FTC Staff Report
app developer can provide a hyperlink to an app’s privacy policy, the text of an app’s privacy
policy, or a short statement describing the app’s privacy practices.[96]

Second, app developers should provide just-in-time disclosures and obtain affirmative
express consent when collecting sensitive information outside the platform’s API, such as
financial, health, or children’s data,[97] or sharing sensitive data with third parties. The Privacy
Report made clear that these categories of information warrant special protection.[98] In the
Privacy Report, the Commission indicated that companies should obtain affirmative express
consent before collecting or sharing this information, and this recommendation applies equally
to app developers. For instance, if an app collects blood glucose information or shares it with
third parties, the app developer should provide the consumer with a just-in-time disclosure of
that fact and obtain affirmative express consent prior to the initial collection or sharing.

As a general matter, it is important that these app-level disclosures not repeat the
platform-level disclosures. For example, an app should be able to rely on the platform’s

96. Although the agreement has been in place for several months, substantial progress needs to occur. A
June 2012 study of 150 of the most popular apps across three leading platforms – Apple’s iTunes app
store, Google’s Play app store, and Amazon’s Kindle Fire app store – reveals how much more work
needs to take place. See Future of Privacy Forum, FPF Mobile Apps Study (June 2012) at 4, available at
http://www.futureofprivacy.org/wp-content/uploads/Mobile-Apps-Study-June-2012.pdf. For example, the
study found that only 28% of paid apps and 48% of free apps available in Apple’s iTunes app store included
a privacy policy or link to a privacy policy on the app promotion page. The top apps in Google’s Play
store fared even worse. There, only 12% of paid apps and 20% of free apps examined provided access to a
privacy policy through the app store. The study did not contain any data on Amazon’s Kindle Fire app store
because as of the publication of the report, Amazon had not yet provided app developers with the means to
comply with the agreement. The Commission staff’s kids app reports reached similar conclusions, noting
the paucity of information provided to parents before they or their children downloaded popular children’s
apps. See FTC Staff, Mobile Apps for Kids: Current Privacy Disclosures are Disappointing, supra note 28,
at 1; FTC Staff, Mobile Apps for Kids: Disclosures Still Not Making the Grade, supra note 33, at 4-6. To
address this problem, the California AG recently sent warning letters to 100 app developers notifying them
that they are not in compliance with California law, which requires the posting of a privacy policy. The
developers were given thirty days to conspicuously post a privacy policy within their app that informs users
of what personally identifiable information about them is being collected and what will be done with that
private information. See Press Release, Office of the Attorney General of California, Attorney General
Kamala D. Harris Notifies Mobile App Developers of Non-Compliance with California Privacy Law (Oct.
30, 2012), available at
http://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-notifies-mobile-app-developers-non-compliance.
In addition, the California AG has sued Delta Airlines, one of the
recipients of the warning letter. See Press Release, Office of the Attorney General of California, Attorney
General Kamala D. Harris Files Suit Against Delta Airlines for Failure to Comply with California Privacy
Law (Dec. 6, 2012), available at
http://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-files-suit-against-delta-airlines-failure.
97. COPPA also requires app developers to obtain parents’ consent before collecting personal information from
children under 13.
98. See FTC, Protecting Consumer Privacy in an Era of Rapid Change, Recommendations for Businesses and
Policymakers, supra note 2, at 59-60.