F.T.C. Suggests Guidelines on Privacy for Mobile Apps
WASHINGTON — In a strong move to protect the privacy of Americans as
they use the Internet on their smartphones and tablets, the Federal
Trade Commission on Friday said the mobile industry should include a
do-not-track feature in software and apps and take other steps to
safeguard personal information.
The staff report,
which was approved by the commission, is not binding, but it is an
indication of how seriously the agency is focused on mobile privacy. As
if to emphasize that, the commission on Friday separately fined Path, a
two-year-old social networking app, $800,000. It charged the company
with violating federal privacy protections for children by collecting
personal information on underage users, including almost everyone in
users’ address books.
Together the actions represent the government’s heightened scrutiny of
mobile devices, which for many Americans have become the primary way of
gaining access to the Internet, rather than through a laptop or desktop
computer.
“We’ve been looking at privacy issues for decades,” said Jon Leibowitz,
the F.T.C. chairman. “But this is necessary because so much commerce is
moving to mobile, and many of the rules and practices in the mobile
space are sort of like the Wild West.”
The report lays out a clear picture of what sort of activities might
bring a company under investigation — like, for example, conveying the
impression that an app will gather geolocation data only one time, when,
in fact, it does so repeatedly.
For companies like Apple, Google, Microsoft, Amazon and BlackBerry
(formerly Research in Motion), the suggestions essentially carry the
weight of policy.
But the F.T.C. also has its sights on thousands of small businesses that
create apps that smartphone users can download for a specific service.
The introduction of the iPhone created a sort of gold rush among
start-ups to create apps featuring games, music, maps and consumer
services like shopping and social networking.
“This says if you’re outside the recommended behavior, you’re at a
higher risk of enforcement action,” said Mary Ellen Callahan, a partner
at Jenner & Block and former chief privacy officer for the
Department of Homeland Security.
Morgan Reed, executive director of the Association for Competitive
Technology, a trade group representing app developers, said that the
organization generally supported the commission’s report but that it had
some concerns about what he called “unintended consequences.”
If app stores are worried about their own liability over whether they
have adequately checked the privacy protections of a mobile app they
sell, they might err on the side of caution and not screen for privacy
at all, he said.
The federal recommendations follow a similar set of guidelines issued last month
by the California attorney general, whose tips effectively set the
standard for technology companies nationwide, given the state’s huge
consumer market.
The trade commission and the Obama administration last year issued
separate sets of recommendations for safeguarding consumers’ online
privacy, and the subject has attracted growing concern in Congress.
But most of the focus to date, particularly with do-not-track policies,
has been on Internet browsers commonly used at home but not on
cellphones. Do-not-track features let users request that their footsteps
not be followed as they move around online.
The commission and the administration have begun to focus on mobile data
privacy partly because smartphones let so many entities gain access to
personal information, including wireless service providers, mobile
operating system developers, handset manufacturers, app companies,
analytics outfits and advertisers — “a degree unprecedented in the
desktop environment,” the report said.
The activities of Path, a company in San Francisco, illustrate some of
the F.T.C.’s concerns. The company developed a social networking app
that allows people to keep an online journal about moments in their
lives, including written entries, photos, music to which they are
listening and their location. A user can share a journal with up to 150
people. The app has been installed more than 2.5 million times.
The F.T.C. asserted that Path, without alerting its users, had engaged
in deceptive practices because it routinely collected and stored
information about the contacts in users’ address books. The privacy
policy that Path provided to consumers said it collected limited, mainly
technical information about users’ devices.
In fact, the commission said, Path was collecting personal details
including addresses, phone numbers, usernames for Facebook and Twitter,
as well as dates of birth.
The company also collected some of that information from users who, in
signing up for the service, indicated that they were under age 13,
without permission of their parents or disclosure of how it would use
the information — violations of rules adopted under the Children’s
Online Privacy Protection Act.
Path, without admitting or denying the accusations, agreed to pay an
$800,000 fine and to comply with the children’s privacy act, destroy
already collected children’s information, follow its own stated privacy
policy and have its privacy efforts monitored by an outside party.
In a statement
posted on its Web site, Path said that “there was a period of time
where our system was not automatically rejecting people who indicated
that they were under 13.” But even before the F.T.C. contacted the
company, Path said, “we discovered and fixed this sign-up process
qualification and took further action by suspending any underage
accounts that had mistakenly been allowed to be created.”
The F.T.C. staff report, which was approved by a 4-to-0 vote, with one
commission member not participating, recognized that steps were already
being taken to adopt best practices for privacy protection. Among them
is the creation of a group, Moms With Apps,
which developed a badge icon to alert parents to the advertising and
data-collection practices of apps aimed at children.
Even before this report, “the F.T.C. has not been meek,” said Lisa J.
Sotto, managing partner of Hunton & Williams in New York. “They have
brought a number of enforcement actions,” she said. “Those in the
mobile ecosystem know they’re in the regulators’ sights.”