THE MOBILE MAJORITY: BUILDING PRIVACY BY DESIGN INTO MOBILE APPS

Clarissa Cerda, EVP, Chief Legal Officer and Secretary, LifeLock
Kimberly Cilke, CIPP/US, Deputy General Counsel, GoDaddy.com
Timothy Sparapani, Vice President, Law, Public Policy & Government Relations, Application Developers Alliance

PRIVACY IN THE MOBILE ENVIRONMENT

• Booming Mobile Marketplace [1]
  – 85% Of Adults In The US Own A Cell Phone; 50% Use It To Access The Internet.
  – 1,600 New Apps For Mobile Devices Added Daily; 1M+ Total In Existence.
• Consumers Care [1]
  – Over Half Of Americans Had Uninstalled, Or Decided Not To Install, An App Because Of Concerns About Its Privacy Practices.
• Privacy Policies Are Complex And Difficult To Read [2]
• Amount Of Time To Read Policies Is Too Great [3]
• Misconceptions: Majority Of Americans Believe That Websites With Privacy Policies Cannot Sell Data [4]

[1] California Attorney General’s Office, “Privacy on the Go” at 12-13 (Jan. 2013)
[2] Milne/Culnan and Greene 2006
[3] McDonald/Cranor 2008
[4] Turow/Hoofnagle 2009-2010

FTC AND WHITE HOUSE INITIATIVES

By 2012 The Goals Of The FTC And White House (Privacy White Paper) Were Unambiguous:

FTC: “It is of utmost importance that privacy policies … should be clear and conspicuous and written language that is simple and easy to understand”

White House: “Consumer[s] have a right to easily understandable and accessible information about privacy … practices … in a form that is easy to read on devices … consumers … use”

TRANSPARENCY PLAYERS

Advocates, Attorneys General, Industry, NTIA, FTC

THE FTC

Standardized, Easy-to-Understand Privacy Notices Have Been At The Core Of FTC Efforts On Privacy For More Than A Decade.

FTC Emphasizes Clear And Prominent Notice Of Information Collection, Use And Disclosure & Informed Consent For Sensitive Information.

• Early FTC Reports (1998, 2000)
• FTC Privacy Report (2012)
• FTC COPPA Rule (mobile apps, “just in time” and close proximity) (2012)
• FTC Staff Report on Mobile Privacy Disclosures (2013)

THE FTC

2013 FTC Staff Report on Mobile Privacy Disclosures

FTC Staff Report Recommends Icons:

• Icons “offer the ability to communicate key terms and concepts in a clear and easily digestible manner.”
• Icons Allow Consumers To View Data Practice Highlights With A Quick Glance, Then Hover Or Click Through For More Detailed Information.
• Use Of Icons And Other Short Disclosures Will Have Greater Success If There Is Some Consistency In Approaches.

January 2013: California Attorney General Releases Privacy Recommendations for Mobile Industry

• “These always-on, always-on-us devices pose additional privacy challenges that are unique to mobile space.”
• Consumers deserve “meaningful information about privacy choices on small screens [in an environment] with many players who may have access…”
• “A centerpiece of these Guidelines are prominent, timely, special notices or short-form privacy notices designed to be read on a mobile device of data practices that involve sensitive information or are not required for an app’s basic functionality…”

California Attorney General’s Office, “Privacy on the Go” at 12-13 (Jan. 2013)

NTIA

Multi-Stakeholder Process

• Developing Voluntary Code of Conduct for Mobile Application Transparency.
• Clear, Short Form Notice of Mobile App Collection of Unexpected or Sensitive Data Elements and Sharing of that Info with Third Parties.
• Proposal Developed by App Developers Alliance, World Privacy Forum, ACLU, Consumer Action and Industry Representatives.

INDUSTRY

• FTC Privacy Report “Calls on Industry Sectors to Work Together to Develop Standard Formats and Terminology for Privacy Statements Applicable to Their Particular Industries.”
• Clearly Need A Standardized, User-friendly Approach Designed With Industry Input.
• Must Effectively And Succinctly Explain Data Collection, Use And Disclosure Practices.

Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers, at iii, 19-20, 26-28, 44, 60, 70-72 (Dec. 1, 2010).

TWO-PHASED PROPOSAL

Phase 1: Standardized Privacy Notice Elements
Phase 2: Standardized Icon System

Improved Transparency and Enhanced Consumer Choice

PHASE 1

Standardized Privacy Notice Elements

• Increase Transparency By Allowing Consumers To Compare Privacy Practices Of Different Providers.
• Encourage Competition Among Companies In The Privacy Protections They Afford.
• Utilize Standardized Descriptions As Outlined By FTC.
• Eliminate “Legalese” – Use Plain English To Effectively Provide Information On Data Collection, Use, And Disclosure.

PHASE 2

A Simple Icon Solution To Solve Transparency

• Color And Symbol Icon/Seal System.
• Works Offline, Online & On Mobile Devices.
• Simple, Quick Solution Requiring Minimal Technical Work.
• Easy-to-Understand.
• Incentivizes Parties With Relationship With Consumers Not To Proliferate Personal Data.

CASE STUDY: GODADDY.COM

• World’s largest domain name registrar and hosting provider.

• 3,300+ employees, 600+ in-house software developers, 9 global locations including U.S., Canada, UK, Netherlands, Singapore and India.

• More than 10.7 million customers.

• 10+ corporate websites, 1 mobile website, 3 mobile apps with over 1.7 million downloads.

• 2.5 million paid hosted customer websites; another 2.5 million free hosted sites.

• Mobilized more than 700,000 customer websites as part of November 2012 Website Builder product launch.

• Bolstered “Mobile First” strategy with acquisition of M.Dot in February 2013.


REFRESHER: PRIVACY BY DESIGN

1. Proactive, not reactive – Preventative, not remedial.
2. Privacy as the default setting.
3. Privacy embedded into design.
4. Full functionality – Positive sum, not zero-sum.
5. End-to-end security – Full lifecycle protection.
6. Visibility and transparency – Keep it open.

GO DADDY’S PRIVACY PROGRAM

• Customer privacy owned by Go Daddy Legal Department. Team with IT Security, Internal Audit, Product and Marketing Managers, Lead Developers, and HR.
• Every new product, IT project, and marketing program, as well as project/program updates, undergoes privacy review as part of legal screening.
• “Customer Information Privacy Policy” in Employee Handbook specifies Privacy Policy requirements for all employees.
• Legal/privacy review embedded into the Software Development Lifecycle (SDLC).
• Technical collection of PII undergoes additional security review by “Privacy Tech Committee.”

CUSTOMER INFORMATION PRIVACY POLICY

• Defines “PII” – “Any and all personal information about a Customer that can be used to uniquely identify, contact or locate the Customer.”
• Defines “Sensitive PII” – PII subject to a heightened degree of internal protection and review; generally follows data breach PII definitions.
• Sets Company Policy – “PII shall never be collected unless such collection is necessary for a legitimate business purpose related to Go Daddy’s business. Where the collection of PII is necessary, only the minimum amount of information necessary to satisfy the legitimate business purpose may be collected.”

CUSTOMER INFORMATION PRIVACY POLICY

• Prohibits disclosure of user PII to third-parties without privacy review.
• Provides for internal security procedures and authorized locations for PII.
• Provides process for notifying Privacy team in the event of an inadvertent or unauthorized disclosure of PII to any third-party.

CUSTOMER INFORMATION PRIVACY POLICY

• Provides process for privacy review; in our case, as simple as an email to the Legal Department in connection with any new product, IT project, or marketing program, with:
  – Summary of project, including measures to be used to secure PII.
  – All categories of PII involved in the project.
  – Who will have access to the PII and/or to whom it will be disclosed.
  – The real or best estimate of the number of users whose PII will be collected/affected.
  – Date project is scheduled to commence and/or deploy.
  – Any relevant documents or creatives.

THE FIRST QUESTIONS

1. With what types of operating systems will the app be compatible?
2. With which Web browsers will the app be compatible?
3. Will we store app-related data in the cloud or on our own servers?
4. What is the extended cyber-enterprise related to the app? Will it access third-party apps, such as ad networks and analytics companies?
5. In which app stores will our app be available? Are we in compliance with the app stores’ privacy requirements? Consider all third-party agreement/TOS requirements (e.g., device, OS, browser, cloud provider, ad network, etc.).

WHAT DATA WILL WE COLLECT?

• In addition to traditional PII, consider:
  – Unique device identifier
  – Geo-location (GPS, WiFi, user-entered)
  – Mobile phone number
  – Email address
  – User’s name
  – Text messages or email
  – Call logs
  – Contact/address book
  – Financial and payment information
  – Health and medical information
  – Photos or videos
  – Web browsing history

HOW WILL WE USE THE DATA?

• For each type of data, consider:
  – Is the data type necessary for your app’s basic functionality (i.e., within the expected context of the app’s functions as described to users)?
  – Is the data type necessary for business reasons (i.e., billing)?
  – How will you use the data?
  – Will it be necessary to store data off the device, on your servers?
  – How long will you need to store the data on your servers?
  – Will you share the data with third-parties (e.g., ad networks, analytics companies, service providers)? If so, with whom?
  – How will third-parties use the data?
  – Who in your organization will have access to user data?
  – What parts of the mobile device do you have permission to access? Can users modify their permissions?

KEY PRIVACY BY DESIGN ELEMENTS

• Transparency, Choice, and Control
  – Give prior “who-what-why” notice and obtain a user’s “active consent” for the collection, use, and sharing of personal information, as well as any application changes affecting privacy (“active consent” occurs where a user has the opportunity to agree to the specific use of personal information).
  – Provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information.
  – Collect and use only reasonable amounts of information within the scope of the user’s expectations.
  – Allow users to control the frequency of reminders about features which use personal information.
  – Provide users with information and choice regarding an application’s privacy settings.

KEY PRIVACY BY DESIGN ELEMENTS

• Data Retention and Security
  – Ensure applications using unique identifiers are linked to the rightful user.
  – Protect personal information from unauthorized access or disclosure and establish justifiable retention and deletion periods.
• Social Networking and Social Media
  – Ensure default settings protect privacy and allow easy control of profile information.
  – Provide additional, heightened privacy measures for underage users.
  – Obtain consent for any access, use, and/or sharing of location data.
• Mobile Advertising
  – Inform users, prior to download and/or activation, if applications are ad-supported.
  – Obtain active consent for targeted advertising, profiling, and/or viral marketing.

KEY PRIVACY BY DESIGN ELEMENTS

• Children and Adolescents
  – Provide age-targeted information regarding the consequences of using an application.
  – Ensure the default location setting prevents a user from publishing his or her location.
  – Comply with applicable jurisdictional laws regarding the protection of children.
  – Where possible, include an age verification mechanism.
• Accountability and Enforcement
  – Assign responsibility for privacy issues throughout the application’s lifespan.

“SPECIAL NOTICES”

• Supplement your mobile privacy policy with enhanced measures to alert users to:
  – Collection, use or disclosure of PII not required for the app’s basic functionality.
  – Accessing text messages, call logs, contacts or potentially privacy-sensitive features such as camera, dialer and microphone.
  – A change in your data practices that involves new, unexpected uses or disclosures of PII.
  – The collection or use of sensitive information, such as precise geo-location, financial or medical information, passwords, etc.
  – The disclosure of PII to third-parties for their own use, including use for advertising.

“SPECIAL NOTICES”

• Deliver notice in context, just before the data is to be collected.
• Explain the intended use and any third-parties to which data will be disclosed.
• Provide an easy way for users to choose whether or not to allow the collection of the data. If use of the app is contingent on collection of the data, make that clear.
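A sketch of the special-notice gate these two slides describe, together with the “active consent to a specific use” rule from the Transparency, Choice, and Control slide. This is an added illustration, not code from the deck or from any of the presenters’ companies; the category set, class names and notice wording are assumptions made for the example.

```python
from dataclasses import dataclass

# Data categories the deck flags as needing a special notice (constructed set).
SENSITIVE = {"precise_geolocation", "contacts", "call_logs", "text_messages",
             "financial", "health", "passwords"}

@dataclass(frozen=True)
class Practice:
    """One data practice: what is collected, why, and who else receives it."""
    category: str
    purpose: str
    third_parties: frozenset = frozenset()
    basic_functionality: bool = False  # needed for the app's core function?
    required_for_use: bool = False     # is the app unusable without it?

    def needs_special_notice(self) -> bool:
        # Deck rule: sensitive, beyond basic functionality, or shared -> notice.
        return (self.category in SENSITIVE or not self.basic_functionality
                or bool(self.third_parties))

    def notice_text(self) -> str:
        # Names the use and the recipients; says plainly if use is contingent.
        who = ", ".join(sorted(self.third_parties)) or "no third parties"
        text = f"This app collects {self.category} to {self.purpose}; shared with {who}."
        if self.required_for_use:
            text += " The app cannot be used without it."
        return text

class ConsentLedger:
    """Records the exact practice a user agreed to ('active consent')."""
    def __init__(self):
        self._agreed = {}  # category -> Practice the user consented to

    def record(self, practice: Practice, agreed: bool) -> None:
        if agreed:
            self._agreed[practice.category] = practice
        else:
            self._agreed.pop(practice.category, None)

    def may_collect(self, practice: Practice) -> bool:
        if not practice.needs_special_notice():
            return True
        # Consent is tied to one specific practice: a new purpose or recipient
        # is a change in data practices and needs a fresh notice and consent.
        return self._agreed.get(practice.category) == practice

def collect(ledger: ConsentLedger, practice: Practice, fetch):
    """Run fetch() only when consent covers this exact practice, else None."""
    return fetch() if ledger.may_collect(practice) else None
```

The app shows `notice_text()` in context, calls `record()` with the user’s answer, and routes every read of a flagged category through `collect()`, so a change in purpose or recipients silently fails closed until the user is asked again.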


WHEN YOU GET BACK TO THE OFFICE…

• Make someone responsible for mobile app privacy.
• Take stock of the data you collect and retain.
• Carefully scrutinize collection/integration of PII data and sensitive information such as geo-location data and user contacts access.
• Conduct due diligence on libraries and other third-party code.
• Consider any special requirements related to financial, health or kids’ data.

WHEN YOU GET BACK TO THE OFFICE…

• Don’t rely on the platform alone to protect your users.
• Ensure that you are generating user credentials securely.
• Use transit encryption for usernames, passwords and other important data.
• Don’t store passwords in plaintext.
• Protect data stored on a user’s device.
• Protect your servers.
• Audit app regularly following deployment.

ADDITIONAL READING AND RESOURCES

• Privacy On The Go – CA Attorney General’s set of privacy practice recommendations to assist app developers, and others, in considering privacy early in the development process.
• CA Business Privacy Resources – CA Attorney General’s links to helpful resources concerning privacy, data breach, Child Online Privacy Protection Act (COPPA) and other relevant privacy laws.
• CA AG’s Developer Agreement – CA AG’s agreement committing the leading operators of mobile application platforms to improve privacy protections for millions of consumers around the globe who access the Internet through applications (“apps”) on their smart phones, tablets and other mobile devices.
• Marketing Your Mobile App – FTC publication presenting guidelines to help developers comply with truth-in-advertising standards and basic privacy principles.
• Protecting Consumer Privacy In An Era Of Rapid Change – FTC report with recommended best practices for mobile transparency and protecting consumer privacy.
