[{"innerBlocks":[],"name":"core\/freeform","postId":869,"blockType":{"name":"core\/freeform","keywords":[],"attributes":{"content":{"type":"string","source":"html"},"lock":{"type":"object"}},"providesContext":[],"usesContext":[],"supports":{"className":false,"customClassName":false,"reusable":false},"styles":[],"variations":[],"apiVersion":2,"title":"Classic","description":"Use the classic WordPress editor.","category":"text"},"originalContent":" $\"phone$ To say that mobile device usage has reached a tipping point would be an understatement. There are now more mobile devices<\/a> than people in the world, a staggering 7.9 billion mobile devices for 7.4 billion people on Earth. In the U.S., more time is spent on mobile media than on desktop<\/a> and other media, 2.8 hours per day per person. Mobile devices are dominating<\/a> consumers\u2019 media consumption: 80 percent of Internet users own a smartphone, and other \u201csmart\u201d devices are quickly gaining ground. The proliferation of mobile devices and apps has touched nearly every aspect of our lives and is playing an increasingly integral role in such wide-ranging areas as retail, health, finance, and home security.\n\nAs consumers embrace mobile technology, companies have more access than ever to a wide range of sensitive personal information. Not surprisingly, consumer concerns about the privacy and security of their data are at an all-time high: a recent survey shows that 89 percent of consumers<\/a> reportedly have avoided companies that do not protect their privacy, and 45 percent are now more worried about online privacy than they were a year ago. This post updates our 2014 Mobile Privacy and Security Trends and What to Look for in 2015<\/a> article and examines recent developments in mobile marketing, mobile payments, and the Internet of Things (IoT), as well as the ever-evolving mobile legal and regulatory landscape.\n\nMobile Trends<\/strong><\/b>\n\nA. Mobile Marketing<\/u>\n\nWith consumers spending ever more time on mobile devices, marketers are finding them where they are. Advertisers spent an estimated $68.69 billion<\/a> on mobile advertising in 2015, with spending expected to top more than $195 billion by 2019<\/a>. With 90 percent of mobile consumers<\/a> using location-based services to get directions and local recommendations, location-based advertising has skyrocketed and is expected to reach $15 billion by 2018<\/a>. While these certainly are high figures, when compared with the total amount spent on Internet advertising, mobile still has plenty of room to grow. Figures for 2014<\/a> show that of the $50 billion spent on Internet advertising that year, mobile accounted for about only 25 percent.\n\nAdditionally, social media marketing<\/a>, <\/u>estimated at $24 billion in 2015, continues to be a lucrative investment for advertisers. Given that nearly 70 percent of mobile users<\/a> in the 18-29 age group access social media sites on their mobile devices, marketers are adapting advertisements for mobile consumption. Native advertising and paid endorsements have become popular trend<\/a>s<\/u> in social media and mobile marketing, with 90 percent of advertisers reportedly using native ads and 70 percent of Internet users reportedly wanting to learn about products through content instead of traditional ads.\n\nCompanies and advertisers also are increasingly developing mobile apps to reach consumers. According to Red Hat\u2019s Mobile Maturity Survey 2015<\/a>, 52 percent of companies now have a fully implemented mobile strategy, with 90 percent of surveyed companies reporting that investment in mobile apps would increase in 2016. Not only are web-based companies leading the charge, but in-store retailers also are increasingly leveraging mobile capabilities. More and more retailers are using in-store web beacons and other similar technologies to track consumers\u2019 in-store location data, analyze consumers\u2019 purchasing activity, and push relevant, real-time, in-store promotions to consumers.\n\nB. Mobile Payments<\/u>\n\nMobile payment systems are also on the rise. The value of purchases made on mobile devices is projected to grow<\/a> from $52 billion in 2014 to $142 billion by 2019. While mobile commerce currently represents 22 percent of all U.S. digital commerce revenue, it is expected to jump to 50 percent <\/a>\u00a0<\/u>by 2017. The Apple Pay mobile payment and digital wallet system illustrates the growing popularity of mobile payments, with more than a million credit cards<\/a> registered for use with the service in the first three days of availability. Starbucks<\/a> also has seen great success with its member loyalty program, which has driven mobile payments and resulted in Starbucks earning 90 percent of the $1.6 billion spent in U.S. stores via smartphones in 2013.\n\nC. Internet of Things<\/u>\n\nAlong with the rise of mobile devices, the IoT industry has grown exponentially. The term IoT refers to \u201cthings\u201d such as devices or sensors \u2013 other than computers, smartphones, or tablets \u2013 that connect, communicate, or transmit information with or between each other through the Internet. It is hard to imagine any industry that has not been affected by this new form of technology, from wearable technology<\/a> and health trackers<\/a>,<\/u> to smart thermostats<\/a>, networked baby monitors<\/a>, and connected cars<\/a>. There will be an estimated 24 billion connected<\/a> IoT devices by 2020, and nearly $6 trillion will be spent on IoT solutions over the next five years.\n\nData Privacy and Security Risks and Legal and Regulatory Trends<\/strong><\/b>\n\nWhile mobile and IoT devices offer immense real-time convenience and functionality, they raise commensurate privacy and security concerns about the collection and use of sensitive personal data. As consumers and the companies that market to them move to mobile, the regulators are following. In the past year, regulators increasingly have turned a watchful eye toward all things mobile.\n\nA. Federal Trade Commission<\/span>\n\nThe FTC has continued to focus on the mobile industry, in both its enforcement actions and educational workshops and reports. We summarize below the FTC\u2019s recent actions relating to the mobile industry.\n\nInternet of Things<\/em>\n\nIn January 2015, the FTC released a report<\/a> titled The Internet of Things: Privacy and Security in a Connected World <\/em>(the \u201cIoT Report\u201d) following a 2013 FTC workshop by the same name. Echoing the FTC\u2019s core fair information practice principles<\/a> (FIPPs), the IoT Report recommends a number of concrete steps companies can take to enhance and protect consumers\u2019 privacy and personal information collected by the multitude of Internet-connected devices, including:\n\n(1) Build security into devices at the outset rather than as an afterthought in the design process.\n\n(2) Train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization.\n\n(3) Ensure that outside services are capable of maintaining reasonable security, and provide reasonable oversight of the providers.\n\n(4) When a security risk is identified, consider a \u201cdefense-in-depth\u201d strategy whereby multiple layers of security may be used to defend against a particular risk.\n\n(5) Consider measures to keep unauthorized users from accessing a consumer\u2019s device, data, or personal information stored on the network.\n\n(6) Monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.\n\n(7) Limit the collection of consumer data, and retain that information only for a set period of time, not indefinitely.\n\n(8) Notify consumers about their choices about how their information will be used, particularly when the data collection is beyond consumers\u2019 reasonable expectations.\n\nThe FTC also released a companion business guide to the IoT Report, titled Careful Connections: Building Security in the Internet of Things<\/em><\/a>. This guide summarizes, in plain English, the best practices set forth in the IoT Report and encourages businesses to take reasonable steps to protect consumers.\n\nMost recently, on March 31, 2016<\/a>, FTC Chairwoman Edith Ramirez made remarks at an American Bar Association IoT Conference in Washington, D.C. suggesting that companies need to take steps to deal with the \u201csignificantly magnified\u201d risks posed by the rapidly evolving IoT industry. Commissioner Ramirez stated, \u201cIn light of various studies showing consumers are deeply concerned about IOT\u2019s data collection, disclosure of sensitive information and their lack of control and awareness of who has access to the data that\u2019s collected, it\u2019s particularly important for IOT manufacturers to design devices that take into consideration unexpected uses of their IOT data, and the potential for misuse.\u201d\u00a0 Commissioner Ramirez emphasized the importance of developing IoT products with a \u201cprivacy by design\u201d approach, and addressing issues as they arise throughout the product\u2019s life cycle. Commissioner Ramirez also stated that the FTC would hold a series of workshops this fall 2016 to look at the variety of consumer protection issues posed by drones, \u201csmart\u201d televisions, and ransomware.\n\nLocation-Based Tracking and Cross-Device Tracking<\/em>\n\nIn April 2015, the agency reached a settlement<\/a> with retail tracking firm Nomi Technologies, Inc. Nomi places sensors in retail stores to track customers\u2019 purchasing behavior by recording their mobile device\u2019s MAC addresses. Nomi\u2019s privacy policy promised that it would provide an opt-out mechanism at stores using its services, which, according to the FTC, implied that consumers would be informed when stores were using Nomi\u2019s tracking technology. In reality, the FTC alleged, Nomi failed to notify consumers when their mobile devices were being tracked and failed to provide the ability to opt out of the tracking. Under the terms of the settlement, Nomi is prohibited from misrepresenting consumers\u2019 options for controlling whether information is collected, used, disclosed, or shared about them or their devices, as well as the extent to which consumers will be notified about information practices.\n\nIn November 2015, the FTC hosted a workshop<\/a> focused on cross-device tracking of consumer behavior. The workshop focused on new methods the mobile industry has adopted to track consumer behavior, including \u201cdeterministic\u201d tracking, which requires a consumer to sign into a platform to access its service. This allows the company to then link the consumer\u2019s various devices to a single account. Another method is \u201cprobabilistic\u201d tracking, which involves the collection of information such as device type, operating system, fonts, and IP address to create a \u201cdigital fingerprint\u201d of the user to link him or her to different devices. The FTC\u2019s workshop focused mainly on this probabilistic type of tracking, which is generally invisible to consumers and therefore poses privacy concerns. The FTC identified the following takeaways, which may shed light on the FTC\u2019s potentially emerging position on cross-device tracking: (1) companies need to work toward providing greater transparency, choices, and education for consumers; (2) companies should engage consumers in a way that will not cause consumers to lose trust in the marketplace; (3) data minimization policies and technologies will become more important as the amount of data collected about consumers increases; and (4) companies should be mindful of, and comply with, the privacy representations they make to consumers, both about their own actions and the actions of affiliated third parties. For more information, see this previous post on our blog<\/a>.\n\nNative Advertising and Paid Endorsements<\/em>\n\nAnother area the FTC has recently focused on is native advertising and paid endorsements in the mobile environment. Native advertising is advertising that bears a similarity to the news, feature articles, product reviews, entertainment, and other material that surrounds it online. A related advertising trend is paid endorsements on social media, where advertisers will pay celebrities or \u201cinfluencers\u201d with a strong social media following to post pictures or videos of them with the advertiser\u2019s product. Last December, the FTC issued its long-awaited Enforcement Policy Statement on Deceptively Formatted Advertisements<\/a> (the \u201cPolicy Statement\u201d) and its companion Native Advertising: A Guide for Businesses<\/a> (the \u201cBusiness Guide\u201d).<\/u> As discussed more fully in our previous post<\/a>, the Policy Statement and Business Guide apply the FTC\u2019s long-standing consumer protection standards to the native context. The key takeaways from the Policy Statement are: (1) native ads should clearly be identified as consumer advertising; (2) promotional content is deceptive if it misleads consumers into believing it is independent or impartial; (3) qualifying information, such as the advertiser\u2019s connection to the content, must be clear, conspicuous, and prominent; and (4) the FTC will decide whether an ad is deceptive based on the net impression the ad conveys to the reasonable consumer in the context of the platform and any qualifying information in the ad.\n\nAdditionally, in June 2015, the FTC updated its frequently asked questions (FAQs) guidance to the FTC\u2019s 2009 Endorsement Guidelines (the \u201cGuidelines\u201d). The Guidelines FAQs provide helpful commentary on how to apply the agency\u2019s endorsement guideline standards to evolving forms of digital marketing and promotion. As we discussed in more detail in our previous post<\/a>, the Guidelines FAQs provide greater clarity on when social media influencers and bloggers must make disclosures about their connection to the brand they are promoting.\n\nThe FTC has been actively enforcing its native advertising and endorsement guidelines in the past year. For instance, in September 2015, the FTC announced<\/a> that it had settled charges against Machinima, Inc., that the online entertainment network had engaged in deceptive advertising by paying influencers to post YouTube videos endorsing Microsoft\u2019s Xbox One system and several games. The FTC alleged that the influencers paid by Machinima failed to adequately disclose that they were being paid for their seemingly objective opinions. As part of the final order<\/a>, just recently approved by the FTC this March, the company is prohibited from misrepresenting in any influencer campaign that the endorser is an independent user of the product or service being promoted. Notably, Machinima must also ensure that all its influencers are aware of their responsibility to make required disclosures, by monitoring them and prohibiting payment to influencers who do not make such disclosures.\n\nMost recently, on March 15, 2016, the FTC settled charges that Lord & Taylor<\/a> deceived consumers by paying for native advertisements, including a seemingly objective article and Instagram post, without disclosing that the posts actually were paid promotions. The FTC also charged the company with paying 50 online fashion influencers to post Instagram pictures of themselves wearing the same dress design while failing to disclose they had paid each influencer thousands of dollars and given each influencer a dress in exchange for her endorsement. The agreement (1) prohibits Lord & Taylor from misrepresenting that paid commercial advertising is from an independent or objective source and misrepresenting that any endorser is an independent or ordinary consumer, (2) requires the company to disclose any payment or benefit given to an influencer or endorser, and (3) establishes a monitoring and review program for the company\u2019s endorsement campaigns.\n\nUnauthorized Installation of Mobile Software<\/em>\n\nIn June 2015, the FTC reached a settlement<\/a> with Prized Mobile, a mobile app that grants users points for playing games or downloading affiliated apps, which can be spent on rewards such as clothes and gift cards. The app promised consumers that it would be free of malware and viruses. The FTC alleged that the app\u2019s actual purpose was to infect the consumers\u2019 mobile phones with malicious software to mine virtual currencies. As part of the settlement, the Prized Mobile app developer is banned from creating and distributing malicious software and must destroy all information about consumers collected through the marketing and distribution of the app.\n\nMore recently, in February 2016, the FTC reached a settlement<\/a> with technology company Vulcun on charges that it unfairly replaced a popular web browser game with a program that installed applications on consumers\u2019 mobile devices without their permission. The FTC alleged that Vulcun\u2019s Google Chrome browser extension game, Running Fred, installed apps directly on the Android devices of consumers while bypassing the permissions process required by the Android operating system. The FTC\u2019s complaint charged that Vulcun\u2019s actions unfairly put consumers\u2019 privacy at risk. According to the FTC, \u201cby bypassing the permissions process in the Android operating system, the apps placed on consumers\u2019 mobile devices also could have easily accessed users\u2019 address books, photos, location, and device identifiers.\u201d Under the terms of the settlement, Vulcun is required to tell consumers about the types of information a product or service will access and how it will be used, display any built-in permissions notice associated with installing a product or service, and get users\u2019 express affirmative consent before the installation or material change of a product or service\n\nChildren\u2019s Privacy and the COPPA Rule<\/em>\n\nIn December 2015, the FTC reached two settlements<\/a> with app developers on allegations that they violated the Children\u2019s Online Privacy Protection Rule (COPPA Rule). As we have blogged about previously, the FTC brought actions against app developers LAI Systems (also known as TapBlaze)<\/a> and Retro Dreamer. In both actions, the FTC alleged that the app developers violated COPPA by allowing third-party advertisers to collect personal information from children under 13 through the use of persistent identifiers without first obtaining parental consent. The third-party advertisers then served targeted advertisements to those children. Under the terms of the settlement agreements, Retro Dreamer agreed to pay a $300,000 civil penalty, and TapBlaze agreed to pay a $60,000 civil penalty and post a link on its website that provides notice of its data policies. Both app developers are prohibited from engaging in practices that would further violate the COPPA Rule.\n\nIn addition to its COPPA enforcement actions, the FTC continued to examine data privacy and security issues relating to children. In 2015, the FTC conducted its third kids\u2019 app survey. The survey examined what information kids\u2019 app developers are collecting from users, whom they are sharing it with, and what disclosures they are providing to parents about their practices. The resulting report<\/a> found that privacy policies on children\u2019s apps have become easier to locate, but it encouraged companies to make disclosures that accurately reflect what children\u2019s information the app collects.\n\nMost recently, in January 2016, the FTC\u2019s Bureau of Consumer Protection posted a blog article <\/a>warning parents about weak data security protections in Internet-connected baby monitors. Following its review of five baby monitors, the FTC found that each lacked sufficiently strong password requirements and that nearly half of the monitors did not encrypt the feed between the monitor and the home router. According to the FTC, these security vulnerabilities pose the risk of strangers hacking into the live baby monitor feed. The FTC\u2019s focus on this industry suggests further enforcement actions in the future.\n\nB. Federal Legislation<\/u>\n\nIn January 2015, Sen. Ron Wyden<\/a> (D-OR) and Rep. Jason Chaffetz<\/a> (R-UT) reintroduced the GPS Act, which would create a process for government agencies to get a probable cause warrant to obtain geolocation information, as well as prohibit businesses from disclosing geographical tracking data about a customer to others without the customer\u2019s permission.\n\nIn February 2015, House Representatives Zoe Lofgren (D-CA), Ted Poe (R-TX), and Suzan Delbene (D-WA) reintroduced the Online Communications and Geolocation Protection Act<\/a>. The act would require the government to obtain a warrant to access the contents of any wire or electronic communication that is stored, held, or maintained by an electronic communication service or remote computing service, as well as prohibit government entities from intentionally intercepting an individual\u2019s geolocation information that was obtained in violation of the act\u2019s prohibitions.\n\nIn November 2015, Senator Al Franken (D-MN) reintroduced the Location Privacy Protection Act of 2015<\/a>, which would prohibit companies from collecting or disclosing geolocation information from an electronic communications device without the user\u2019s consent. It provides exceptions for parents tracking their children, emergency services, law enforcement, and other cases. The bill would also prohibit development and distribution of \u201cstalking apps,\u201d establish an Anti-Stalking Fund at the Department of Justice, and take other steps to prevent geolocation-enabled violence against women.\n\nC. State Regulator Actions and Legislation<\/u>\n\nIn January 2016, the New York Attorney General\u2019s office announced<\/a> that it had reached a settlement with the ride-hailing app Uber Technologies Inc. over its alleged tracking of riders and exposure of drivers\u2019 personal data. This follows intense scrutiny of the company started in 2014<\/a>, after reports about its \u201cGod View\u201d \u2013 which allowed Uber employees real-time access to customers\u2019 location information \u2013 surfaced. Under the terms of the settlement, Uber is required to encrypt riders\u2019 GPS information and adopt authentication measures before any employee can access riders\u2019 sensitive personal information. The New York Attorney General also fined Uber $20,000 for failure to provide timely notice to drivers and his office in the aftermath of a September 2014 data breach.\n\nIn California in 2015, the state legislature introduced a bill, AB886<\/a>, which would have forced Uber, Lyft, and other ride-sharing apps to guard customers\u2019 personal information. The bill would have prohibited smartphone-ordered ride services from disclosing any passenger data except to combat fraud or other crimes. It also would have required the ride-sharing services to destroy all personal information when customers canceled their accounts. The bill died in committee in January 2016.\n\nD. Mobile Industry Self-Regulation<\/u>\n\nIn addition to federal and state laws and regulations, industry self-regulatory groups have developed their own regulations. The Interactive Advertising Bureau (IAB) has recently developed a Mobile Location Data Guide for Publishers<\/a>, which advises companies to strike a balance between collecting accurate location data and delivering an optimal user experience (i.e., preserving battery life, reducing network activity).\n\nBeginning September 1, 2015<\/a>, the Digital Advertising Alliance (DAA) began enforcing its Application of Self-Regulatory Principles to the Mobile Environment<\/a> (Mobile Guidance). The Mobile Guidance urges mobile app advertisers and publishers to be transparent in collection of multisite data, cross-app data, precise location data, and personal directory data. It also sets guidelines for app advertisers and publishers to give consumers control over how and when such data is collected. Entities that are not compliant with the Mobile Guidance risk being subject to DAA accountability mechanisms. For more information, see this previous post on our blog<\/a>.\n\nIn 2015, the DAA also released two mobile tools for consumers<\/a>, the AppChoices<\/a> mobile app and the DAA Consumer Choice Page for Mobile Web<\/a>. AppChoices is a free mobile app that allows consumers to opt out of the collection and use of cross-app data, other than for permitted uses, by listing third-party AppChoices participants that consumers may select. The DAA Consumer Choice Page for Mobile Web is a mobile-web-optimized tool that consumers can use to opt out of the collection of cookie-based data for interest-based advertising by selected participating third parties. For more information, see this previous client alert<\/a>.\n\nLooking Forward: Mobile Privacy and Security in 2016<\/strong><\/b>\n\n2016 is shaping up to see a continuation and acceleration of the mobile trends of the past few years. More specifically, for the balance of 2016, we expect to see the following.\n
\n\t
Regulators will continue to follow companies and advertisers to mobile.<\/strong> Along with a steady rise in mobile marketing, we expect to see increased regulatory scrutiny of advertisers that engage in native advertising and paid endorsements, especially on mobile screens. As evidenced by the FTC\u2019s recent settlement with Lord & Taylor, advertisers that do not clearly disclose the nature of these ads are at risk of facing an FTC enforcement action.<\/li>\n\t
Advertisers and retailers will increase their use of location-based ads.<\/strong> With the number of mobile devices and the types of personal information users are comfortable sharing through their devices continuing to grow, advertisers will be able to craft more personalized and sophisticated real-time ads targeted at individuals\u2019 unique characteristics and preferences. Location-based tracking, including the use of web beacons, will continue to play a large role as advertisers and retailers continue to reach consumers where they are, in many cases even in their own stores. As the collection and use of location-based data grow, we also expect to see traction in the legislatures and from the regulators regarding the collection and use of location-based consumer data.<\/li>\n\t
Privacy by Design in IoT will become increasingly important.<\/strong> As consumer-facing companies continue to expand and experiment with IoT functionality and capabilities across all industry verticals, data privacy and security will continue to","saveContent":" $\"phone$ To say that mobile device usage has reached a tipping point would be an understatement. There are now more mobile devices<\/a> than people in the world, a staggering 7.9 billion mobile devices for 7.4 billion people on Earth. In the U.S., more time is spent on mobile media than on desktop<\/a> and other media, 2.8 hours per day per person. Mobile devices are dominating<\/a> consumers\u2019 media consumption: 80 percent of Internet users own a smartphone, and other \u201csmart\u201d devices are quickly gaining ground. The proliferation of mobile devices and apps has touched nearly every aspect of our lives and is playing an increasingly integral role in such wide-ranging areas as retail, health, finance, and home security.\n\nAs consumers embrace mobile technology, companies have more access than ever to a wide range of sensitive personal information. Not surprisingly, consumer concerns about the privacy and security of their data are at an all-time high: a recent survey shows that 89 percent of consumers<\/a> reportedly have avoided companies that do not protect their privacy, and 45 percent are now more worried about online privacy than they were a year ago. This post updates our 2014 Mobile Privacy and Security Trends and What to Look for in 2015<\/a> article and examines recent developments in mobile marketing, mobile payments, and the Internet of Things (IoT), as well as the ever-evolving mobile legal and regulatory landscape.\n\nMobile Trends<\/strong><\/b>\n\nA. Mobile Marketing<\/u>\n\nWith consumers spending ever more time on mobile devices, marketers are finding them where they are. Advertisers spent an estimated $68.69 billion<\/a> on mobile advertising in 2015, with spending expected to top more than $195 billion by 2019<\/a>. With 90 percent of mobile consumers<\/a> using location-based services to get directions and local recommendations, location-based advertising has skyrocketed and is expected to reach $15 billion by 2018<\/a>. While these certainly are high figures, when compared with the total amount spent on Internet advertising, mobile still has plenty of room to grow. Figures for 2014<\/a> show that of the $50 billion spent on Internet advertising that year, mobile accounted for about only 25 percent.\n\nAdditionally, social media marketing<\/a>, <\/u>estimated at $24 billion in 2015, continues to be a lucrative investment for advertisers. Given that nearly 70 percent of mobile users<\/a> in the 18-29 age group access social media sites on their mobile devices, marketers are adapting advertisements for mobile consumption. Native advertising and paid endorsements have become popular trend<\/a>s<\/u> in social media and mobile marketing, with 90 percent of advertisers reportedly using native ads and 70 percent of Internet users reportedly wanting to learn about products through content instead of traditional ads.