Senate Hearing Reflects Increasing Focus on Mobile Privacy and Consumer Protection
Kelley Drye Client Advisory
May 20, 2011
On May 19, 2011, the Senate Commerce Subcommittee on Consumer Protection, Product Safety and Insurance held a hearing on protecting consumer privacy in the dynamic mobile marketplace created by smart phones and the advent of mobile applications or "apps." The hearing, "Consumer Privacy and Protection in the Mobile Marketplace," comes amid growing concerns for consumer mobile privacy in the wake of reports that mobile app providers collect personal information without privacy policies or consumer consent on data collection and usage. The hearing builds on a May 10, 2011 Senate Judiciary Subcommittee hearing that also focused on mobile privacy (see Kelley Drye Advisory).

The hearing garnered considerable interest from Commerce Committee members. Senators in attendance included Subcommittee Chairman Mark Pryor (D-AR), Sen. Roy Blunt (R-MO), Sen. John Kerry (D-MA), Sen. Amy Klobuchar (D-MN), Sen. Claire McCaskill (D-MO), Sen. John "Jay" Rockefeller IV (D-WV), Sen. Marco Rubio (R-FL), Sen. John Thune (R-SD), and Sen. Tom Udal (D-NM). Two panels of witnesses testified before the Senators, including witnesses that offered views from the government, industry and consumer perspectives.

Sen. Pryor opened with the chief concern that Americans may not understand how their information is being shared given that most app providers do not have privacy policies. As Sen. Rockefeller stated, the fundamental concern was that consumers want to understand and have control over their personal information. Echoing a major theme of the hearing, Sen. Kerry rejected the notion that privacy protection is the enemy of innovation, and commented that consumer trust in mobile devices and apps spurs economic activity in those marketplaces. The panelists addressed these concerns, focusing on FTC authority, behavioral advertising targeting children, and the specific mechanisms and procedures used to protect mobile privacy, summarized below.

Panel 1: Government Perspective

The Senators began by questioning David Vladeck, Director of the FTC's Bureau of Consumer Protection, on mobile privacy and the efforts of the FTC as the primary enforcement authority in consumer protection. Mr. Vladeck began with an overview of the explosion in the mobile marketplace created by smart phones that at the same time raises serious privacy concerns. Mr. Vladeck focused his statements on the role of the FTC in investigating unfair and deceptive trade practices in the mobile marketplace, citing successful investigations of Google and Twitter. Mr. Vladeck also discussed the FTC's preliminary staff report on privacy based on the "privacy by design" concept, streamlined privacy choices, transparency and a "Do Not Track" opt-out mechanism. Mr. Vladeck also discussed the FTC's roundtable on the Children's Online Privacy Protection Act and asserted that there is widespread consensus that COPPA is broad enough to encompass the mobile marketplace without Congressional action.

Questions directed to Mr. Vladeck honed in on FTC authority and capability to enforce COPPA and the FTC Act in order to protect consumers', particularly children's, mobile privacy. The FTC Act provides a broad enforcement mandate but Mr. Vladeck acknowledged that without privacy policies, it is difficult to bring an "unfair and deceptive" action against mobile app makers. Mr. Vladeck noted non-public FTC investigations into practices of kid-focused mobile apps that result in significant charges. With regard to COPPA, Mr. Vladeck indicated that mobile apps would be considered "online services," triggering special notice and consent requirements applicable to children. Sen. Rockefeller inquired whether Vladeck agreed that COPPA is "widely disregarded." Mr. Vladeck responded that he "did not know" whether he agreed with the Senator's statement and went on to cite the recent $3 million settlement with Disney's Playdom, Inc. as evidence of the FTC's COPPA enforcement against mobile app makers targeting children (see Kelley Drye Blog). Sen. Rockefeller pressed Mr. Vladeck on the status of the FTC's rulemaking to update COPPA in light of the mobile Internet marketplace. Comments were due July 2010. Mr. Vladeck indicated that the FTC plans to produce a revised COPPA rule "in the next couple of months" - which did not satisfy Sen. Rockefeller.

