Mobile apps and privacy: US privacy experts highlight enforcement risks
Posted: June 11, 2024
In a recent analysis for the International Association of Privacy Professionals (IAPP), Andrew Folks explores a significant privacy enforcement trend: actions by the US Federal Trade Commission (FTC) involving mobile apps.
Mobile apps collect extensive information about billions of people, and recent FTC settlements show the agency is trying to curb the industry’s worst privacy excesses. Here’s a look at the legal risks faced by mobile app developers and providers in the US and beyond.
This enforcement trend has deep roots
While the FTC’s intense focus on data-sharing in mobile apps is a relatively recent trend, there has long been awareness of the privacy risks of mobile apps.
Folks highlights how the whistleblower Edward Snowden raised concerns about the amount of personal data “leaked” by the mobile game Angry Birds back in 2014. The app collected data about users’ device types and locations that could be valuable to intelligence services.
The following year, Pew Research published a study of over a million Android apps showing that many collected excessive and unnecessary personal data, with 83% requesting “full network access.”
And in 2016, the FTC reached a settlement with mobile developer InMobi for allegedly “deceptively tracking children” via mobile apps.
Enforcement against mobile app providers is accelerating
Several years on from its InMobi decision, the FTC began a wave of enforcement against providers of mobile apps under the FTC Act and other laws.
- GoodRx: A pharmaceutical discount provider that settled with the FTC in February 2023 under the Health Breach Notification Rule.
- Premom: An ovulation-tracking app that settled in May 2023 for allegedly sharing sensitive health data with AppsFlyer and Google.
- Monument: A New York-based alcohol addiction clinic banned from sharing health data for advertising purposes in April 2024.
- Cerebral: An online therapy app fined $7 million for mobile app data-sharing violations, also in April 2024.
Each of these companies operates in the health sector and provides a mobile app directly to consumers. But the FTC has taken action against other types of companies too.
Enforcement has occurred at every point in the mobile data supply chain
Since 2022, the FTC has been engaged in a court battle with Kochava for allegedly “selling geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations.”
More recently, in January 2024, the agency settled with two “location data aggregators,” X-Mode Social and InMarket, which are also involved in the purchase and sale of supposedly sensitive geolocation information.
These cases show how the FTC has been willing to tackle privacy risks at any stage of the supply chain rather than solely targeting companies with a direct consumer relationship.
This phenomenon doesn’t exist only at the US federal level
While the FTC’s enforcement sweep has been high-profile and extensive, the privacy risks associated with mobile apps are being addressed in other ways, too.
Kochava is one of many mobile companies subject to litigation under California privacy law. Last year, The Weather Channel settled its second class action case over allegations around how its mobile app collected and shared Californian users’ personal information.
Many similar cases are underway beyond the US.
- In Canada, the restaurant chain Tim Hortons was sued following revelations about its collection of location data.
- Dating app Grindr faces a class action case in the UK over allegations about excessive data collection on its mobile app.
- Google is being sued in the Netherlands for how it allegedly collects data via the Android mobile operating system.
These are just a few of the many examples of the increased scrutiny of data collection and sharing in the mobile ecosystem.
Governments, regulators, and – above all – people are increasingly concerned about their privacy. To avoid the sorts of legal nightmares explored above, developers, publishers, and other actors in the mobile app ecosystem should consider whether their practices align with these increased privacy concerns.