by Member Omari Sealy
Similar to website browsers, many mobile applications collect a variety of information from the user, including, the user’s identity, usage history, past log-ins, and location. This enables the application to provide various functionality and to tailor features of the application for a better user experience (e.g., items retained in a shopping cart or targeted advertising). These applications can be found in a variety of everyday devices such as smartphones, tablets, laptops, smart TVs, and even in some newer automobiles. However, the enhanced functionality and convenience facilitated by the data collected by the application present a privacy trade-off – the more information that is collected and shared with or made available to third parties, the greater the risk that the information will be misused, improperly disclosed or accessed via data breach or digital snoop.
How do Mobile Applications Collect information?
Mobile applications collect information in ways that are difficult to understand and that are often not within the control of the user. Examples of methods that applications use to track users include the following:
- Device Specific IDs. Device Specific IDs are unique permanent identification numbers/characters associated with the user’s device (e.g., Apple’s Unique Device Identifier (UDID)). Device specific IDs are permanently associated with the device and users generally cannot alter their ID or opt out of being tracked by their ID.
- Metadata and Data Stored on Devices. Applications will often access various files stored on the device for information, including photos, contacts and location. While many applications now request user permission to access such data, once access is granted, that data might contain information related to the user’s current and past locations or other personal information (e.g., a photo stored on a device which contains the coordinates of where it was taken).
- Data Stored in Specific Applications. Many applications store information that users have shared with the application locally on the devices, which data is not necessarily shared with other applications on the device. Such data might be used later by the application for a different purpose (e.g., targeted advertising), but is often not easily accessible on the device so that users can examine or manage the content of the data stored.
- Geo-location Data. Some applications collect information about their users’ locations through global positioning systems (GPS), cell tower proximity, WiFi hotspot locations, and IP addresses. Applications with this capability have been found to be useful by law enforcement agencies to aid in criminal investigations and by parents for monitoring of the location of their children. However, these applications have also been used by companies to track the locations of employees during work hours (e.g., delivery truck drivers) and by marketers to inform consumers of local promotions.
FTC Regulation of Mobile Applications
While there is no federal privacy law specifically targeted at mobile applications, the Federal Trade Commission (FTC) has been examining the privacy implications of mobile applications for some time now. Rather, mobile applications are primarily governed by the same legal and regulatory framework applicable to websites, i.e., Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a) (the “FTC Act”), which prohibits “…unfair or deceptive acts or practices in or affecting commerce.” The FTC has also regulated the privacy of specific types of consumer information through a variety of federal statutes, including the Children’s Online Privacy Protection Act of 1998 (COPPA), the Gramm-Leach-Bliley Act (GLB), aka Financial Services Modernization Act of 1999, the Fair Credit Reporting Act of 1970 (FCRA), among others.
The FTC, in enforcing the FTC Act, has been actively pursuing mobile application developers at least since 2011, and its complaints have typically alleged that the mobile application in question collected consumer data without users’ knowledge or consent, failed to employ reasonable security to safeguard consumer data, or misrepresented or failed to disclose consumer data collection or storage practices or changes to those practices. Generally, the FTC has indicated that it expects mobile application developers to adopt and maintain reasonable data security practices taking into consideration the nature of the mobile application and the data being collected.
Notable examples of actions brought by the FTC against mobile application developers include:
- Path, Inc. In February 2013, the operator of the Path social networking application agreed to a civil penalty of $800,000 to settle FTC charges that it deceived users by collecting personal information from their mobile device address books without their knowledge and consent. The FTC alleged that Path failed to spell out its collection, use and disclosure policy for personal information, and violated the COPPA Rule by failing to obtain parental consent before collecting personal information from users under the age of 13. In addition to the aforementioned civil penalty, the settlement required Path to establish a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years.
- Fandango and Credit Karma. In March 2014, Fandango and Credit Karma agreed to settle FTC charges that they misrepresented the security of their mobile applications and failed to secure the transmission of millions of consumers’ sensitive personal information from their mobile apps. The FTC alleged that each of Fandango and Credit Karma failed to take reasonable steps to secure their mobile applications, leaving consumers’ sensitive personal information at risk. As a condition of the settlements each of Fandango and Credit Karma was required to, among other measures, establish comprehensive security programs designed to address the security risks of their applications and to undergo independent security assessments every other year for the next 20 years.
- LAI Systems LLC and Retro Dreamer. In December 2015, two mobile application developers, LAI Systems LLC and Retro Dreamer, agreed to pay civil penalties to settle FTC charges that they violated the COPPA Rule. The FTC alleged that among other things, LAI Systems LLC allowed third-party advertisers to collect personal information from children and failed to provide notice or get consent from children’s parents for collecting and using the information. The FTC alleged that Retro Dreamer allowed third-party advertisers to collect children’s personal information through its applications and ignored specific warnings about its obligations under the COPPA Rule. As part of their settlements, each of LAI Systems LLC and Retro Dreamer was prohibited from further violations of the COPPA Rule, and each was required to pay a civil penalty in the amount of $60,000 and $300,000, respectively.
