App makers issuing disclosures under Apple Inc.'s new privacy label regime could face scrutiny from federal regulators and potential consumer class action lawsuits if their reporting is considered misleading or inaccurate.
The labels outline types of data an app collects and whether that data is linked to app users or used to track them. They’re meant to make data use and protection easier to understand, since consumers often don’t read through privacy policies before agreeing to them.
What gets said in the labels, or left out of them, could trigger enforcement action from the Federal Trade Commission, which oversees privacy promises made to consumers. The labels could also become fodder for class action lawyers to pursue perceived violations of state consumer protection laws.
The labels show how a corporate giant can serve a regulatory role by requiring new disclosures, though the content is self-reported so members of Congress and the media have raised concerns about accuracy, and whether Apple should do more to verify what app makers say.
“It’s unrealistic to expect Apple to do the policing,” said Jenny Colgate, a member at law firm Rothwell, Figg, Ernst & Manbeck P.C.
Colgate said any privacy misstatements would ultimately fall under the purview of consumer protection regulators like the FTC.
Apple launched the labels in December, and the added disclosures are now required for submitting new apps and app updates to its app store.
App makers will face “a learning curve” as they try to align what’s in their privacy policies with what they disclose on Apple’s platform, according to Daniel Goldberg, a partner in the privacy and data security group at Frankfurt Kurnit Klein & Selz PC.
Goldberg said Apple’s categories of personal data and descriptions of how data is used may differ from existing definitions, which could lead to confusion and bring regulatory attention. Most privacy policies focus on data collection, use, and sharing, while the labels concentrate on data tracking and linkage, he said.
Apps whose privacy practices aren’t accurately disclosed could be subject to enforcement action under Section 5 of the Federal Trade Commission Act, which protects against unfair or deceptive business practices.
A spokeswoman for the FTC said the agency can’t comment on any potential investigations or in reference to specific companies like Apple. But she added that “the FTC monitors the marketplace to ensure companies keep their privacy promises to consumers.”
Apps could also be held liable under consumer protection laws at the state level, either by state attorneys general or in consumer class action lawsuits.
In California, for example, the attorney general could look at the privacy labels under state laws similar to the FTC Act. When asked about the privacy labels, California Attorney General Xavier Becerra’s press office said it can’t comment on potential or ongoing investigations or any complaints that have been filed.
Consumers could also pursue class actions under laws such as California’s Unfair Competition Law, False Advertising Law, and Consumer Legal Remedies Act.
“If a developer’s disclosure is misleading, it likely would violate consumer protection laws,” said Timothy Blood, a co-founding partner at Blood Hurst & O’Reardon LLP who also sits on the board of Consumer Attorneys of California, a professional organization for plaintiffs’ lawyers.
Consumers couldn’t bring claims under the California Consumer Privacy Act because the law’s allowance for private suits is limited to instances of data breaches, Blood added.
Apps available in Apple’s app store are already required to post privacy policies, though the policies can be dense and difficult for consumers to understand.
What’s reported in the labels likely will be drawn from these existing policies, according to James Cooper, a former FTC official who now teaches law at George Mason University.
“So in some ways I don’t know if it’s making new information available,” Cooper said. “But it’s making information more digestible and dramatically lowering the cost of getting it.”
The labels’ standardized format could make it easier to compare privacy promises across apps and help regulators or watchdog groups review their accuracy.
A disclaimer included in the app privacy labels says the information hasn’t been verified by Apple, though the company routinely audits information provided by app developers and responds to reports of inaccuracies. Apple says it works with developers to correct issues, and apps that fail to comply may be removed from its app store.
Apple would know what permissions an app is asking for, like accessing a user’s location. That means the iPhone maker would have a sense of what data is collected, according to John Verdi, vice president of policy at the nonprofit Future of Privacy Forum.
But “Apple will have a tough time knowing if an app developer is being truthful about what the data is being used for,” Verdi said.