In new guidance on mobile privacy, the Federal Trade Commission (FTC) said that mobile internet searches were, generally, inherently personal. Information collected about those kinds of searches is more likely to be sensitive in nature as a result, it said.
"Mobile technology presents unique privacy challenges," the FTC said. "First, more than other types of technology, mobile devices are typically personal to an individual, almost always on, and with the user. This can facilitate unprecedented amounts of data collection. The data collected can reveal sensitive information, such as communications with contacts, search queries about health conditions, political interests, and other affiliations, as well as other highly personal information. This data also may be shared with third parties, for example, to send consumers behaviourally targeted advertisements."
If the FTC's view was shared by EU regulators it could mean that a greater amount of search query data collected by companies could be subject to restrictive data protection requirements that apply only to the collection of personal data considered 'sensitive.' It would mean that some companies would not be able to rely on legal provisions that allow them to process personal data on the basis of their own "legitimate interests" or those of third parties to whom they intend to disclose data, which enable processing where such interests do not unduly prejudice the fundamental rights of individuals.
In its guidance (36-page 754KB PDF) the FTC said that it is up to mobile platforms to provide consumers with "just-in-time disclosures" if application providers would collect sensitive information about them. It said that the platforms should obtain consumers' "affirmative express consent" before apps can collect that data. It also called for platforms to use privacy "icons" that could let consumers know when their personal data is being accessed.
The FTC said that app developers should have "easily accessible" privacy policies that can be found in app stores. Because many mobile devices have screens measuring "just a few inches", the FTC acknowledged that there are "practical challenges in terms of how critical information – such as data collection, sharing of information, and use of geolocation data – is conveyed to consumers". It said, though, that app developers should obtain users' "affirmative express consent" to collect and share sensitive information if mobile platforms have not already done so.
The FTC also called for mobile technology firms to build a new 'do-not-track' standard for mobile devices that provides consumers with a mechanism to control how their mobile browsing activity is tracked by advertisers and website operators for the purposes of serving personalised content. The standard would be best implemented at "platform level", it said.
"Offering this setting or control through the platform will allow consumers to make a one-time selection rather than having to make decisions on an app-by-app basis," the FTC said in its guidance. "Apps that wish to offer services to consumers that are supported by behavioural advertising would remain free to engage potential customers in a dialogue to explain the value of behavioural tracking and obtain consent to engage in such tracking."
Data protection law specialist Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said that businesses involved in the EU "mobile ecosystem" would be "familiar" with the recommendations the FTC has made. He said it was "interesting" that the FTC had emphasised that platforms were the "gatekeepers of privacy standards" in a mobile context.
"Given that all the platforms mentioned are US players (Apple, Amazon, Google, Microsoft) except for one (Blackberry) the FTC has a strong incentive to stimulate their efforts to develop good privacy practices, and rightly sees the ability of platforms to set requirements for app developers as central to the development of better mobile privacy standards," Dautlich said.
"The FTC’s emphasis on standardised privacy approaches, such as the use of visual icons, which are compared in the FTC’s report to nutrition labels in the food industry, is an example which has already been adopted in neighbouring sectors with some success – such as the icon used now by the online advertising industry on both sides of the pond to identify online behavioural advertising to consumers," he added.
"Whether, however, some of the FTC’s other recommendations are likely to gain traction, or be adopted any time soon in other geographies, is more doubtful – for example the exhortation that the various participants in the ecosystem work together more effectively on privacy matters," Dautlich said. "Given how many players there are, let alone the significant disparity in their resources allocated to compliance and privacy matters – carriers, handset manufacturers, operation system providers, app developers and advertisers to name the main ones – this is going to be challenging. We can expect more debate on this and other challenging topics at the GSM Mobile World Congress in Barcelona later this month."