Mr. Vladeck's testimony also highlighted some of the major themes presented in the FTC's privacy report, including the Do Not Track mechanism, which gives consumers the ability to opt-out of the collection and use of their personal information for behavioral advertising. In response to a question from Sen. Kerry, Mr. Vladeck indicated that the FTC's proposed Do Not Track mechanism would apply to third party service providers but that applicability to mobile apps would depend on the apps' functionality. Mr. Vladeck acknowledged the difficultly implementing a Do Not Track mechanism for mobile apps and that the FTC does not currently have rulemaking authority to implement such a mechanism. Mr. Vladeck voiced support for the goals of Sen. Rockefeller's Do Not Track Act of 2011.

Panel 2: Industry and Consumer Perspectives

The second panel of witnesses included representatives from industry, including Facebook, Apple, Google, and the Association for Competitive Technology (ACT), as well as a representative of the consumer group Common Sense Media.

Bret Taylor, Chief Technology Officer at Facebook, emphasized the need to balance the openness of the Internet, which helped lead to the development of Facebook, with the need to ensure consumer trust in Facebook through privacy protections. Mr. Taylor indicated that mobile technology plays an increasing important role at Facebook, which extends its online privacy controls to its mobile apps, including a 13 year old minimum age requirement. Sen. Rockefeller pressed Mr. Taylor on this assertion, noting that Facebook is listed in the Apple App Store for ages 4 and up and that an estimated 7.5 million Facebook users are under the of age 13. Mr. Taylor responded that that as soon as Facebook discovers user age misrepresentation, the account is shut down. Sen. Rubio probed the Facebook Places app, which tracks user location information. Mr. Taylor indicated that Facebook Places users actively opt in to sharing their location information when they log in, and that the information is shared indefinitely unless users change their privacy settings.

Catherine Novelli, Apple's Vice President for Worldwide Government Affairs, voiced support for privacy protections particularly when they apply to children. Ms. Novelli indicated that Apple requires all third party app developers to comply with Apple's privacy policy. Further, Apple has built in parental controls on all iOS devices that provide parents with tools to protect their children, rejecting apps that target children under the age of 13. The Senators were interested in the business relationship created by mobile apps. Ms. Novelli stated that once a consumer purchases an app, their business relationship is with the app developer. The Senators pressed Apple on its process to vet "bad apps." Ms. Novelli noted that Apple investigates problem apps, giving app developers 24 hours to resolve an issue before an app is removed from its app store. Sen. Udal was particularly concerned that Apple continues to sell apps that enable drunk drivers to avoid police DUI checkpoints by providing location information despite a letter from the Senator. Ms. Novelli indicated that Apple looked into the various "DUI" apps, finding "differences of opinion" as to the utility of the apps, providing cab information for example, and noting that the information was gathered from police department announcements.

Apple made headlines in recent months for allegedly collecting location information without consumer consent. Ms. Novelli echoed testimony by Apple at a May 10th Senate Judiciary hearing, testifying that Apple does not collect individually-identifiable location information. Ms. Novelli acknowledged that cell towers and Wi-Fi hotspots anonymously store location data but an individual user's phone is not connected to a given location. Ms. Novelli noted that Apple has a free software update available to prevent the release of location information. Ms. Novelli noted the ease with which Apple users opt out of location tracking with a simple on/off feature. Ms. Novelli indicated that while Apple has not taken a position on privacy legislation, she agrees that any company with sensitive personal information should provide clear notice and choice for consumers.

Alan Davidson, Google's Director for Public Policy for the Americas, noted the growing importance of mobile services in the U.S. economy, which requires consumer trust based on consumer privacy protection, transparency and security. Mr. Davidson noted that Google collects mobile geolocation information by opt in consent only (unless the data is anonymized), which is the first screen on any Android phone, he said. Sen. Klobuchar inquired as to Google's pledge at a May 10th Senate Judiciary hearing that it would require app providers to have privacy policies, which Mr. Davidson indicated Google has yet to require. Mr. Davidson indicated that Google does have a flagging mechanism to flag and remove "bad apps" that violate Google's content policies. Google recently came under fire for GoogleBuzz, a social networking app that resulted in a proposed 20-year FTC settlement and consent decree regarding inadequate privacy practices and which prompted a question by Sen. Thun. Mr. Davidson testified that Google recognized the privacy issues with GoogleBuzz early, changing the product within a matter of days. Sen. Thun asked whether the GoogleBuzz FTC consent decree, which requires a "privacy by design" approach enforced by privacy audits every 2 years, constitutes a privacy model that is applicable to other companies. Mr. Davidson responded that he would leave that up to the individual companies.

