State of Delaware

Convenience is the product, your

privacy is the cost

Mobile Applications

May 2, 2013

Mobile App Industry Overview

• A report from Gartner in January 2010 said that mobile apps will generate $7

billion in 2010, and will grow to $29.5 billion by 2013.

• A report commissioned by mobile application store GetJar in March 2010 said

that the mobile app market will reach $17.5 billion by 2012, having grown to 50

billion downloads from just 7 billion in 2009.

• A report from Research2Guidance in March 2010 said that the mobile app

market would reach $15.65 billion by 2013.

• In December 2010, IDC said that the mobile application market would see 10.9

billion downloads in 2010, and 76.9 billion by 2014. By 2014, the market is

expected to generate $35 billion in revenue worldwide

• The mobile application marketplace will reach $25 billion by 2015, according to a

new report from World Mobile Applications Market , a U.S.-based market

research firm.

• According to research2guidance.com the mobile health app marketplace is

expected to take off and reach $26B by 2017. 97,000 health and fitness apps

available today

Page | 1

Mobile App Industry Overview

Page | 2

Mobile App Industry Overview

Page | 3

The Business Model

• 89% of apps downloaded for free

• According to Gartner, 87.5% of apps purchases were priced

at less than $2.99

• Dynamic segmentation is possible because of the data

collected

Key consumer behavior data

Geolocation information

Contacts and friends

Sites visited

Page | 4

Policy Questions

• What is the expectation of privacy?

• What is at risk?

• What are the current practices?

• What is the State role in regulating this industry?

• Can we achieve balance – privacy and innovation?

Page | 5

What is the expectation of privacy?

Page | 6

Source: TRUSTe Privacy Index

What is the expectation of privacy?

Page | 7

Source: TRUSTe Privacy Index

What is the expectation of privacy?

Page | 8

Source: TRUSTe Privacy Index

What is at risk?

• Failure to act leads to the further erosion in the expectation of privacy

• Loss of control over data ownership and management

• 4th amendment implications

Page | 9

What are the current practices?

• Complexity beyond comprehension

• Capture of data beyond what is needed to deliver service

• Providing access to information that is not yours to grant access

Page | 10

Complexity

Page | 11

Source: TRUSTe Privacy Index

Sample Privacy Policies

• XYZ Company location info retention & sharing clause:

Information Collected Automatically: When you use the Service, XYZ

Company automatically receives and records information on our server

logs from your browser or mobile platform, including your location, IP

address, cookie information, and the page you requested. We treat this

data as non-Personal Information, except where we are required to

do otherwise under applicable law. Unless otherwise stated in this

Privacy Policy, XYZ Company only uses this data in aggregate form. We

may provide aggregate information to our partners about how our users,

collectively, use our Service, so that our partners may also understand

how often people use their services and our Service.

Page | 12

Sample Privacy Policies

• ABC Company data sharing provision: We aggregate non-personally identifiable information (such as age, gender, household income, interests, zip

code, state, coupon print and redemption data, and other automatically collected information that does not

personally identify you) and share such aggregated information with our Affiliates in order to help them

improve the marketing of their products and services. We may also share such non-personally identifiable

information with our Affiliates when you interact with our promotional content on their websites. An Affiliate

may match the non-personally identifiable information we provide with personally identifiable

information you have previously provided to that Affiliate. For instance, if you have signed up for a

loyalty account from one of our Affiliates, such as a grocery retailer, and request that our coupon be saved to

that loyalty account, we will provide the Affiliate with the coupon and other information necessary to fulfill

your request. The Affiliate will then match the information with your loyalty account which may contain your

personally identifiable information. We also may share such non-personally identifiable information

with third-party ad servers, ad networks, and data exchanges (“Ad Partners”) so that they can tailor

their advertisements to your apparent interests and deliver those advertisements to you while you are either

on our Sites or on third-party websites. For example, if you print pet food coupons, then an Ad Server may

conclude that you have a pet and display a pet care supply advertisement instead of a random

advertisement. In addition, Ad Partners themselves use technologies (such as cookies, pixels, and

beacons) to collect information about your browsing behavior on our Sites which they may match

with information they have previously collected (including personally identifiable information you

have provided to them). However, we do not share personally identifiable information with Ad Partners, and

we do not permit Ad Partners to collect personally identifiable information about you on our Sites.

Page | 13

Sample Privacy Policies

• EFG Company provision allowing complete public access to your

location info:

1.3. Installation of the Application in the User's mobile device is an

acceptance and confirmation of his consent to the terms of this

Agreement.

1.4. By accepting this Agreement, the User confirm his consent to the

processing of his personal data in the purpose of implementation

of this Agreement and the resolution of claims related to the

fulfillment of this Agreement. Application shall use the following

personal data:

- Information about location of the User’s mobile device;

- Information accessible from social networks after login in under

the login and password of the User (such as names and photos of

the friends of the User, etc.);

- Information about the User’s account in www.foursquare.com.

Page | 14

Incomplete Disclosure

Page | 15

Source: TRUSTe Privacy Index

Current Regulatory Structure

• The FTC has oversight responsibility

• Monitors companies for unfair practices which only extends to misuse of

data as not prescribed by the terms of use

• Can charge companies for being vague or omitting info

• FTC has little power over limiting use of data once a user consents

Page | 16

Federal versus State Role

Page | 17

• Federal regulation preferred by industry

Avoids the “patchwork” of regulation

May still be accused of restricting innovation, but not inequity

• Difficult for a state to regulate a mobile application

By definition, it is designed for use in any location

Attempts to regulate may restrict state citizen access

Possible Solutions: Consumer Privacy Bill of Rights

• Individual Control: Consumers have a right to exercise control over what

personal data companies collect from them and how they use it.

• Transparency: Consumers have a right to easily understandable and accessible

information about privacy and security practices.

• Respect for Context: Consumers have a right to expect that companies will

collect, use, and disclose personal data in ways that are consistent with the

context in which consumers provide the data.

• Security: Consumers have a right to secure and responsible handling of personal

data.

• Access and Accuracy: Consumers have a right to access and correct personal

data in usable formats, in a manner that is appropriate to the sensitivity of the

data and the risk of adverse consequences to consumers if the data is

inaccurate.

• Focused Collection: Consumers have a right to reasonable limits on the personal

data that companies collect and retain.

• Accountability: Consumers have a right to have personal data handled by

companies with appropriate measures in place to assure they adhere to the

Consumer Privacy Bill of Rights.

Page | 18

Delaware’s Children’s Online Protection Act

• Age verification

• Limitations to how the data of a minor is used

• Full disclosure of data being collected on a minor, and its intended use

• Prohibits sharing of data on minors with a third party.

Page | 19