\n\nCompanies and advertisers also are increasingly developing mobile apps to reach consumers. According to Red Hat\u2019s Mobile Maturity Survey 2015<\/a>, 52 percent of companies now have a fully implemented mobile strategy, with 90 percent of surveyed companies reporting that investment in mobile apps would increase in 2016. Not only are web-based companies leading the charge, but in-store retailers also are increasingly leveraging mobile capabilities. More and more retailers are using in-store web beacons and other similar technologies to track consumers\u2019 in-store location data, analyze consumers\u2019 purchasing activity, and push relevant, real-time, in-store promotions to consumers.\n\nB. Mobile Payments<\/u>\n\nMobile payment systems are also on the rise. The value of purchases made on mobile devices is projected to grow<\/a> from $52 billion in 2014 to $142 billion by 2019. While mobile commerce currently represents 22 percent of all U.S. digital commerce revenue, it is expected to jump to 50 percent <\/a>\u00a0<\/u>by 2017. The Apple Pay mobile payment and digital wallet system illustrates the growing popularity of mobile payments, with more than a million credit cards<\/a> registered for use with the service in the first three days of availability. Starbucks<\/a> also has seen great success with its member loyalty program, which has driven mobile payments and resulted in Starbucks earning 90 percent of the $1.6 billion spent in U.S. stores via smartphones in 2013.\n\nC. Internet of Things<\/u>\n\nAlong with the rise of mobile devices, the IoT industry has grown exponentially. The term IoT refers to \u201cthings\u201d such as devices or sensors \u2013 other than computers, smartphones, or tablets \u2013 that connect, communicate, or transmit information with or between each other through the Internet. It is hard to imagine any industry that has not been affected by this new form of technology, from wearable technology<\/a> and health trackers<\/a>,<\/u> to smart thermostats<\/a>, networked baby monitors<\/a>, and connected cars<\/a>. There will be an estimated 24 billion connected<\/a> IoT devices by 2020, and nearly $6 trillion will be spent on IoT solutions over the next five years.\n\nData Privacy and Security Risks and Legal and Regulatory Trends<\/strong><\/b>\n\nWhile mobile and IoT devices offer immense real-time convenience and functionality, they raise commensurate privacy and security concerns about the collection and use of sensitive personal data. As consumers and the companies that market to them move to mobile, the regulators are following. In the past year, regulators increasingly have turned a watchful eye toward all things mobile.\n\nA. Federal Trade Commission<\/span>\n\nThe FTC has continued to focus on the mobile industry, in both its enforcement actions and educational workshops and reports. We summarize below the FTC\u2019s recent actions relating to the mobile industry.\n\nInternet of Things<\/em>\n\nIn January 2015, the FTC released a report<\/a> titled The Internet of Things: Privacy and Security in a Connected World <\/em>(the \u201cIoT Report\u201d) following a 2013 FTC workshop by the same name. Echoing the FTC\u2019s core fair information practice principles<\/a> (FIPPs), the IoT Report recommends a number of concrete steps companies can take to enhance and protect consumers\u2019 privacy and personal information collected by the multitude of Internet-connected devices, including:\n\n(1) Build security into devices at the outset rather than as an afterthought in the design process.\n\n(2) Train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization.\n\n(3) Ensure that outside services are capable of maintaining reasonable security, and provide reasonable oversight of the providers.\n\n(4) When a security risk is identified, consider a \u201cdefense-in-depth\u201d strategy whereby multiple layers of security may be used to defend against a particular risk.\n\n(5) Consider measures to keep unauthorized users from accessing a consumer\u2019s device, data, or personal information stored on the network.\n\n(6) Monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.\n\n(7) Limit the collection of consumer data, and retain that information only for a set period of time, not indefinitely.\n\n(8) Notify consumers about their choices about how their information will be used, particularly when the data collection is beyond consumers\u2019 reasonable expectations.\n\nThe FTC also released a companion business guide to the IoT Report, titled Careful Connections: Building Security in the Internet of Things<\/em><\/a>. This guide summarizes, in plain English, the best practices set forth in the IoT Report and encourages businesses to take reasonable steps to protect consumers.\n\nMost recently, on March 31, 2016<\/a>, FTC Chairwoman Edith Ramirez made remarks at an American Bar Association IoT Conference in Washington, D.C. suggesting that companies need to take steps to deal with the \u201csignificantly magnified\u201d risks posed by the rapidly evolving IoT industry. Commissioner Ramirez stated, \u201cIn light of various studies showing consumers are deeply concerned about IOT\u2019s data collection, disclosure of sensitive information and their lack of control and awareness of who has access to the data that\u2019s collected, it\u2019s particularly important for IOT manufacturers to design devices that take into consideration unexpected uses of their IOT data, and the potential for misuse.\u201d\u00a0 Commissioner Ramirez emphasized the importance of developing IoT products with a \u201cprivacy by design\u201d approach, and addressing issues as they arise throughout the product\u2019s life cycle. Commissioner Ramirez also stated that the FTC would hold a series of workshops this fall 2016 to look at the variety of consumer protection issues posed by drones, \u201csmart\u201d televisions, and ransomware.\n\nLocation-Based Tracking and Cross-Device Tracking<\/em>\n\nIn April 2015, the agency reached a settlement<\/a> with retail tracking firm Nomi Technologies, Inc. Nomi places sensors in retail stores to track customers\u2019 purchasing behavior by recording their mobile device\u2019s MAC addresses. Nomi\u2019s privacy policy promised that it would provide an opt-out mechanism at stores using its services, which, according to the FTC, implied that consumers would be informed when stores were using Nomi\u2019s tracking technology. In reality, the FTC alleged, Nomi failed to notify consumers when their mobile devices were being tracked and failed to provide the ability to opt out of the tracking. Under the terms of the settlement, Nomi is prohibited from misrepresenting consumers\u2019 options for controlling whether information is collected, used, disclosed, or shared about them or their devices, as well as the extent to which consumers will be notified about information practices.\n\nIn November 2015, the FTC hosted a workshop<\/a> focused on cross-device tracking of consumer behavior. The workshop focused on new methods the mobile industry has adopted to track consumer behavior, including \u201cdeterministic\u201d tracking, which requires a consumer to sign into a platform to access its service. This allows the company to then link the consumer\u2019s various devices to a single account. Another method is \u201cprobabilistic\u201d tracking, which involves the collection of information such as device type, operating system, fonts, and IP address to create a \u201cdigital fingerprint\u201d of the user to link him or her to different devices. The FTC\u2019s workshop focused mainly on this probabilistic type of tracking, which is generally invisible to consumers and therefore poses privacy concerns. The FTC identified the following takeaways, which may shed light on the FTC\u2019s potentially emerging position on cross-device tracking: (1) companies need to work toward providing greater transparency, choices, and education for consumers; (2) companies should engage consumers in a way that will not cause consumers to lose trust in the marketplace; (3) data minimization policies and technologies will become more important as the amount of data collected about consumers increases; and (4) companies should be mindful of, and comply with, the privacy representations they make to consumers, both about their own actions and the actions of affiliated third parties. For more information, see this previous post on our blog<\/a>.\n\nNative Advertising and Paid Endorsements<\/em>\n\nAnother area the FTC has recently focused on is native advertising and paid endorsements in the mobile environment. Native advertising is advertising that bears a similarity to the news, feature articles, product reviews, entertainment, and other material that surrounds it online. A related advertising trend is paid endorsements on social media, where advertisers will pay celebrities or \u201cinfluencers\u201d with a strong social media following to post pictures or videos of them with the advertiser\u2019s product. Last December, the FTC issued its long-awaited Enforcement Policy Statement on Deceptively Formatted Advertisements<\/a> (the \u201cPolicy Statement\u201d) and its companion Native Advertising: A Guide for Businesses<\/a> (the \u201cBusiness Guide\u201d).<\/u> As discussed more fully in our previous post<\/a>, the Policy Statement and Business Guide apply the FTC\u2019s long-standing consumer protection standards to the native context. The key takeaways from the Policy Statement are: (1) native ads should clearly be identified as consumer advertising; (2) promotional content is deceptive if it misleads consumers into believing it is independent or impartial; (3) qualifying information, such as the advertiser\u2019s connection to the content, must be clear, conspicuous, and prominent; and (4) the FTC will decide whether an ad is deceptive based on the net impression the ad conveys to the reasonable consumer in the context of the platform and any qualifying information in the ad.