The Federal Trade Commission has been toughening its stance on consumer privacy protection, and this directly affects the mobile applications banks offer their customers.
On Saturday the agency issued a report, Mobile Privacy Disclosures: Building Trust Through Transparency, that offers advice on keeping using consumers' data private. It offers recommendations to four sets of stakeholders: operating system providers (like Apple and Google), app providers, advertising networks, and app developer trade associations. Banks that provide mobile banking, PFM, trading or wallet apps fit in the app provider category.
The report cites a study showing that consumers are highly concerned about mobile device privacy: the Pew Internet and American Life Project found in September 2012 that 57% of all mobile app users have either uninstalled an app due to concerns about having to share their personal information, or declined to install an app for the same reason.
There are four main things the FTC would like mobile application developers to do to protect consumers' privacy as they bank, shop and surf the web on their mobile devices.
The FTC encourages financial companies to use its financial privacy notice prototype, which it developed with Kleimann Communication Group. The prototype aims for simplicity and the use of design techniques for better readability such as tables, headings, white space, bold text, bulleted lists and a large font size.
"A hidden challenge here is in making it easy for app developers to create good privacy policies," says Jason Hong, associate professor at the Human-Computer Interaction Institute at Carnegie Mellon University. "Most app developers are focused on making apps and on getting revenue, and don't have a lot of expertise in privacy."
The second thing the FTC asks of mobile app developers is that they provide just-in-time privacy disclosures and obtain express consent before collecting and sharing sensitive information such as financial data. One aspect of this that's not clear is whether applications that collect but then discard such data right away, rather than storing it, would be subject to this disclosure requirement. For instance, many mobile banking apps have person-to-person payments features that let the bank go into the user's address book and pull up the contact information of a friend or relative to send money to. Some banks are experimenting with using customers' geographic location information to send them a special offer (e.g. sending a customer who is shopping in the Gap a merchant-funded reward), but they don't necessarily to keep or share that information.
The FTC is aiming for transparency, according to Hong. "Right now, consumers have very little information about what data is being collected, for what purpose, and what is being done with that data," he points out.
Some of the answers about what banks will need to disclose about data collection and when may depend on the design of the app, the expectation of what the app will and won't do, and how often the app uses the customer's data, Hong says.
"In some of our research examining mobile app privacy, we found that people had a pretty good sense of some kinds of information sharing without needing to be explicitly informed of it," he says. "For example, it was clear to a large majority of participants that Google Maps was using data about their current location, since it was in the description of the app, and because it shows you your current location when you load the app. On the other hand, we also found a lot of apps where our participants were highly surprised by an app's behavior."
These include flashlight apps that require Internet access and games that use location data. "We also saw apps where people were uncomfortable with a feature, but were ok with it after it was made clear what the data was being used for," he says. "For example, there is a dictionary app for Android that uses location data. Nearly all of our participants assumed that the app used location data for ads and so were uncomfortable sharing this data. But it turns out that the app uses location data to show what words people around you are looking up, and only does so when you explicitly select the feature (rather than sharing your location data all the time). After being told this, our participants were much more comfortable with the app using their location."
There can be danger in confusing customers with too many disclosures, Hong points out. "If we're not careful, end-users could be inundated with notifications and warnings, some of which will be useful, and many of which won't be."