FTC Stresses “Privacy by Design” for Mobile App Developers
Do you really know who’s keeping track of your mobile data? And what about your children’s info? It’s a growing concern for all of us, and for those who develop mobile apps. The federal government wants to make sure everyone is aware that privacy by design—privacy and data protection for consumers—should be built into every stage of the development cycle.
The most recent company to be held up as an example of how not to handle mobile privacy practices is social networking app Path. The Federal Trade Commission (FTC) announced a complaint and settlement, including an $800,000 fine, against Path for accessing users’ contacts without permission and for violating the Children’s Online Privacy Protection Act (COPPA).
From Path’s blog post, “Path and the FTC”:
The gist of the FTC’s complaint is this: early in Path’s history, children under the age of 13 were able to sign up for accounts. A very small number of affected accounts have since been closed by Path.
As you may know, we ask users their birthdays during the process of creating an account. However, there was a period of time where our system was not automatically rejecting people who indicated that they were under 13. Before the FTC reached out to us, we discovered and fixed this sign-up process qualification, and took further action by suspending any underage accounts that had mistakenly been allowed to be created.
We want to share our experience and learnings in the hope that others in our industry are reminded of the importance of making sure services are in full compliance with rules like COPPA. From a developer’s perspective, we understand the tendency to focus all attention on the process of building amazing new things. It wasn’t until we gave our account verification system a second look that we realized there was a problem. We hope our experience can help others as a reminder to be cautious and diligent.
Path joins the ranks of much larger players—Google, Facebook, and MySpace—that the FTC requires to implement a privacy program and obtain regular outside privacy audits.
Along with the announcement of the Path settlement, the FTC issued a set of guidelines that spells out best practices for mobile application developers and others.
FTC Chairman Jon Leibowitz commented:
…education remains a vital complement to our enforcement and policy work. That is particularly true in the app space, where we’ve found that a number of small developers are rushing to get their cool new technologies out to the public, but not practicing privacy by design—perhaps because they don’t know about their obligations to consumers. To address this issue, we have a new publication for app developers, which provides tips on how to safeguard consumers’ information.