\n\nAdditionally, in June 2015, the FTC updated its frequently asked questions (FAQs) guidance to the FTC\u2019s 2009 Endorsement Guidelines (the \u201cGuidelines\u201d). The Guidelines FAQs provide helpful commentary on how to apply the agency\u2019s endorsement guideline standards to evolving forms of digital marketing and promotion. As we discussed in more detail in our previous post<\/a>, the Guidelines FAQs provide greater clarity on when social media influencers and bloggers must make disclosures about their connection to the brand they are promoting.\n\nThe FTC has been actively enforcing its native advertising and endorsement guidelines in the past year. For instance, in September 2015, the FTC announced<\/a> that it had settled charges against Machinima, Inc., that the online entertainment network had engaged in deceptive advertising by paying influencers to post YouTube videos endorsing Microsoft\u2019s Xbox One system and several games. The FTC alleged that the influencers paid by Machinima failed to adequately disclose that they were being paid for their seemingly objective opinions. As part of the final order<\/a>, just recently approved by the FTC this March, the company is prohibited from misrepresenting in any influencer campaign that the endorser is an independent user of the product or service being promoted. Notably, Machinima must also ensure that all its influencers are aware of their responsibility to make required disclosures, by monitoring them and prohibiting payment to influencers who do not make such disclosures.\n\nMost recently, on March 15, 2016, the FTC settled charges that Lord & Taylor<\/a> deceived consumers by paying for native advertisements, including a seemingly objective article and Instagram post, without disclosing that the posts actually were paid promotions. The FTC also charged the company with paying 50 online fashion influencers to post Instagram pictures of themselves wearing the same dress design while failing to disclose they had paid each influencer thousands of dollars and given each influencer a dress in exchange for her endorsement. The agreement (1) prohibits Lord & Taylor from misrepresenting that paid commercial advertising is from an independent or objective source and misrepresenting that any endorser is an independent or ordinary consumer, (2) requires the company to disclose any payment or benefit given to an influencer or endorser, and (3) establishes a monitoring and review program for the company\u2019s endorsement campaigns.\n\nUnauthorized Installation of Mobile Software<\/em>\n\nIn June 2015, the FTC reached a settlement<\/a> with Prized Mobile, a mobile app that grants users points for playing games or downloading affiliated apps, which can be spent on rewards such as clothes and gift cards. The app promised consumers that it would be free of malware and viruses. The FTC alleged that the app\u2019s actual purpose was to infect the consumers\u2019 mobile phones with malicious software to mine virtual currencies. As part of the settlement, the Prized Mobile app developer is banned from creating and distributing malicious software and must destroy all information about consumers collected through the marketing and distribution of the app.\n\nMore recently, in February 2016, the FTC reached a settlement<\/a> with technology company Vulcun on charges that it unfairly replaced a popular web browser game with a program that installed applications on consumers\u2019 mobile devices without their permission. The FTC alleged that Vulcun\u2019s Google Chrome browser extension game, Running Fred, installed apps directly on the Android devices of consumers while bypassing the permissions process required by the Android operating system. The FTC\u2019s complaint charged that Vulcun\u2019s actions unfairly put consumers\u2019 privacy at risk. According to the FTC, \u201cby bypassing the permissions process in the Android operating system, the apps placed on consumers\u2019 mobile devices also could have easily accessed users\u2019 address books, photos, location, and device identifiers.\u201d Under the terms of the settlement, Vulcun is required to tell consumers about the types of information a product or service will access and how it will be used, display any built-in permissions notice associated with installing a product or service, and get users\u2019 express affirmative consent before the installation or material change of a product or service\n\nChildren\u2019s Privacy and the COPPA Rule<\/em>\n\nIn December 2015, the FTC reached two settlements<\/a> with app developers on allegations that they violated the Children\u2019s Online Privacy Protection Rule (COPPA Rule). As we have blogged about previously, the FTC brought actions against app developers LAI Systems (also known as TapBlaze)<\/a> and Retro Dreamer. In both actions, the FTC alleged that the app developers violated COPPA by allowing third-party advertisers to collect personal information from children under 13 through the use of persistent identifiers without first obtaining parental consent. The third-party advertisers then served targeted advertisements to those children. Under the terms of the settlement agreements, Retro Dreamer agreed to pay a $300,000 civil penalty, and TapBlaze agreed to pay a $60,000 civil penalty and post a link on its website that provides notice of its data policies. Both app developers are prohibited from engaging in practices that would further violate the COPPA Rule.\n\nIn addition to its COPPA enforcement actions, the FTC continued to examine data privacy and security issues relating to children. In 2015, the FTC conducted its third kids\u2019 app survey. The survey examined what information kids\u2019 app developers are collecting from users, whom they are sharing it with, and what disclosures they are providing to parents about their practices. The resulting report<\/a> found that privacy policies on children\u2019s apps have become easier to locate, but it encouraged companies to make disclosures that accurately reflect what children\u2019s information the app collects.\n\nMost recently, in January 2016, the FTC\u2019s Bureau of Consumer Protection posted a blog article <\/a>warning parents about weak data security protections in Internet-connected baby monitors. Following its review of five baby monitors, the FTC found that each lacked sufficiently strong password requirements and that nearly half of the monitors did not encrypt the feed between the monitor and the home router. According to the FTC, these security vulnerabilities pose the risk of strangers hacking into the live baby monitor feed. The FTC\u2019s focus on this industry suggests further enforcement actions in the future.\n\nB. Federal Legislation<\/u>\n\nIn January 2015, Sen. Ron Wyden<\/a> (D-OR) and Rep. Jason Chaffetz<\/a> (R-UT) reintroduced the GPS Act, which would create a process for government agencies to get a probable cause warrant to obtain geolocation information, as well as prohibit businesses from disclosing geographical tracking data about a customer to others without the customer\u2019s permission.\n\nIn February 2015, House Representatives Zoe Lofgren (D-CA), Ted Poe (R-TX), and Suzan Delbene (D-WA) reintroduced the Online Communications and Geolocation Protection Act<\/a>. The act would require the government to obtain a warrant to access the contents of any wire or electronic communication that is stored, held, or maintained by an electronic communication service or remote computing service, as well as prohibit government entities from intentionally intercepting an individual\u2019s geolocation information that was obtained in violation of the act\u2019s prohibitions.\n\nIn November 2015, Senator Al Franken (D-MN) reintroduced the Location Privacy Protection Act of 2015<\/a>, which would prohibit companies from collecting or disclosing geolocation information from an electronic communications device without the user\u2019s consent. It provides exceptions for parents tracking their children, emergency services, law enforcement, and other cases. The bill would also prohibit development and distribution of \u201cstalking apps,\u201d establish an Anti-Stalking Fund at the Department of Justice, and take other steps to prevent geolocation-enabled violence against women.\n\nC. State Regulator Actions and Legislation<\/u>\n\nIn January 2016, the New York Attorney General\u2019s office announced<\/a> that it had reached a settlement with the ride-hailing app Uber Technologies Inc. over its alleged tracking of riders and exposure of drivers\u2019 personal data. This follows intense scrutiny of the company started in 2014<\/a>, after reports about its \u201cGod View\u201d \u2013 which allowed Uber employees real-time access to customers\u2019 location information \u2013 surfaced. Under the terms of the settlement, Uber is required to encrypt riders\u2019 GPS information and adopt authentication measures before any employee can access riders\u2019 sensitive personal information. The New York Attorney General also fined Uber $20,000 for failure to provide timely notice to drivers and his office in the aftermath of a September 2014 data breach.\n\nIn California in 2015, the state legislature introduced a bill, AB886<\/a>, which would have forced Uber, Lyft, and other ride-sharing apps to guard customers\u2019 personal information. The bill would have prohibited smartphone-ordered ride services from disclosing any passenger data except to combat fraud or other crimes. It also would have required the ride-sharing services to destroy all personal information when customers canceled their accounts. The bill died in committee in January 2016.\n\nD. Mobile Industry Self-Regulation<\/u>\n\nIn addition to federal and state laws and regulations, industry self-regulatory groups have developed their own regulations. The Interactive Advertising Bureau (IAB) has recently developed a Mobile Location Data Guide for Publishers<\/a>, which advises companies to strike a balance between collecting accurate location data and delivering an optimal user experience (i.e., preserving battery life, reducing network activity).