In February 2012 the US Federal Trade Commission (FTC) released a study of privacy and mobile apps for kids. The study concluded that parents weren’t given enough information in the app stores to properly evaluate privacy practices. At the time the FTC issued some recommendations for app developers, as well as Apple and Google:
- All members of the “kids app ecosystem” – the stores, developers and third parties providing services – should play an active role in providing key information to parents.
- App developers should provide data practices information in simple and short disclosures. They also should disclose whether the app connects with social media, and whether it contains ads. Third parties that collect data also should disclose their privacy practices.
- App stores also should take responsibility for ensuring that parents have basic information. “As gatekeepers of the app marketplace, the app stores should do more.” The report notes that the stores provide architecture for sharing pricing and category data, and should be able to provide a way for developers to provide information about their data collection and sharing practices.
A new follow-up study from the FTC issued today, based on a review of 400 kid-oriented apps for iOS and Android, reports that most of these recommendations have not been followed. The FTC concludes, “Industry appears to have made little or no progress in improving its disclosures since the first kids’ app survey was conducted.” The report adds, “[M]ost apps failed to provide basic information about what data would be collected from kids, how it would be used, and with whom it would be shared.”
Kids’ apps that transmitted or shared information
This new survey went a step beyond simply examining privacy disclosures. It compared privacy disclosures to actual privacy practices:
Specifically, the new survey examined whether the apps included interactive features or shared kids’ information with third parties without disclosing these facts to parents. The answer: Yes, many apps included interactive features or shared kids’ information with third parties without disclosing these practices to parents
The FTC found that “Of the 400 apps reviewed, only 20% (81) contained any privacy-related disclosure on the app’s promotion page, on the developer website, or within the app.”
The type of information shared
In a few cases the FTC found apps that provided assurances that personal data (i.e., device ID, phone number) and location were not being shared even as they were in fact conveyed to multiple ad networks. Ad networks were the most common recipient of the user data in question, although often it was potentially available to social networks.
In nearly 60 percent of the apps there was some information transmitted from the device to the developer or a third party:
In total, staff found that 59% (235) of the 400 apps transmitted some information from a user’s mobile device back to the developer or to a third-party. The most common piece of information that was collected and shared was a user’s device ID, a string of letters or numbers that uniquely identifies each mobile device. Indeed, all 59% of the apps that transmitted some information transmitted a device ID to the developer or, much more commonly, to a third-party. Of all the apps reviewed, 5% (20) transmitted the device ID back to the developer, while 56% (223) transmitted the device ID to ad networks, analytics companies, or other third parties.
Apps with ads and related disclosures
The report scolds the industry for not being transparent enough and not acting quickly enough to enact parent and kid-friendly privacy practices. The FTC calls upon developers, publishers and app stores to do the following:
- Adopt a “privacy by-design” approach to minimize risks to personal information
- Provide consumers with simpler and more streamlined choices about relevant data practices
- Provide consumers with greater transparency about how data is collected, used, and shared
What’s most interesting about this report and the above recommendations is what it may suggest about the future of privacy regulation in mobile app development and digital/mobile advertising more broadly.
There is some sort of privacy regulation on the way; I can all but guarantee it. The FTC however is trying to balance interests of stakeholders and create rules that are both meaningful for consumers and not-too-burdensome to the industry.
Those who may believe that the FTC will sit on the sidelines and allow the industry to “self-regulate” are deluded. I’ve read and heard enough from the FTC on this subject to believe that self-regulation is regarded as ineffectual ultimately. Indeed, this report is a spanking for self-regulation and stands as evidence that the FTC believes it largely won’t work.