Speaking at the American Bar Association’s annual meeting in Toronto, Commissioner Brill informed the audience that “We will soon be seeing some enforcement actions on [mobile] apps.”  Commissioner Brill emphasized that Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices, applies to mobile applications and criticized many app developers for not posting a privacy policy. 

The FTC’s interest in mobile applications is not surprising given that mobile privacy has been the focus of a number of recent Congressional hearings and press reports. However, it will be interesting to see what Section 5 claims the FTC will raise with respect to mobile apps. The FTC’s authority to adopt prescriptive rules under Section 5 is highly constrained. There is no rule under Section 5, for example, requiring that a mobile app developer post a privacy policy.

Instead, it is common for the FTC to issue informal guidance explaining what acts and practices it is likely to consider “deceptive” or “unfair.”   While not legally binding, this informal guidance provides industry some indication of where the FTC’s Section 5 enforcement efforts are likely to be concentrated.  Last December the Commission released a preliminary staff report that proposes a framework for businesses and policymakers to protect consumer privacy.  In her speech to the ABA, Commissioner Brill referenced this preliminary report to support her claims that mobile app developers should develop simplified notices, icons, and layered notices to provide consumers information about the developer’s information handling practices. 

However, building an enforcement action around this report may be problematic for at least two reasons.  First, the report is still in draft form, and a final report is not expected until later this year.  Second, the preliminary report stopped short of calling for legislation or prescriptive rules and remained generally supportive of self-regulation. 

The report did, however, suggest that the FTC “plans to continue its vigorous law enforcement in the privacy area, using its existing authority under Section 5.”  Therefore, unless the FTC attempts to significantly expand its reach in the area of unfairness, any claims against mobile app developers are likely to be based more on standard Section 5 deception claims, such as making a false or misleading statement in the developer’s privacy policy or failing to disclose material practices (although it may be difficult to demonstrate that an app developer’s omission is likely to affect the consumer’s conduct).  It would not be surprising, however, if the FTC were to push for simplified notice, icons, layered privacy policies, and just-in-time notices in consent decrees settling its Section 5 complaint.  While these consent decrees are binding only on the party involved, they could influence self-regulatory efforts and best practices in the mobile industry.



Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.