\n\nBeginning September 1, 2015<\/a>, the Digital Advertising Alliance (DAA) began enforcing its Application of Self-Regulatory Principles to the Mobile Environment<\/a> (Mobile Guidance). The Mobile Guidance urges mobile app advertisers and publishers to be transparent in collection of multisite data, cross-app data, precise location data, and personal directory data. It also sets guidelines for app advertisers and publishers to give consumers control over how and when such data is collected. Entities that are not compliant with the Mobile Guidance risk being subject to DAA accountability mechanisms. For more information, see this previous post on our blog<\/a>.\n\nIn 2015, the DAA also released two mobile tools for consumers<\/a>, the AppChoices<\/a> mobile app and the DAA Consumer Choice Page for Mobile Web<\/a>. AppChoices is a free mobile app that allows consumers to opt out of the collection and use of cross-app data, other than for permitted uses, by listing third-party AppChoices participants that consumers may select. The DAA Consumer Choice Page for Mobile Web is a mobile-web-optimized tool that consumers can use to opt out of the collection of cookie-based data for interest-based advertising by selected participating third parties. For more information, see this previous client alert<\/a>.\n\nLooking Forward: Mobile Privacy and Security in 2016<\/strong><\/b>\n\n2016 is shaping up to see a continuation and acceleration of the mobile trends of the past few years. More specifically, for the balance of 2016, we expect to see the following.\n
\n\t
Regulators will continue to follow companies and advertisers to mobile.<\/strong> Along with a steady rise in mobile marketing, we expect to see increased regulatory scrutiny of advertisers that engage in native advertising and paid endorsements, especially on mobile screens. As evidenced by the FTC\u2019s recent settlement with Lord & Taylor, advertisers that do not clearly disclose the nature of these ads are at risk of facing an FTC enforcement action.<\/li>\n\t
Advertisers and retailers will increase their use of location-based ads.<\/strong> With the number of mobile devices and the types of personal information users are comfortable sharing through their devices continuing to grow, advertisers will be able to craft more personalized and sophisticated real-time ads targeted at individuals\u2019 unique characteristics and preferences. Location-based tracking, including the use of web beacons, will continue to play a large role as advertisers and retailers continue to reach consumers where they are, in many cases even in their own stores. As the collection and use of location-based data grow, we also expect to see traction in the legislatures and from the regulators regarding the collection and use of location-based consumer data.<\/li>\n\t
Privacy by Design in IoT will become increasingly important.<\/strong> As consumer-facing companies continue to expand and experiment with IoT functionality and capabilities across all industry verticals, data privacy and security will continue to","order":0,"get_parent":{},"attributes":{"content":" $\"phone$ To say that mobile device usage has reached a tipping point would be an understatement. There are now more mobile devices<\/a> than people in the world, a staggering 7.9 billion mobile devices for 7.4 billion people on Earth. In the U.S., more time is spent on mobile media than on desktop<\/a> and other media, 2.8 hours per day per person. Mobile devices are dominating<\/a> consumers\u2019 media consumption: 80 percent of Internet users own a smartphone, and other \u201csmart\u201d devices are quickly gaining ground. The proliferation of mobile devices and apps has touched nearly every aspect of our lives and is playing an increasingly integral role in such wide-ranging areas as retail, health, finance, and home security.\n\nAs consumers embrace mobile technology, companies have more access than ever to a wide range of sensitive personal information. Not surprisingly, consumer concerns about the privacy and security of their data are at an all-time high: a recent survey shows that 89 percent of consumers<\/a> reportedly have avoided companies that do not protect their privacy, and 45 percent are now more worried about online privacy than they were a year ago. This post updates our 2014 Mobile Privacy and Security Trends and What to Look for in 2015<\/a> article and examines recent developments in mobile marketing, mobile payments, and the Internet of Things (IoT), as well as the ever-evolving mobile legal and regulatory landscape.\n\nMobile Trends<\/strong><\/b>\n\nA. Mobile Marketing<\/u>\n\nWith consumers spending ever more time on mobile devices, marketers are finding them where they are. Advertisers spent an estimated $68.69 billion<\/a> on mobile advertising in 2015, with spending expected to top more than $195 billion by 2019<\/a>. With 90 percent of mobile consumers<\/a> using location-based services to get directions and local recommendations, location-based advertising has skyrocketed and is expected to reach $15 billion by 2018<\/a>. While these certainly are high figures, when compared with the total amount spent on Internet advertising, mobile still has plenty of room to grow. Figures for 2014<\/a> show that of the $50 billion spent on Internet advertising that year, mobile accounted for about only 25 percent.\n\nAdditionally, social media marketing<\/a>, <\/u>estimated at $24 billion in 2015, continues to be a lucrative investment for advertisers. Given that nearly 70 percent of mobile users<\/a> in the 18-29 age group access social media sites on their mobile devices, marketers are adapting advertisements for mobile consumption. Native advertising and paid endorsements have become popular trend<\/a>s<\/u> in social media and mobile marketing, with 90 percent of advertisers reportedly using native ads and 70 percent of Internet users reportedly wanting to learn about products through content instead of traditional ads.\n\nCompanies and advertisers also are increasingly developing mobile apps to reach consumers. According to Red Hat\u2019s Mobile Maturity Survey 2015<\/a>, 52 percent of companies now have a fully implemented mobile strategy, with 90 percent of surveyed companies reporting that investment in mobile apps would increase in 2016. Not only are web-based companies leading the charge, but in-store retailers also are increasingly leveraging mobile capabilities. More and more retailers are using in-store web beacons and other similar technologies to track consumers\u2019 in-store location data, analyze consumers\u2019 purchasing activity, and push relevant, real-time, in-store promotions to consumers.\n\nB. Mobile Payments<\/u>\n\nMobile payment systems are also on the rise. The value of purchases made on mobile devices is projected to grow<\/a> from $52 billion in 2014 to $142 billion by 2019. While mobile commerce currently represents 22 percent of all U.S. digital commerce revenue, it is expected to jump to 50 percent <\/a>\u00a0<\/u>by 2017. The Apple Pay mobile payment and digital wallet system illustrates the growing popularity of mobile payments, with more than a million credit cards<\/a> registered for use with the service in the first three days of availability. Starbucks<\/a> also has seen great success with its member loyalty program, which has driven mobile payments and resulted in Starbucks earning 90 percent of the $1.6 billion spent in U.S. stores via smartphones in 2013.\n\nC. Internet of Things<\/u>\n\nAlong with the rise of mobile devices, the IoT industry has grown exponentially. The term IoT refers to \u201cthings\u201d such as devices or sensors \u2013 other than computers, smartphones, or tablets \u2013 that connect, communicate, or transmit information with or between each other through the Internet. It is hard to imagine any industry that has not been affected by this new form of technology, from wearable technology<\/a> and health trackers<\/a>,<\/u> to smart thermostats<\/a>, networked baby monitors<\/a>, and connected cars<\/a>. There will be an estimated 24 billion connected<\/a> IoT devices by 2020, and nearly $6 trillion will be spent on IoT solutions over the next five years.\n\nData Privacy and Security Risks and Legal and Regulatory Trends<\/strong><\/b>\n\nWhile mobile and IoT devices offer immense real-time convenience and functionality, they raise commensurate privacy and security concerns about the collection and use of sensitive personal data. As consumers and the companies that market to them move to mobile, the regulators are following. In the past year, regulators increasingly have turned a watchful eye toward all things mobile.\n\nA. Federal Trade Commission<\/span>\n\nThe FTC has continued to focus on the mobile industry, in both its enforcement actions and educational workshops and reports. We summarize below the FTC\u2019s recent actions relating to the mobile industry.\n\nInternet of Things<\/em>\n\nIn January 2015, the FTC released a report<\/a> titled The Internet of Things: Privacy and Security in a Connected World <\/em>(the \u201cIoT Report\u201d) following a 2013 FTC workshop by the same name. Echoing the FTC\u2019s core fair information practice principles<\/a> (FIPPs), the IoT Report recommends a number of concrete steps companies can take to enhance and protect consumers\u2019 privacy and personal information collected by the multitude of Internet-connected devices, including:\n\n(1) Build security into devices at the outset rather than as an afterthought in the design process.\n\n(2) Train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization.