As state and federal regulators increasingly focus on mobile apps, the Federal Trade Commission today released detailed recommendations for mobile privacy.

In a 29-page staff report, the FTC suggests how mobile app platforms and developers should notify consumers of their privacy practices.  Although the guidelines are not binding law, they offer best practices that could help app developers and platforms provide clear privacy notices, which are increasingly important as regulators concentrate on mobile privacy.  In December, California Attorney General Kamala Harris sued Delta Airlines for failing to provide a privacy notice on its mobile app, and she has indicated that more lawsuits are likely.

Much of the FTC report focuses on guidelines for mobile app platform providers, such as Apple, Google, Amazon, Microsoft, and Blackberry. The FTC states that platform providers “are gatekeepers to the app marketplace and possess the greatest ability to effectuate change with respect to improving mobile privacy disclosures.”

Of particular note is the FTC’s suggestion that mobile app platforms notify consumers and obtain express consent before accessing content “that consumers would find sensitive in many contexts,” such as contacts, photos, calendar entries, and audio or video content. Some other jurisdictions, such as the European Union, distinguish between sensitive and non-sensitive personal information, but the United States generally has only made such a distinction for medical, financial, and education records.

The FTC also suggests that mobile app platforms:

  • Offer a dashboard that allows consumers to choose which apps have access to particular types of data, such as geolocation information
  • Use icons to indicate when an app is accessing their sensitive data
  • Include provisions in their contracts with mobile app developers that require privacy disclosures and affirmative consent before collecting sensitive information
  • Clearly disclose how the platforms review apps
  • Develop a mobile Do-Not-Track system that prevents companies from creating profiles of mobile users

The FTC report states that mobile app developers should have a privacy policy, which also is available through the platform’s app store, and that they should notify consumers and obtain consent before sharing sensitive information. Notably, the FTC states that an app need not provide notice and obtain consent if the platform provider already has done so. In other words, if a platform has notified consumers that an app will collect geolocation data, the app does not need to provide an identical notice.

The FTC urges ad networks to help app developers understand how their code works, to ensure that the networks do not collect information without the app developers’ knowledge. And the FTC encourages app trade associations to develop standardized icons to inform consumers about app privacy practices, and to help app developers standardize their privacy policies.