In Reddit Chat, FTC’s Ohlhausen Gives Take on App Privacy

The Reddit AMA was a good opportunity for Ohlhausen to speak to “technologists who are hands on with the code every day,” said Morgan Reed, executive director of the Association for Competitive Technology (ACT), which works with 5,000-plus small to mid-sized app developers. Technologists and developers don’t always understand, from a technical standpoint, how the FTC’s compliance rules are helping achieve the commission’s privacy and data security goals, Reed said. For instance, most technologists don’t see an IP address as personally identifiable information (PII), but the FTC does, said Reed. “Finding a way for developers to understand that” is “helpful,” Reed said.

Developers have two main FTC-related concerns -- “the carrot and the stick,” Reed said. “What are incentives to do it right?” and how are bad actors “punished in a way that it is clear it is worthwhile to take the time to do it right?” App developers want a clear idea of how to comply with privacy guidelines while still being able to create a good user experience, Reed said. And they want compliance with privacy guidelines -- such as the Children’s Online Privacy Protection Act safe harbor program -- to give them a level of brand trust, he added. With numerous privacy best-practice documents in existence -- from industry associations and the FTC -- it can be difficult to know whether complying with any or all of them will gain an app consumer trust. “When you combine” every best-practice privacy guideline “there isn’t clear unification,” Reed said.

"The FTC has made it clear that companies need to notify consumers and get their consent before using their personal information in a way that is different from what they promised when they collected that information,” Ohlhausen said during the chat session. This gives users the choice, she said, to select products based on their preferred privacy terms. “If consumers object to the changed terms, they can look for other products or services in the market that offer privacy terms they prefer,” she said. “It seems like companies are starting to compete on their privacy terms more frequently and I applaud this development."

"When the FTC staff gives a series of best practices or proposals for self-regulation it would be nice to know which, if any of those, the FTC believes are actionable under existing federal law,” said Reed Freeman, a lawyer at Morrison Foerster who has counseled app developers and advertisers on complying with FTC privacy and data security regulations. Freeman over the years has seen the FTC issue “a large number of staff reports” on privacy and online behavioral advertising that he thought were characterized as “best practices.” Since then, the FTC has brought enforcement actions for not complying with several of these best practices under its Section 5 authority, he said.

"It leaves you wondering, ‘Are other things already required?'” Freeman said. Knowing what’s “aspirational and what’s enforceable” would help companies know how to set themselves apart in the market, he said. “The industry is not conditioned over time to receive and know what to do with recommendations from the government.” Marc Groman, CEO of the third-party digital advertising group Network Advertising Initiative (NAI), said industry can divine a good amount of the FTC’s priorities through its publications. “The FTC has done a good job in highlighting best practices through enforcement, education and best practices,” he said.

Numerous codes of conduct can complement each other “if we do our job right,” Groman said. Ohlhausen praised NAI’s 2013 Mobile Application Code during a September speech. “For the first time,” she said then, NAI’s code “addresses the collection and use of data from mobile apps.” NAI can “provide guidance to the mobile advertising network,” Groman said, while ACT’s app developers guide -- which it is producing with NTIA -- can also be “very beneficial for the ecosystem."

"Self-regulation is an important way to offer consumers additional privacy choices,” Ohlhausen said during the chat session. “The commission has long supported industry self-regulation as an efficient way of securing consumer benefits and promoting a robust and competitive marketplace.” Ohlhausen cited COPPA and apps as two areas leading the way in self-regulation. It’s a “great example of how private efforts can augment our work at the FTC,” she said. “Although I can’t discuss ongoing FTC litigation, I can say that the FTC has often used its authority under Section 5 to challenge deceptive and unfair practices in the area of privacy,” Ohlhausen said. “We have brought many cases where companies that made promises about how they will use or secure consumer data have failed to live up to those promises. I believe we can continue to do this in the future."

Reed thinks there need to be “some cases to help clarify when somebody has done something really wrong so the rest of the industry understands,” he said. For instance, app developers in the Google Play store were automatically getting the name and zip code of everyone buying their application, Reed said. That information “was opaque to the user,” he said, but the developers were saying, “I didn’t make that happen.” That type of confusion leads to FTC action, according to Reed.

The commission could start by updating its November 2011 “Protecting Personal Information: A Guide for Business,” (http://1.usa.gov/17CcGlG) Freeman said. “It’s proven to be a helpful document for industry.” Reed and Groman agreed the commission needs to clarify what’s considered to be sensitive data and how to treat it. “Great examples are location data, address books, contact lists,” said Groman. This clarifying role as an educator and informer for app developers and consumers shouldn’t necessarily extend to issuing regulations, Reed and Groman said. Waiting for comment periods, review periods and government bureaucracy -- “that’s insane,” Reed said. “Nobody wants technology at the speed of government.”