\n\n(3) Ensure that outside services are capable of maintaining reasonable security, and provide reasonable oversight of the providers.\n\n(4) When a security risk is identified, consider a \u201cdefense-in-depth\u201d strategy whereby multiple layers of security may be used to defend against a particular risk.\n\n(5) Consider measures to keep unauthorized users from accessing a consumer\u2019s device, data, or personal information stored on the network.\n\n(6) Monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.\n\n(7) Limit the collection of consumer data, and retain that information only for a set period of time, not indefinitely.\n\n(8) Notify consumers about their choices about how their information will be used, particularly when the data collection is beyond consumers\u2019 reasonable expectations.\n\nThe FTC also released a companion business guide to the IoT Report, titled Careful Connections: Building Security in the Internet of Things<\/em><\/a>. This guide summarizes, in plain English, the best practices set forth in the IoT Report and encourages businesses to take reasonable steps to protect consumers.\n\nMost recently, on March 31, 2016<\/a>, FTC Chairwoman Edith Ramirez made remarks at an American Bar Association IoT Conference in Washington, D.C. suggesting that companies need to take steps to deal with the \u201csignificantly magnified\u201d risks posed by the rapidly evolving IoT industry. Commissioner Ramirez stated, \u201cIn light of various studies showing consumers are deeply concerned about IOT\u2019s data collection, disclosure of sensitive information and their lack of control and awareness of who has access to the data that\u2019s collected, it\u2019s particularly important for IOT manufacturers to design devices that take into consideration unexpected uses of their IOT data, and the potential for misuse.\u201d\u00a0 Commissioner Ramirez emphasized the importance of developing IoT products with a \u201cprivacy by design\u201d approach, and addressing issues as they arise throughout the product\u2019s life cycle. Commissioner Ramirez also stated that the FTC would hold a series of workshops this fall 2016 to look at the variety of consumer protection issues posed by drones, \u201csmart\u201d televisions, and ransomware.\n\nLocation-Based Tracking and Cross-Device Tracking<\/em>\n\nIn April 2015, the agency reached a settlement<\/a> with retail tracking firm Nomi Technologies, Inc. Nomi places sensors in retail stores to track customers\u2019 purchasing behavior by recording their mobile device\u2019s MAC addresses. Nomi\u2019s privacy policy promised that it would provide an opt-out mechanism at stores using its services, which, according to the FTC, implied that consumers would be informed when stores were using Nomi\u2019s tracking technology. In reality, the FTC alleged, Nomi failed to notify consumers when their mobile devices were being tracked and failed to provide the ability to opt out of the tracking. Under the terms of the settlement, Nomi is prohibited from misrepresenting consumers\u2019 options for controlling whether information is collected, used, disclosed, or shared about them or their devices, as well as the extent to which consumers will be notified about information practices.\n\nIn November 2015, the FTC hosted a workshop<\/a> focused on cross-device tracking of consumer behavior. The workshop focused on new methods the mobile industry has adopted to track consumer behavior, including \u201cdeterministic\u201d tracking, which requires a consumer to sign into a platform to access its service. This allows the company to then link the consumer\u2019s various devices to a single account. Another method is \u201cprobabilistic\u201d tracking, which involves the collection of information such as device type, operating system, fonts, and IP address to create a \u201cdigital fingerprint\u201d of the user to link him or her to different devices. The FTC\u2019s workshop focused mainly on this probabilistic type of tracking, which is generally invisible to consumers and therefore poses privacy concerns. The FTC identified the following takeaways, which may shed light on the FTC\u2019s potentially emerging position on cross-device tracking: (1) companies need to work toward providing greater transparency, choices, and education for consumers; (2) companies should engage consumers in a way that will not cause consumers to lose trust in the marketplace; (3) data minimization policies and technologies will become more important as the amount of data collected about consumers increases; and (4) companies should be mindful of, and comply with, the privacy representations they make to consumers, both about their own actions and the actions of affiliated third parties. For more information, see this previous post on our blog<\/a>.\n\nNative Advertising and Paid Endorsements<\/em>\n\nAnother area the FTC has recently focused on is native advertising and paid endorsements in the mobile environment. Native advertising is advertising that bears a similarity to the news, feature articles, product reviews, entertainment, and other material that surrounds it online. A related advertising trend is paid endorsements on social media, where advertisers will pay celebrities or \u201cinfluencers\u201d with a strong social media following to post pictures or videos of them with the advertiser\u2019s product. Last December, the FTC issued its long-awaited Enforcement Policy Statement on Deceptively Formatted Advertisements<\/a> (the \u201cPolicy Statement\u201d) and its companion Native Advertising: A Guide for Businesses<\/a> (the \u201cBusiness Guide\u201d).<\/u> As discussed more fully in our previous post<\/a>, the Policy Statement and Business Guide apply the FTC\u2019s long-standing consumer protection standards to the native context. The key takeaways from the Policy Statement are: (1) native ads should clearly be identified as consumer advertising; (2) promotional content is deceptive if it misleads consumers into believing it is independent or impartial; (3) qualifying information, such as the advertiser\u2019s connection to the content, must be clear, conspicuous, and prominent; and (4) the FTC will decide whether an ad is deceptive based on the net impression the ad conveys to the reasonable consumer in the context of the platform and any qualifying information in the ad.\n\nAdditionally, in June 2015, the FTC updated its frequently asked questions (FAQs) guidance to the FTC\u2019s 2009 Endorsement Guidelines (the \u201cGuidelines\u201d). The Guidelines FAQs provide helpful commentary on how to apply the agency\u2019s endorsement guideline standards to evolving forms of digital marketing and promotion. As we discussed in more detail in our previous post<\/a>, the Guidelines FAQs provide greater clarity on when social media influencers and bloggers must make disclosures about their connection to the brand they are promoting.\n\nThe FTC has been actively enforcing its native advertising and endorsement guidelines in the past year. For instance, in September 2015, the FTC announced<\/a> that it had settled charges against Machinima, Inc., that the online entertainment network had engaged in deceptive advertising by paying influencers to post YouTube videos endorsing Microsoft\u2019s Xbox One system and several games. The FTC alleged that the influencers paid by Machinima failed to adequately disclose that they were being paid for their seemingly objective opinions. As part of the final order<\/a>, just recently approved by the FTC this March, the company is prohibited from misrepresenting in any influencer campaign that the endorser is an independent user of the product or service being promoted. Notably, Machinima must also ensure that all its influencers are aware of their responsibility to make required disclosures, by monitoring them and prohibiting payment to influencers who do not make such disclosures.\n\nMost recently, on March 15, 2016, the FTC settled charges that Lord & Taylor<\/a> deceived consumers by paying for native advertisements, including a seemingly objective article and Instagram post, without disclosing that the posts actually were paid promotions. The FTC also charged the company with paying 50 online fashion influencers to post Instagram pictures of themselves wearing the same dress design while failing to disclose they had paid each influencer thousands of dollars and given each influencer a dress in exchange for her endorsement. The agreement (1) prohibits Lord & Taylor from misrepresenting that paid commercial advertising is from an independent or objective source and misrepresenting that any endorser is an independent or ordinary consumer, (2) requires the company to disclose any payment or benefit given to an influencer or endorser, and (3) establishes a monitoring and review program for the company\u2019s endorsement campaigns.\n\nUnauthorized Installation of Mobile Software<\/em>\n\nIn June 2015, the FTC reached a settlement<\/a> with Prized Mobile, a mobile app that grants users points for playing games or downloading affiliated apps, which can be spent on rewards such as clothes and gift cards. The app promised consumers that it would be free of malware and viruses. The FTC alleged that the app\u2019s actual purpose was to infect the consumers\u2019 mobile phones with malicious software to mine virtual currencies. As part of the settlement, the Prized Mobile app developer is banned from creating and distributing malicious software and must destroy all information about consumers collected through the marketing and distribution of the app.