Speaking at the American Bar Association’s annual meeting in Toronto, Commissioner Brill informed the audience that “We will soon be seeing some enforcement actions on [mobile] apps.” Commissioner Brill emphasized that Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices, applies to mobile applications and criticized many app developers for not posting a privacy policy.
The FTC’s interest in mobile applications is not surprising given that mobile privacy has been the focus of a number of recent Congressional hearings and press reports. However, it will be interesting to see what Section 5 claims the FTC will raise with respect to mobile apps. The FTC’s authority to adopt prescriptive rules under Section 5 is highly constrained. There is no rule under Section 5, for example, that a mobile app developer post a privacy privacy.
Instead, it is common for the FTC to issue informal guidance explaining what acts and practices it is likely to consider “deceptive” or “unfair.” While not legally binding, this informal guidance provides industry some indication of where the FTC’s Section 5 enforcement efforts are likely to be concentrated. Last December the Commission released a preliminary staff report that proposes a framework for businesses and policymakers to protect consumer privacy. In her speech to the ABA, Commissioner Brill referenced this preliminary report to support her claims that mobile app developers should develop simplified notices, icons, and layered notices to provide consumers information about the developer’s information handling practices.
However, building an enforcement action around this report may be problematic for at least two reasons. First, the report is still in draft form, and a final report is not expected until later this year. Second, the preliminary report stopped short of calling for legislation or prescriptive rules and remained generally supportive of self-regulation.
The report did, however, suggest that the FTC “plans to continue its vigorous law enforcement in the privacy area, using its existing authority under Section 5.” Therefore, unless the FTC attempts to significantly expand its reach in the area of unfairness, any claims against mobile app developers are likely to be based more on standard Section 5 deception claims, such as making a false or misleading statement in the developer’s privacy policy or failing to disclose material practices (although it may be difficult to demonstrate that an app developer’s omission is likely to affect the consumer’s conduct). It would not be surprising, however, if the FTC were to push for simplified notice, icons, layered privacy policies, and just-in-time notices in consent decrees settling its Section 5 complaint. While these consent decrees are binding only on the party involved, they could influence self-regulatory efforts and best practices in the mobile industry.