Morgan Reed, ACT's Executive Director, testified that while most apps do not collect information and are not required to have privacy policies, ACT believes app makers should develop privacy policies. ACT has a working group addressing this issue. Mr. Reed testified that there should be a self-regulatory approach bolstered by FTC enforcement. Fraudulent app makers that either do not have privacy policies or violate their privacy policies, should face stiff penalties though FTC enforcement under Section 5 of the FTC Act's broad authority, Mr. Reed said. Sen. McCaskill cautioned the panel on the unintended consequences of regulating mobile and online privacy and suggested that app providers should offer consumers the choice on a given app - consent to behavioral tracking and receive the app for free or decline to be tracked and pay for the app. Mr. Reed responded that Sen. McCaskill's model is one that ACT is using to give consumers choice.

Amy Shenkan, President and Chief Operating Officer Common Sense Media, focused on the significance of protecting mobile privacy for children, urging Congress to bolster laws protecting children and teen privacy. More specifically, Ms. Shenkan advocated for: (1) an opt in consent industry standard; (2) clear and transparent privacy policies; (3) prohibitions on behavior tracking of children; (4) enabling tools for parents and children to easily delete information about themselves; and (5) increase education and information on online privacy. Ms. Shenkan reiterated Sen. Kerry's point in his opening remarks, rejecting the notion that policymakers face the choice between innovation and privacy.

Conclusion

As Sen. Pryor noted, the hearing may only have covered the "tip of the iceberg" on the legal and policy issues developing in mobile device and app privacy. The hearing adds to the growing flurry of activity in Congress aimed at protecting consumer privacy, particularly in the mobile arena. Numerous bills have been introduced and hearings have been held. Notably, Sen. Rockefeller introduced the Do Not Track Online Act of 2011, which gives the FTC authority to require mobile app providers to implement consumer privacy protections. Senators Kerry and John McCain (R-AZ) introduced the Consumer Privacy Bill of Rights Act of 2011 that proposes rules based on fair information practice principles applicable to mobile phones. While it is not clear that Congress will act on online and mobile privacy this term, as Sen. Kerry noted at the hearing, consumer privacy is a "vital issue growing in its importance," and there is sure to be more activity within the legislative, regulatory, and litigation arenas going forward. For more information on mobile privacy, view and listen to a recording of Kelley Drye & Warren's May 16, 2011 webinar entitled Mobile Applications: Privacy and Data Security Considerations.

Kelley Drye & Warren LLP

Kelley Drye & Warren's Privacy and Information Security practice is a leader in advising clients on privacy and information security issues and has been at the forefront of developments in this growing area of the law. Our attorneys regularly counsel clients regarding all aspects of privacy and data security compliance, including drafting and amending privacy and information security policies, advising clients on interpreting their own policies, crafting data security programs for clients, performing privacy and/or data security audits of existing business practices, drafting agreements with third parties regarding their obligations in connection with handling clients' customer data, and representing clients in connection with federal and state regulator privacy investigations regarding their privacy and data security practices.

Kelley Drye's Government Relations and Public Policy Practice Group helps clients interpret and shape governing laws, enabling them to achieve and maintain market leadership. The varied backgrounds of its government relations lawyers and professionals enable the team to handle a variety of clients needs including representation and strategic planning.

For more information about this advisory, contact:

Dana B. Rosenfeld
(202) 342-8588
drosenfeld@kelleydrye.com

John J. Heitmann
(202) 342-8544
jheitmann@kelleydrye.com

Alysa Zeltzer Hutnik
(202) 342-8603
ahutnik@kelleydrye.com

Christopher M. Loeffler
(202) 342-8429
cloeffler@kelleydrye.com