In February of 2015, the Federal Trade Commission (FTC) expanded their guidelines for mobile app developers who create apps that collect user data, specifically user location data.
This expansion builds upon the original guidance published by the FTC in February of 2013 in their report "Mobile Privacy Disclosures: Building Trust Through Transparency".
A recently settled lawsuit initiated by the FTC shows that app developers who disregard these guidelines risk being charged with deceptive practices. The lawsuit is discussed later in this article.
Guidance from the FTC
Guidance from 2013
Key points for mobile app developers from the 2013 report include:
Here's what a user sees on the Apple App Store when looking to download the Facebook app:
The same link can be placed on the profile page of the app, but when users are looking from the App Store webpages and not from their iOS devices:
Before any personal information is collected and shared by the app with the necessary third parties, the collecting and sharing of information should be disclosed to the user and express consent must be obtained.
Here's an example of the Airbnb iOS app obtaining consent from users to a newly updated Terms and Conditions agreement:
Guidance from 2015
The 2015 update addresses mobile apps that collect the location data of a user when the app is not being actively used.
The FTC states that when location data is collected while the app is not in use:
- The collection should be disclosed very clearly
- The user should be given the chance to not allow the continual location tracking
This is especially important for apps that a user would not assume would be collecting location data when not actively in use.
For example, someone using a navigation app to get turn-by-turn driving directions will be aware that the app is actively collecting location data during the drive.
However, if that navigation app continues to collect location data after the user arrives at the location and exits out of the app, this should be disclosed and consent obtained because it's not intuitive that the app would do this.
If you have 'background location' turned on, the Foursquare app will, from time to time, tell us about your device's location even if you are not directly interacting with the application.
This language lets the user know that the tracking is continual regardless of active interaction with the app, but also provides the user with a way to avoid the tracking: by turning "background location" off.
While some operating systems, such as iOS 8, have a measure in place that requires all mobile apps to obtain express consent before location data can be collected when an app is not in use, other operating systems do not.
Because of this, mobile app developers should work to add the appropriate disclosures and consent requirements into each mobile app developed. It's legally risky to not do this.
FTC v Goldenshores Technologies
In December 2013, the FTC filed a formal complaint against Goldenshores Technologies alleging unfair or deceptive acts or practices.
Goldenshores developed and provided a mobile app called Brightest Flashlight Free.
The case was settled and Goldenshores was required to comply with a number of requirements. The most notable are the following:
- A just-in-time disclosure must be provided to users that fully informs them of when, how, and why their location data is being collected, used, and shared
- Affirmative express consent must be obtained from users before location data can be collected.
How to stay compliant
As a mobile app developer, there are a few easy steps you can take to make sure your app is compliant with FTC guidelines while collecting location data:
Be very clear on the following:
When you collect, use and share location data.
If your mobile app collects location data constantly, whether the app is being actively used or not, let your users know this.
If location data is only collected when the app is being used, make this clear as well.
Let your users know when that collected data will be used, and when you share it with any third parties.
How you collect, use and share location data.
Let users know what technologies your mobile app uses to collect location data.
Be clear about what the app uses the data for, as well as how exactly the data is shared with any third parties.
By telling users that "various technologies [are used to] determine location, including IP address, GPS, and other sensors", an app lets them better control when and if location data is collected from their devices.
Why you collect, use and share location data.
Be completely transparent about why you need or choose to collect location data.
When we have location information, we use it to tailor our Services for you and others, like helping you to check-in and find local events or offers in your area or tell your friends that you are nearby.
When a user first opens your app, use a dialogue box to notify them about when location data will be collected:
Give the user the option to either consent to this data collection or disallow it.
You can also integrate pop-up reminders that an app requires location tracking to be enabled in order to work, which gives users a choice as to whether to allow location data to be collected at that moment.
The Google Maps app informs users if their location data settings are disabled:
These pop-up messages are a good way to make sure users are aware that location data is being used and to require them to either consent or choose not to continue.