Developers of mobile apps, especially new startups who have yet to make money on their apps, often do not focus on consumer privacy compliance. Ignoring or postponing privacy law compliance until the app starts generating revenue is risky. Yesterday, the FTC issued guidance making it clear that even small, new mobile app developers must comply with truth-in-advertising and basic privacy principles, or else the FTC may come knocking.
The FTC’s guidance, “Marketing Your Mobile App: Get it Right From the Start,” focuses on eight primary areas of concern:
- Be truthful about your app’s capabilities, including the kind of information you collect and how that information is used.
- Disclose key information clearly and conspicuously; be up-front about the fact that the app collects certain personal information and clearly describe how that information is used.
- Develop good privacy practices from the beginning and keep those practices front and center throughout the app’s development and rollout phases.
- Make user choices within the app easy and follow through with user responses.
- Practice what you preach; live up to the privacy and security assurances that you communicate to users.
- Treat kids with extra-soft gloves; if your app is used by children, take a thoughtful approach to how they use the app, what information the app collects, and how that information is used.
- Consent, consent, consent. Collect sensitive, personal information only with the user’s affirmative consent; this is especially important if collection or sharing of information is not readily apparent.
- Secure user data and be prepared to handle situations where security is breached and information is unintentionally disclosed.
There is no one-size-fits-all approach to privacy and consumer protection practices in the mobile app industry; however, the FTC’s guidance is a strong signal that it intends to treat mobile app developers the same way it treats companies that operate online. The best way to approach privacy and consumer protection compliance is to be truthful and complete in your privacy practice disclosures, to follow through with what you say you are doing, and to be sure to obtain user consent for the collection of any personal information.