\n\nMore recently, in February 2016, the FTC reached a settlement<\/a> with technology company Vulcun on charges that it unfairly replaced a popular web browser game with a program that installed applications on consumers\u2019 mobile devices without their permission. The FTC alleged that Vulcun\u2019s Google Chrome browser extension game, Running Fred, installed apps directly on the Android devices of consumers while bypassing the permissions process required by the Android operating system. The FTC\u2019s complaint charged that Vulcun\u2019s actions unfairly put consumers\u2019 privacy at risk. According to the FTC, \u201cby bypassing the permissions process in the Android operating system, the apps placed on consumers\u2019 mobile devices also could have easily accessed users\u2019 address books, photos, location, and device identifiers.\u201d Under the terms of the settlement, Vulcun is required to tell consumers about the types of information a product or service will access and how it will be used, display any built-in permissions notice associated with installing a product or service, and get users\u2019 express affirmative consent before the installation or material change of a product or service\n\nChildren\u2019s Privacy and the COPPA Rule<\/em>\n\nIn December 2015, the FTC reached two settlements<\/a> with app developers on allegations that they violated the Children\u2019s Online Privacy Protection Rule (COPPA Rule). As we have blogged about previously, the FTC brought actions against app developers LAI Systems (also known as TapBlaze)<\/a> and Retro Dreamer. In both actions, the FTC alleged that the app developers violated COPPA by allowing third-party advertisers to collect personal information from children under 13 through the use of persistent identifiers without first obtaining parental consent. The third-party advertisers then served targeted advertisements to those children. Under the terms of the settlement agreements, Retro Dreamer agreed to pay a $300,000 civil penalty, and TapBlaze agreed to pay a $60,000 civil penalty and post a link on its website that provides notice of its data policies. Both app developers are prohibited from engaging in practices that would further violate the COPPA Rule.\n\nIn addition to its COPPA enforcement actions, the FTC continued to examine data privacy and security issues relating to children. In 2015, the FTC conducted its third kids\u2019 app survey. The survey examined what information kids\u2019 app developers are collecting from users, whom they are sharing it with, and what disclosures they are providing to parents about their practices. The resulting report<\/a> found that privacy policies on children\u2019s apps have become easier to locate, but it encouraged companies to make disclosures that accurately reflect what children\u2019s information the app collects.\n\nMost recently, in January 2016, the FTC\u2019s Bureau of Consumer Protection posted a blog article <\/a>warning parents about weak data security protections in Internet-connected baby monitors. Following its review of five baby monitors, the FTC found that each lacked sufficiently strong password requirements and that nearly half of the monitors did not encrypt the feed between the monitor and the home router. According to the FTC, these security vulnerabilities pose the risk of strangers hacking into the live baby monitor feed. The FTC\u2019s focus on this industry suggests further enforcement actions in the future.\n\nB. Federal Legislation<\/u>\n\nIn January 2015, Sen. Ron Wyden<\/a> (D-OR) and Rep. Jason Chaffetz<\/a> (R-UT) reintroduced the GPS Act, which would create a process for government agencies to get a probable cause warrant to obtain geolocation information, as well as prohibit businesses from disclosing geographical tracking data about a customer to others without the customer\u2019s permission.\n\nIn February 2015, House Representatives Zoe Lofgren (D-CA), Ted Poe (R-TX), and Suzan Delbene (D-WA) reintroduced the Online Communications and Geolocation Protection Act<\/a>. The act would require the government to obtain a warrant to access the contents of any wire or electronic communication that is stored, held, or maintained by an electronic communication service or remote computing service, as well as prohibit government entities from intentionally intercepting an individual\u2019s geolocation information that was obtained in violation of the act\u2019s prohibitions.\n\nIn November 2015, Senator Al Franken (D-MN) reintroduced the Location Privacy Protection Act of 2015<\/a>, which would prohibit companies from collecting or disclosing geolocation information from an electronic communications device without the user\u2019s consent. It provides exceptions for parents tracking their children, emergency services, law enforcement, and other cases. The bill would also prohibit development and distribution of \u201cstalking apps,\u201d establish an Anti-Stalking Fund at the Department of Justice, and take other steps to prevent geolocation-enabled violence against women.\n\nC. State Regulator Actions and Legislation<\/u>\n\nIn January 2016, the New York Attorney General\u2019s office announced<\/a> that it had reached a settlement with the ride-hailing app Uber Technologies Inc. over its alleged tracking of riders and exposure of drivers\u2019 personal data. This follows intense scrutiny of the company started in 2014<\/a>, after reports about its \u201cGod View\u201d \u2013 which allowed Uber employees real-time access to customers\u2019 location information \u2013 surfaced. Under the terms of the settlement, Uber is required to encrypt riders\u2019 GPS information and adopt authentication measures before any employee can access riders\u2019 sensitive personal information. The New York Attorney General also fined Uber $20,000 for failure to provide timely notice to drivers and his office in the aftermath of a September 2014 data breach.\n\nIn California in 2015, the state legislature introduced a bill, AB886<\/a>, which would have forced Uber, Lyft, and other ride-sharing apps to guard customers\u2019 personal information. The bill would have prohibited smartphone-ordered ride services from disclosing any passenger data except to combat fraud or other crimes. It also would have required the ride-sharing services to destroy all personal information when customers canceled their accounts. The bill died in committee in January 2016.\n\nD. Mobile Industry Self-Regulation<\/u>\n\nIn addition to federal and state laws and regulations, industry self-regulatory groups have developed their own regulations. The Interactive Advertising Bureau (IAB) has recently developed a Mobile Location Data Guide for Publishers<\/a>, which advises companies to strike a balance between collecting accurate location data and delivering an optimal user experience (i.e., preserving battery life, reducing network activity).\n\nBeginning September 1, 2015<\/a>, the Digital Advertising Alliance (DAA) began enforcing its Application of Self-Regulatory Principles to the Mobile Environment<\/a> (Mobile Guidance). The Mobile Guidance urges mobile app advertisers and publishers to be transparent in collection of multisite data, cross-app data, precise location data, and personal directory data. It also sets guidelines for app advertisers and publishers to give consumers control over how and when such data is collected. Entities that are not compliant with the Mobile Guidance risk being subject to DAA accountability mechanisms. For more information, see this previous post on our blog<\/a>.\n\nIn 2015, the DAA also released two mobile tools for consumers<\/a>, the AppChoices<\/a> mobile app and the DAA Consumer Choice Page for Mobile Web<\/a>. AppChoices is a free mobile app that allows consumers to opt out of the collection and use of cross-app data, other than for permitted uses, by listing third-party AppChoices participants that consumers may select. The DAA Consumer Choice Page for Mobile Web is a mobile-web-optimized tool that consumers can use to opt out of the collection of cookie-based data for interest-based advertising by selected participating third parties. For more information, see this previous client alert<\/a>.\n\nLooking Forward: Mobile Privacy and Security in 2016<\/strong><\/b>\n\n2016 is shaping up to see a continuation and acceleration of the mobile trends of the past few years. More specifically, for the balance of 2016, we expect to see the following.\n
\n\t
\nRegulators will continue to follow companies and advertisers to mobile.<\/strong> Along with a steady rise in mobile marketing, we expect to see increased regulatory scrutiny of advertisers that engage in native advertising and paid endorsements, especially on mobile screens. As evidenced by the FTC\u2019s recent settlement with Lord & Taylor, advertisers that do not clearly disclose the nature of these ads are at risk of facing an FTC enforcement action.<\/li>\n\t
\nAdvertisers and retailers will increase their use of location-based ads.<\/strong> With the number of mobile devices and the types of personal information users are comfortable sharing through their devices continuing to grow, advertisers will be able to craft more personalized and sophisticated real-time ads targeted at individuals\u2019 unique characteristics and preferences. Location-based tracking, including the use of web beacons, will continue to play a large role as advertisers and retailers continue to reach consumers where they are, in many cases even in their own stores. As the collection and use of location-based data grow, we also expect to see traction in the legislatures and from the regulators regarding the collection and use of location-based consumer data.<\/li>\n\t
\nPrivacy by Design in IoT will become increasingly important.<\/strong> As consumer-facing companies continue to expand and experiment with IoT functionality and capabilities across all industry verticals, data privacy and security will continue to<\/li>\n<\/ol>"},"attributesType":{"content":{"type":"string","source":"html"},"lock":{"type":"object"}},"dynamicContent":null}]

2016 Mobile Data Privacy and Security Update and 2015 Review