It is also worth noting that in addition to mobile application developers, mobile device manufacturers also face the scrutiny of the FTC with respect to the applications on their devices. In February 2013, mobile device manufacturer, HTC America Inc., agreed to settle FTC charges that it had failed to take reasonable steps to secure the software developed for its smartphones and tablets, resulting in security flaws that placed sensitive information about millions of consumers at risk. The FTC alleged that HTC America failed to employ reasonable and appropriate security practices in the design and customization of the software on its mobile devices, failed to provide its engineering staff with adequate security training, failed to review or test the software on its mobile devices for potential security vulnerabilities, failed to follow well-known and commonly accepted secure coding practices, and failed to establish a process for receiving and addressing vulnerability reports from third parties. The settlement required HTC America to fix vulnerabilities found in millions of its devices, to establish a comprehensive security program designed to address security risks during the development of HTC devices, and to undergo independent security assessments every other year for the next 20 years.
Proposed Legislation – The Apps Act
Specific attempts have been made to address the absence of federal legislation specifically geared at regulating mobile application privacy. Originally introduced in May 2013, and re-introduced in February 2016, Georgia Congressman Hank Johnson introduced a bill to enact the Application Privacy, Protection and Security Act of 2013 (the “Apps Act”), which would “…provide for greater transparency in and user control over the treatment of data collected by mobile applications and to enhance the security of such data.”  If enacted, the Apps Act would preempt any conflicting state laws regulating mobile application privacy and provide a single, federal standard that mobile application developers could rely on in the collection, use and protection of consumer information by mobile applications. As of February 2016, the Apps Act has been assigned to a congressional committee for further consideration.
Recent Consumer Litigation Regarding Mobile Applications
While there is no private right of action under the FTC Act, and FTC Act violations generally do not provide the basis for private litigation, mobile application developers have faced lawsuits regarding the data collected by their applications in a number of other contexts. In one recently resolved case that garnered considerable attention, a federal court in San Jose, California combined in May 2012 21 separate lawsuits against Facebook Inc. from jurisdictions across the United States, each of which alleged that Facebook knowingly intercepted its users’ internet communications and activities even after the users logged out of the social network.  The plaintiffs accused Facebook of violating multiple state and federal laws, including the Federal Wiretap Act, the Stored Communications Act, the Computer Fraud and Abuse Act, and California’s Invasion of Privacy Act and sought in excess of $15 billion in damages together with injunctive relief. Ultimately, in October 2015, the court dismissed the suit because it found that the users failed to adequately connect the value of the data collected by Facebook to a realistic economic harm or loss, or to demonstrate that they “personally lost the opportunity to sell their information or that the value of their information was somehow diminished after it was collected by Facebook.”
Employers in a variety of industries use mobile applications to track their employees who are out on sales or service calls, or out making deliveries, with the hope of tracking and improving employee productivity, lowering fuel costs and other costs and boosting profitability. In May 2015, a woman sued her former employer, Intermex, a wire transfer business that facilitates sending money to Latin America, for invasion of privacy, wrongful termination and unfair business practices. The former employee, whose role with Intermex required travel across Central California visiting bodegas and Hispanic business owners to convince them to install Intermex machines, alleged that Intermex required installation of a mobile application named Xora on her company device, which tracked her location via GPS and sent that location information back to her employer. When the former employee objected to being tracked nonstop, even during her personal time, and deleted Xora from the device, she was ultimately terminated. It appears that this lawsuit was settled out of court.
As of July 2015, there were over 1.5 million mobile applications available in each of Apple’s App Store and on Google Play. As new mobile applications continue to be developed, the ways in which consumer information is collected, compiled, stored and used by mobile applications will continue to evolve, and will continue to be closely scrutinized by the FTC and other regulatory authorities. Similarly, consumers who have concerns about the ways in which their information is collected, compiled, stored and used by mobile applications will continue to bring actions that will have an impact on how mobile applications operate going forward.
 See Id.
 See http://www.bloomberg.com/news/articles/2015-10-24/facebook-wins-dismissal-of-15-billion-users-privacy-suit; See also In Re Facebook Internet Tracking Litigation, 5:12-md-02314-EJD, 2015 U.S. Dist. LEXIS 145142 (N.D. California).
 See http://money.cnn.com/2015/05/13/technology/fired-gps-app; See also Arias v. Intermex Wire Transfer, LLC, Case No. 1:15-cv-01101 JLT (E.D. Cal. 2015).
About Data Points: Privacy & Data Security Blog
The technology and regulatory landscape is rapidly changing, thus impacting the manner in which companies across all industries operate, specifically in the ways they collect, use and secure confidential data. Moore & Van Allen’s Privacy & Data Security Group recognizes the challenges clients face in the effort to stay abreast of such volatility. “Data Points” seeks to educate by providing transparent and cutting-edge insight on the most critical issues and dynamics. Our goal is to inform business decision-makers who are navigating these waters about the information they must protect, and what to do if/when security is breached. Read About Our Practice and Meet the MVA Privacy & Data Security Team.