10 Tips for Privacy in Mobile Games Steve Augustino Kelley Drye & Warren LLP (with a little help from Tom Petty)


Post on 27-Dec-2015


Four Reasons Mobile is Different

Smartphones carried with person at all times

Readily-available location-based information

Access to related phone numbers, pictures and other information on the device

Screen size and consumer notices


Legal Landscape: Federal Trade Commission (FTC)

• “All companies involved in information collection and sharing on mobile devices – carriers, operating system vendors, applications, and advertisers – should provide meaningful choice mechanisms for consumers.”

– FTC Staff, Protecting Consumer Privacy in an Era of Rapid Change (Dec. 2010) at p. 59.

• “[D]espite many high-visibility efforts to increase transparency in the mobile marketplace, little or no progress has been made.”

– FTC Staff, Mobile Apps for Kids: Disclosures Still Not Making the Grade (Dec. 10, 2012)


Legal Landscape: Federal Communications Commission (FCC)

• Multiple Bases of Jurisdiction Over Mobile Apps and Privacy

– CPNI – Section 222 (Information on quantity, technical configuration, type, destination, location, and amount of use of telecom service)

– Cable Privacy – Section 631

– Wiretap – Section 705

• Google StreetView Investigation

• Truth-in-Billing

– Verizon “Mystery Fees” Consent Decree (October 2010)

– “Bill Shock” Notice of Proposed Rulemaking

– “Cramming” restrictions

• Mobile Device Declaratory Ruling (2013)


Legal Landscape: California

• California Online Privacy Protection Act of 2003 (CalOPPA)

– Requires an operator of a “commercial Web site or online service” to conspicuously post a privacy policy concerning the collection and use of personal data

• Joint Statement of Principles (2012)

– Agreement with 7 major platform providers

– Agree to provide optional data fields for mobile app privacy policies

– Information available before download

• Delta Airlines

– Fly Delta mobile app failed to make privacy policy readily available in the app

• Privacy on the Go

– Providers should make privacy policies available before download

– Supplement policies with “just in time” notices

– Limit data collection to what is necessary for the app’s core functions

– Encrypt data in transit and storage

10 Tips


The Initial Five – The Basics

• Disclose all relevant terms, including prices

– Disclose in-app purchase policies

• Don’t collect more than you need

– Don’t keep information longer than you need

• Obtain consent for texts, tweets and social media

• Police what your partners do with data

• Keep current with federal and state changes


Tom’s Tip:

Tip: Collect Location Data Sparingly

• Location data is easy to collect, but very personal

• “Because mobile devices have the ability—and often the technical requirement—to regularly transmit their location to a network, they also enable the creation of a precise record of a user’s locations over time.”

– FCC Staff Report, Location Based Services (May 2012)

• Don’t collect unless you need it

• Halfbrick/Fruit Ninja: “Where you allow us access to such information, we may also collect information from your device such as your geographic location and your contact lists.”

• Be mindful of unintended use or third party access

Tom’s Tip:

Tip: Be Extra Careful with Children

• FTC Mobile App Survey (Dec 2012)

– 20% of apps made info available prior to download

– 59% sent info to developer or third party

– 17% allowed in-app purchases

– 9% link to social media

• COPPA revisions expand “personal information”

– City and state

– Photographs, videos, audio

– Persistent identifiers

Tom’s Tip:

Tip: Comply with FCC Rules if You Partner with a Carrier

• FCC Mobile Device Declaratory Ruling

– Customer-specific information stored on a mobile device is CPNI

• Carrier is responsible if information is collected by or at the direction of the carrier

– Wireless carrier must take reasonable precautions to protect against unauthorized access to information stored on mobile devices

• By carrier or its designee

– Diagnostic and customer-support purposes permitted, however


Tom’s Tip:

Tip: Follow Industry Codes/Guidelines

• Trend to rely on industry guidelines as a safe harbor

– Some would say it’s a minimum requirement

• Example: NTIA Mobile Privacy Stakeholder Process

– “Agreement” to test short form notices

– 8 key areas

– “nutrition label” or “ingredients list”?

• Next up: Facial recognition technology

Tom’s Tip:

Tip: Avoid Legalese

“We’re not going to put up a huge EULA. We’re trying to be open and honest, and we hope people treat us the same way back.

If there’s anything legal you’re wondering about that isn’t answered from this page, don’t do it and ask us about it. Basically, don’t be ridiculous and we won’t”

– Minecraft Terms of Use and Privacy Policy


Tom’s Tip:
