If app developers want to avoid the risk of prosecution, they have to make sure they follow the 11 guidelines on mobile app marketing published by the Federal Trade Commission (FTC) in September 2012. The good news is that these guidelines simply describe honest, careful business practices, so an app developer who cares about producing a high-quality product will probably already have these bases covered. Here’s an overview of the FTC rules, as well as a couple cautionary tales about what happens if developers ignore them:
Two of the eleven guidelines center on being honest. You must “tell the truth about what your app can do,” and “disclose key information clearly and conspicuously.” This is essential to building trust with customers, and it’s unlikely that responsible app developers would willfully violate this rule, but the FTC publication points out that “once you start distributing your app, you become an advertiser.” With the boom in app development startups, many entrepreneurs are naively tossing product descriptions into the marketplace without first becoming familiar with laws pertaining to truth in advertising.
The remaining nine guidelines focus on aspects of consumer privacy. These include building privacy protections into the default settings of your product, so that customers have to clearly “opt in” in order to allow their information to be accessed. The guidelines also stipulate that all privacy protections have to be clearly spelled out, that sensitive user data can be collected only with active consent and must be stored securely. Finally, there are some detailed rules specific to protecting the privacy of children.
Despite the fact that the these truthfulness and privacy rules appear to define good basic business practices, it’s possible for app developers to get so caught up in flash and dazzle that they forget to construct basic security architecture. PC Mag reported in March 2014 that Fandango and Credit Karma were both charged by the FTC with violations in the area of app privacy. User credit card information was not protected by SSL (secure socket-layer encryption) even though both apps explicitly promised users that this protection was in place. Furthermore, the two companies had no established processes for vulnerability testing, so the security holes continued for years. Part of the FTC’s ruling in the case requires both companies to undergo independent security testing every other year for the next twenty years, and FTC Chair Edith Ramirez commented, “Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps.”
Even if an app developer is more motivated by the Apple App Store’s rules than by the FTC guidelines (as ClickZ suggests may be the case), the result going forward will be that all apps will have a strong consumer protection policy in place as a basic component of doing business.