Mobile App Privacy - Six Things You Need to Know

Posted by Kate Jurras on Mon, Jul 2, 2012

gene resized 600For the July blog series, we asked some of Boston's greatest thought leaders to speak on a particularly complicated (but relevant) subject: tracking, targeting, and privacy. Their responses were surprising, fascinating, and applicable - and we think you'll find this series quite interesting! This post is by Gene K. Landy. Gene is a shareholder of the law firm of Ruberto, Israel & Weiner, P.C.,, a MITX sponsor. Gene is Chair of the firm’s Technology Business Group and concentrates on digital technology and media companies. He advises clients on technology lice   nsing, business transactions, and privacy matters. He is the author of a 2008 comprehensive entrepreneur’s guide to digital technology and media law called The IT/Digital Legal Companion. You can contact Gene at

Mobile Apps Collect and Provide Data to Marketers

Companies get valuable data about users through mobile apps. Depending on the app’s programming, data gathered can include location (accurate to within a few meters), the device ID (i.e., a unique device identifier), phone number, address book contacts, applications used, the user’s voice characteristics, information searched for, music played, etc. Use of the app may also indicate age, sex or other personal characteristics.

This is the age of big data. When companies combine data from mobile apps with powerful analytics, the result can be greatly increased data value. Information about a single user can be aggregated into a user profile. Knowing that you are presently in Boston has some value; but knowing that you are female, live in an upscale neighborhood, are aged 30 to 35, and shop at particular stores is worth much more. Data aggregated from many users can reveal consumer trends and patterns of behavior.

The more data companies collect, and the more analysis they (or their advertising and analytics partners and suppliers) do with mobile data, the more about data collection and use they may need to disclose to users.

Regulatory Focus and Privacy Policies

Mobile data privacy and consumer tracking is a prime focus of The Federal Trade Commission (FTC), which believes that consumers need better information and more protection. The FTC has targeted mobile companies for failing adequately to disclose mobile data collection practices.  Other countries also regulate the mobile app privacy area. In Europe, no information can be gathered by marketers from a mobile device without disclosure to the user and affirmative user consent.

In February 2012, the California Attorney General signed a deal with Apple, Google, Amazon, HP, and Microsoft in which these companies all agreed that app developers that use their online app distribution platforms must make data gathering and use disclosures. Now any company that distributes an app through an app market (including Google Play, the Amazon’s Android Appstore, and Apple’s App Store) must make specific disclosures about the information that is gathered by the app. However, most of these pro forma disclosures provide little information about how the information gathered is actually used.

It is best practice for companies to have, in addition to these generic app store disclosures, a privacy policy for each mobile app with additional disclosure. The app can contain a link to an online privacy policy – or, even better, the app can contain the text of the applicable privacy policy.  Many apps also include contractual terms of use – and some apps (a minority) require that the user “click to accept” the terms of use before first use. The deeper the information gathered and the broader the use, the more important the terms of use and privacy policy become.

General or Specific Disclosure?

When you write a privacy policy disclosure, should the information you provide to users be highly specific or should it be more general?

Here is an example that illustrates the problem: In Apple’s initial online privacy disclosure for the iPhone’s Siri application, Apple said that user data “will not be shared with third parties other than with Apple’s partners who are providing related services to Apple.” Apple’s disclosure did not explain who these “partners” are, what “related services” means, which user data will go to “partners,” or what the “partners” will do with it. (Apple later revised this disclosure, and its online information now says nothing about data sharing in Siri.)

Most lawyers in the field would consider this kind of vaguely written disclosure inadequate, because it provides no concrete information to users on what is being done with data or who is getting it. On the other hand, being too precise about use and processing of user data can limit companies’ freedom of action in exploiting data – or lead to the disclosures becoming inaccurate when new data services or data processing analytics are added to the app.
There is no hard and fast rule about how much disclosure is enough. Data use disclosure in a privacy policy is always a judgment call.

Apps for Business

Many consumer users ignore privacy disclosures and will just download useful apps without regard to the data that they collect. However, business users are more sensitive about allowing third parties to collect, hold, and use their information. In May of 2012, IBM’s CIO announced that IBMers’ mobile devices would not be allowed to use Apple’s Siri, Google’s iCloud or DropBox, all out of concern that IBM company information on these services (all of which transmit user data to outside storage) would not be adequately secure and protected.  If the B-to-B sector, it is important that data practices, as disclosed, fit user expectations.

Apps for Children

A well-known California-based maker of children’s mobile games, W3 Innovations, has released many fun game apps for kids, including Emily's Girl World and Emily's Dress Up. In December 2011, W3 paid a $50,000 fine to settle FTC allegations that it violated federal law because these apps obtained email addresses of young children and permitted them to publicly post personal information on message boards from their apps. Under the federal Children's Online Privacy Protection Act (COPPA), there are tight restrictions on accumulating and disclosing personal data about children under the age of 13.

The Bottom Line

The privacy issues that arise in mobile apps depend on the types of data obtained, the audience, the nations targeted, and the data use. Mobile app privacy practices and written privacy policies should be carefully considered and periodically reviewed and revised.
About the Author: