Improving Mobile App Privacy

By Min Lee
January 31, 2014

Companies that create and distribute mobile apps are under increasing pressure to protect user data. In 2013, the Federal Trade Commission (FTC) and the California Attorney General each published privacy recommendations for mobile apps. See, “FTC Recommends Privacy Practices for Mobile Apps.” Among other things, the FTC urges “privacy by design,” advising companies to build privacy protections into apps from the outset. The FTC also has updated its regulations on children's privacy to address the mobile realm.

What exactly should an app developer do as a practical matter to stay on the right side of these emerging legal rules?

Meet Early With the App Development Team

A quick note on vocabulary: This guidance is intended for the companies that are known in the parlance of the mobile space as app “developers.” Let's say that Company X wants to issue a mobile app to consumers, and it hires a vendor to write the code. Company X, not the code-writing vendor, is the developer.

What the FTC calls “privacy by design,” an internal lawyer at an app developer should call “get yourself into the first meeting.” That is, be there in the room with your businesspeople and sensitize them to privacy concerns when the app is initially being designed. Nothing is more important. It is generally too late to effectively vet an app for privacy concerns if you come in toward the end when the app is mostly “baked.”

The goal is to gather information. First, understand exactly how the app will function. Second, inventory what personally identifiable information (PII) the app could collect. PII includes obvious items like name, e-mail address and credit card number, and less-obvious items like geo-location information and persistent identifiers associated with a smartphone (e.g., unique device identifier [UDID] or Apple's identifier for advertising [IFA or IDFA]) that can be used to track a user across apps. Third, identify what PII the app really needs for its basic functions. PII should be collected when it's intrinsic to those functions, not because a programmer thinks it's interesting, or because you might have a need for it in the future. Location data may be necessary for a restaurant locator app, but probably not for a flashlight app.

After that, list any “sensitive information” the app may collect or access. This includes precise geo-location data (e.g., street address or coordinates), contacts, photos/videos, financial or medical information, and information like race or religion. Lastly, identify any third parties that will collect app data or run app analytics on your company's behalf. Is your company using a vendor to collect and maintain data? Will third-party code be integrated into the app to gather analytics (e.g., audience metrics and usage data)? Will ads be delivered in the app through use of an advertising network?

With this information, you are ready to move on to the fun part: actually building privacy protections into the app. The FTC says those protections should provide “transparency” and “control.” That means providing users with clear notices about the data that will be collected and getting user consent when appropriate.

Be Transparent, Starting With Your Privacy Policy

The first and most important notice is the app privacy policy. It should clearly and comprehensively explain what data the app collects, how the data is used and with whom the data is shared. Do not simply cut and paste the privacy policy from the company website. Chances are it does not cover what a specific app does. It is critical that the privacy policy accurately reflect how the app actually collects data and how the company uses that data. The FTC has gone after companies whose actual data practices were either undisclosed in their privacy policies or inconsistent with them.

Link to the privacy policy from the app store page so that the user can review it before downloading the app. Also display the policy in a prominent location within the app itself, such as the home page or in the Settings menu under the heading “Privacy Policy.” Hyperlinking to the policy is fine if it is easily readable when accessed.

Integrate “Just-In-Time” Notices and Get User Consent

Will the app collect or access sensitive information? If so, provide users with “just-in-time” notices and a consent opportunity. Just-in-time typically means a pop-up that prompts the user to allow the app to collect or access the information immediately before that happens. For example, a just-in-time notice for a location feature might say that the app “would like to use your current location” and ask for the user's permission. If the reason for accessing the user's location is not obvious, explain why the app wants to use that data.

Also use just-in-time notices and get consent if PII will be shared with third parties for uses that a user may not expect: for example, if a third-party ad network will collect persistent identifiers for behavioral advertising purposes, or if the company is working with third parties to combine collected PII with other transactional data to use across its sites. No consent is required for expected uses, such as to fulfill a credit card transaction, to service the app, to measure audience metrics or for the company to run its own contextual ads.
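The two paragraphs above describe a mechanism a developer can actually build: a gate that prompts the user with the reason immediately before sensitive data is first accessed or shared with a third party for an unexpected use, and that lets expected first-party uses proceed under the privacy policy alone. The following is an added example and is not code from the article or its author; the purpose catalogue, the `ConsentGate` class, the simulated device and the user's answers are all hypothetical, constructed for illustration.

```javascript
// Added example (not from the article): a just-in-time consent gate.
// All names and data values below are hypothetical / constructed.

// Catalogue of declared data uses. Per the article's guidance, sensitive
// data (e.g. precise location) and sharing with third parties for uses a
// user may not expect (e.g. ad-network behavioral advertising) get a
// just-in-time prompt; expected first-party uses (servicing the app,
// audience metrics, contextual ads) are covered by the privacy policy.
const PURPOSES = {
  nearbyRestaurants: {
    data: "location", sensitive: true, thirdParty: false,
    notice: "This app would like to use your current location to find restaurants near you.",
  },
  adNetworkProfile: {
    data: "advertisingId", sensitive: false, thirdParty: true,
    notice: "This app would like to share your advertising identifier with an ad network to show ads based on your interests.",
  },
  usageMetrics: {
    data: "usageMetrics", sensitive: false, thirdParty: false,
    notice: null, // expected use: no pop-up, disclosed in the privacy policy
  },
};

class ConsentGate {
  // promptUser(purposeId, noticeText) -> boolean stands in for the pop-up.
  // In a real app this would be the platform permission dialog or an
  // in-app modal shown right before the data is first touched.
  constructor(promptUser) {
    this.promptUser = promptUser;
    this.decisions = new Map(); // purposeId -> true (allowed) / false (refused)
    this.log = [];              // audit trail: what was collected, for what purpose
  }

  needsPrompt(purposeId) {
    const p = PURPOSES[purposeId];
    if (!p) throw new Error(`undeclared purpose: ${purposeId}`);
    return p.sensitive || p.thirdParty;
  }

  // Collect one data item for one declared purpose. Undeclared purposes
  // throw: data is collected only when it is intrinsic to a declared
  // function, never because it might be useful later.
  collect(purposeId, device) {
    const p = PURPOSES[purposeId];
    if (!p) throw new Error(`undeclared purpose: ${purposeId}`);
    if (this.needsPrompt(purposeId)) {
      if (!this.decisions.has(purposeId)) {
        // Just-in-time: ask immediately before the first access, with the reason.
        this.decisions.set(purposeId, Boolean(this.promptUser(purposeId, p.notice)));
      }
      if (!this.decisions.get(purposeId)) {
        this.log.push({ purposeId, data: p.data, collected: false });
        return { allowed: false, value: null };
      }
    }
    const value = device[p.data]();
    this.log.push({ purposeId, data: p.data, collected: true });
    return { allowed: true, value };
  }
}

// Constructed stand-in for the handset; a real app would call platform APIs.
const fakeDevice = {
  location: () => ({ lat: 40.7128, lon: -74.006 }),
  advertisingId: () => "00000000-0000-0000-0000-000000000000",
  usageMetrics: () => ({ screensViewed: 3 }),
};

// Run one session against a simulated user whose answers are given up front.
// Returns which purposes were prompted, each collection result, and the log.
function runScenario(userAnswers) {
  const prompts = [];
  const gate = new ConsentGate((purposeId, notice) => {
    prompts.push(purposeId);
    return userAnswers[purposeId] === true;
  });
  const results = {
    location: gate.collect("nearbyRestaurants", fakeDevice),
    adId: gate.collect("adNetworkProfile", fakeDevice),
    metrics: gate.collect("usageMetrics", fakeDevice),
    locationAgain: gate.collect("nearbyRestaurants", fakeDevice), // no second prompt
  };
  return { prompts, results, log: gate.log };
}

if (typeof require !== "undefined" && require.main === module) {
  // Simulated user allows location but refuses ad-network sharing.
  console.log(JSON.stringify(runScenario({ nearbyRestaurants: true, adNetworkProfile: false }), null, 2));
}
```

Two design points matter for the compliance goal the article describes: a refusal yields no data at all (the device accessor is never called), and the decision is remembered per purpose, so the user is asked once, at the moment of first use, rather than at install or on every access. The audit log is what an in-house lawyer can later compare against the privacy policy to confirm the app collects only what it says it does.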

Be Careful with Children's Information

Be careful if the company decides to launch an app directed to children. Under the Children's Online Privacy Protection Act (COPPA), app developers must provide a just-in-time “direct notice” to parents and obtain their “verifiable consent” before they or any of their third-party service providers (e.g., analytics, social media plug-ins) collect personal information from children under 13. The FTC recently expanded the definition of children's “personal information” to include specific items such as persistent identifiers (unless collected solely for “internal purposes,” such as servicing the app) and photos or videos featuring the child's image or voice. Avoid sending push notifications or get parental consent before doing so; the FTC has advised that information collected from a device to send push notifications qualifies as personal information.

Comply with Industry-Specific And Foreign Laws

Consider whether the company's app may be subject to industry-specific regulation, such as the Health Insurance Portability and Accountability Act (HIPAA) (if the company is a covered entity and collects health care information), Food and Drug Administration rules (e.g., if the app is used as an accessory to a medical device) and the Gramm-Leach-Bliley Act (if the company is a financial institution). If the app is targeted to European users, you should also consult the Article 29 Working Party Opinion on apps (02/2013 WP202) (http://bit.ly/M5nIZg), which, among other things, calls for developers to provide a privacy policy, get consent for each and every type of data that will be collected before the app is downloaded, and only collect strictly necessary data.

Negotiate Third-Party Agreements

Build privacy protections into the company's agreements with its vendors. Review the terms of service of the analytics provider or ad network. In the contract with an analytics provider, ensure that it uses the data only to provide a service on behalf of the app, and prohibit the downstream sharing of such data with other third parties (though this may be permissible if the data will be anonymized and aggregated so that it is no longer associated with a particular user). Make sure the providers you work with are experienced. Indemnification provisions in your favor are important, but not even an ironclad contract will protect against reputational or regulatory risk inflicted by a vendor, or against a vendor who simply disappears.


Min Lee is counsel at Debevoise & Plimpton and a leader of the firm's privacy and data security practice. Prior to joining the firm, she was vice president, associate general counsel at Penguin Random House, where she regularly advised on app development and privacy issues.