This post was written by Cynthia O’Donoghue and Nick Tyler; Paul Bond, Christopher G. Cwalina and Steven B. Roosa.
Following the widely reported allegation that a social network’s iPhone app had uploaded the names, addresses and phone numbers of users’ contacts onto their servers without permission, both Apple and U.S. legislators have moved swiftly to try to curb this practice.
Path, the company responsible, has apologised and promises to delete the uploaded contact information from its servers. Path has released a new version of the app that asks users for permission to upload their contacts onto Path’s servers (similar to their existing Android version of the app).
For its part, Apple has responded to this situation by modifying its app-related policies. Going forward, Apple will require all smartphone apps to obtain users’ permission before accessing users’ contact information. Apple’s existing iOS App Guidelines already prohibited non-consensual collection of such information, but now consent will be defined as “explicit user approval”. For existing apps, changes to the process of obtaining consent will have to wait for the next release of software.
In addition to action taken by Path and Apple, the U.S. government has initiated responsive steps. Two members of the U.S. House of Representatives, Reps. Henry Waxman (D-Cal.) and G.K. Butterfield (D-N.C.), wrote to Apple’s CEO, Tim Cook, wanting to know more about the Guidelines and iTunes Store policies. In their letter, the Congressmen cited an allegation that the practice of uploading and storing user contacts is tacitly accepted - there being “a quiet understanding among many iOS app developers” that they can do so.
If true, this would suggest that the “Path situation” is just the tip of an iceberg. With the proliferation of apps, it is easy for companies to make apps available to the public without terms and conditions and/or privacy policies alerting users to their practices – a situation that creates the potential to flout not only Apple's rules, U.S. laws, and best practices, but also global data privacy laws. Governmental and regulatory hackles will inevitably be raised, particularly as the practice in question was at the heart of Google Buzz, resulting in a class action lawsuit, a US$8.5 million settlement, and a 20-year regulatory audit program.
Not only has Path not followed Apple’s Guidelines, but Google, as reported in the Wall Street Journal, has also been accused of bypassing the default privacy settings on Apple’s Safari browser, allowing Google to track iPhone users’ behavior. Google has now disabled those cookies and stressed that “the advertising cookies do not collect personal information”, a view that may be contrary to the EU data privacy laws. Apple is “working to put a stop” to any ability to get around Safari’s default privacy settings. Consumers have already launched related class action suits against Google in federal courts in Delaware, Kansas, Missouri, and New Jersey.
Stories like these only increase awareness of regulators in the United States and across Europe. With the potential for class actions and consent decrees in the United States, and with the draft EU Data Protection Regulation setting penalties at up to 2 percent of a company’s annual worldwide turnover, organisations need to have mechanisms in place to ensure they are in compliance with their contractual obligations, such as Apple’s iOS Guidelines, and with consumer protection and worldwide privacy laws. A failure to do so will leave companies open to investigation and litigation unless they can get a firm handle on the apps that bear their name and brand reputation.
