy standards into their app store requirements going forward, but he says safeguards are coming, one way or another. "If not mandated through legislation, the industry will be driven by their community to manage the apps, devices, channels in a practical way to ensure consistency, reliability and market share," he said. Crafting legislation that serves all mobile users will be hard, in any case: "We have four generations of users, developers, and folks dependent on the technology innovation out there with different interests."

Kelly Mantheny, director for solutions delivery at Solstice Mobile, a mobile strategy consulting firm based in Chicago, sees the recommendations as underscoring a widening concern over mobile privacy: "I think the FTC guidelines underscore how important mobile devices have become in our lives." CIOs should make it a priority to ensure their company has updated privacy policies that include mobile, she said. Solstice advises clients to approach mobile privacy through the "same lens" as Internet privacy: Namely, have a policy on tracking and usage of personal information and make it available; always provide an opt-out option; and ask for permission before accessing information stored on the device. "Privacy badging" will become more popular, with icons letting consumers know that the app follows national standards for mobile privacy. And scrutiny of the "Wild Wild West" of mobile markets -- from the big guys to the one-gal shops -- is definitely coming.

"Like the Internet was in the late '90s, we are just figuring out the power of the mobile platform and the type of data that is available to be collected," Mantheny said. "As data aggregation and reporting becomes more sophisticated for the mobile platform, there will be more scrutiny of mobile privacy."

So -- be prepared.

Let us know what you think about the story; email Linda Tucci, News Director.


Is your data privacy policy up to date on mobile privacy?