Scrutiny of mobile privacy is growing on Capitol Hill, but the mobile-app industry appears to be ignoring warning signs.
The Federal Trade Commission revealed today that only 20% of 400 mobile apps aimed at children included any privacy disclosures before or after downloads. The agency said it is investigating whether certain companies have violated laws protecting children online by failing to disclose the types of data gathered through apps and how those data are used.
As the year draws to a close, regulators and lawmakers seem increasingly motivated to impose some clarity on the murky world of mobile apps. The FTC is expected to unveil an update to the Children's Online Privacy Protection Act to require more transparency on data collection by mobile-industry players soon. In addition, the Department of Commerce will discuss a code of conduct for mobile privacy notifications next week.
As a follow-up to a similar report published in February, the FTC studied 400 mobile apps aimed at kids in the Apple and Google Play stores. Almost 60% of the apps studied in the summer test sent device identification data to app developers or third parties such as ad networks and analytics, a sign of how pervasive mobile-data collection has become.
The FTC found that 14 of those ID-disseminating apps also passed along geographic location data and/or a phone number. "Those are very interesting findings in light of the COPPA proposal," suggested Jessica Rich, associate director of the FTC's Division of Financial Practices, during a press conference this morning.
COPPA itself hasn't changed since it was passed in 1998 and of course didn't address smartphones or the non-existent mobile-apps market. Among the FTC's proposed changes would be to define personal information to include a "persistent identifier" such as a mobile device ID.
The commission did not reveal the names of apps it studied. "We think this is a systematic problem and don't want people to think if they avoid certain apps they're home free," said Ms. Rich.
In light of the report, companies developing apps for brands should "make sure they are getting clear information from their vendors about how these programs will operate," said Liisa Thomas, partner with Winston and Strawn, LLP, a law firm that works with brands and agencies.
One unnamed company received data from 223 apps, the FTC found, adding that the firm's "precise use or need for the transmitted information was largely undisclosed."
"Staff also observed that multiple apps transmitted information immediately upon use, highlighting the need for clear and consistent disclosures to parents prior to an app's download," noted the FTC report, "Mobile Apps for Kids: Disclosures Still Not Making the Grade."
Market-research firm The NPD Group found in a March 2012 online survey that kids have access to an average of 12 mobile apps on devices, 88% of them downloaded for free.
Many free apps are monetized through advertising. The commission discovered that 58% or 230 apps downloaded for the study contained ads, but just 9% disclosed that they were ad-supported. The ad industry's self-regulatory program is evident in the mobile environment through the appearance of its blue triangular Ad Choices icon in mobile display ads.
However, the FTC's report helps illuminate what some see as a disconnect between the way the ad industry treats privacy and the way privacy advocates and some in government would prefer to deal with it. While mobile users -- kids and adults -- can opt-out from ad targeting through the icons, data are collected and used in online and mobile environments for purposes beyond ad targeting.
"Industry should realize that it's in their interest to develop some rules of the game," said Kathryn Montgomery, Ph.D., School of Communication, American University. "The kids issue is particularly urgent because they are early adopters."
The FTC's report today "should light a fire under these efforts," said Ms. Rich.