FTC Urges "Privacy By Design" for Mobile Device and Social Media Data Collection As Well

By Brian Nixon On June 28, 2011, the American Bar Association’s science and technology law section held a teleconference to discuss the topic “Law of E-Tracking: Is Your Phone Too Smart, Your Media Too Social, and Your Advertising Misbehaving?” The teleconference addressed, among other things, effective best practices for companies that collect, use and share information about consumers when they use location based services (“LBS”) on mobile devices and/or social media sites. A major concern raised on the teleconference with respect to data collected through mobile devices was that companies are collecting far more consumer data than what is necessary to provide the service. For example, some companies in connection with providing LBS were found to collect consumers’ call logs even though such information was not needed to provide the service. Although the participants acknowledged that certain consumer data is needed to provide the underlying services, practices of this sort and others (such as the highly publicized LBS use by Apple and Google) are discouraged as they raise concerns such as a lack of transparency to consumers. In addition, companies were encouraged to be more practical when attempting to notify consumers of their data collection and use practices on mobile devices by properly accounting for the small screen size on such devices - which can make it challenging for consumers to view the same potentially lengthy privacy policies that are available on companies’ online sites. With respect to data collected by companies through social media sites, the teleconference participants appeared to all agree that companies should develop and provide privacy notices that describe the information they are collecting and give the consumer the choice to opt-out of such collection and use practices. Jessica Rich, deputy director of the FTC’s Consumer Protection Bureau, explained that the FTC encourages companies to provide such disclosure within the context of the transaction (i.e., at the point where the data is being collected) as consumers are more likely to read it then. She cautioned that social media sites need to be more transparent about the data that they are collecting and how such data is being used. As proposed in the FTC’s Preliminary Privacy Report (which we discussed in detail here), Rich reiterated that companies should as a general matter engage in self-regulatory practices such as adopting a “privacy by design” approach in connection with their data collection and use practices by building privacy protections into the companies’ everyday practices. Rich noted that this can be achieved by building privacy practices in at the outset of development of a particular product or service offering. When asked what companies can do to reduce risk when engaging in consumer data collection, Rich explained that companies should not collect consumer data that they do not need, nor should they store consumer data for longer than necessary, and companies should routinely check default and legacy systems to ensure that such systems are not collecting consumer data that is not germane to the company’s product or service offering.