
Digital Media, Technology & Privacy Alert >> A Fallen Warrior in the Game of Mobile Privacy

October 20, 2016

With their proximity to Silicon Valley, it is no surprise that the Golden State Warriors are leading a fast break in the NBA when it comes to technology and social media. But the Warriors' official mobile app that launched earlier this year (the "App") has been grabbing some negative headlines in the last couple of weeks. A lawsuit has been filed in San Francisco federal court alleging that the App eavesdropped on user conversations without consent, in violation of the Electronic Communications Privacy Act.

The lawsuit is seeking class action status and names as defendants the Golden State Warriors, YinzCam (the App’s developer) and Signal360 (a developer of proximity-related products that provided the beacon technology at the center of the complaint).

The filed complaint alleges that the Android version of the App uses audio beacons by activating a smartphone’s built-in microphone. Once the microphone is activated, the App "listens" to and records all audio within range, including user conversations. If the App "hears" one of Signal360's beacons, it may display an ad to the user or send information to Signal360. The complaint claims that forensic accounting of the App determined that it "constantly and continuously record[s] and analyze[s] … conversation." As long as the App is running, even in the background, it is "listening."

When the App is first downloaded onto a user's phone, it asks for certain permissions, one of which is access to the microphone. A screenshot included in the complaint shows that the disclosure merely states the App "uses the device’s microphone(s)," without further explanation of how it’s being used. Allegedly, users were never informed that they would be recorded, nor did they have the opportunity to consent or even the option to opt out of this feature.

This lawsuit has drawn the attention of users of other sports team apps. Just recently a fan filed a proposed class action suit against the Indianapolis Colts and YinzCam (the same app developer used by the Golden State Warriors) over the Colts’ fan app, alleging substantially similar violations.

Teams and leagues in every sport are rushing to take advantage of mobile technologies, seeking to reach fans in their arenas as well as in the world at large. This case holds many lessons in mobile privacy for teams, leagues, app developers, companies and other location-based services that use beacon technology.

Transparent Disclosures
Transparency is key when it comes to consumer privacy. Disclosures of material issues regarding data collection and use should be made separate and apart from privacy policies, either through just-in-time notices at the point of data collection, privacy dashboards or unique icons, or through some other conspicuous method. These approaches were endorsed by the Federal Trade Commission (FTC) in its 2013 staff report "Mobile Privacy Disclosures – Building Trust Through Transparency."

Therefore, companies and their app developers following best practices should:

  • Ensure there is a privacy notice that discloses, among other things: categories of information collected and the methods by which information is collected, categories of third parties with which information may be shared, and the process by which consumers can review and request changes to their information;
  • Make the privacy notice easily accessible through the app and app stores;
  • Coordinate and communicate efficiently with ad networks, analytics companies and other third parties that provide services for the app so that accurate and comprehensive disclosures can be made to consumers;
  • Make sure changes to data use practices are effectively communicated to consumers; and
  • Consider using short form privacy notices, layered notices or icons to address the space limitations on mobile devices.

Consent, Controls and Choices
In addition to the information disclosed by the app to the consumer, another crucial issue to keep in mind when developing and launching an app is what information the consumer is giving to the app, including the scope of the consent provided and consumers' ability to exercise control over their choices. Consumers should have the ability to affirmatively consent to, control and choose how and what an app does with information that belongs to them.

Therefore, companies and their app developers following best practices should:

  • Obtain affirmative express consent before collecting and sharing sensitive information;
  • Use clear opt-in mechanisms for accessing the location, camera, photo or microphone functions on a consumer’s phone, as all of these are increasingly considered access points to sensitive, private information;
  • Provide opt-out controls where feasible, particularly if data is sensitive and/or used in a non-obvious way; and
  • Simplify consumer controls and choices so that they are easy to navigate and comprehend.

Privacy by Design
To avoid mistakes and oversights involving consumer privacy, companies and app developers should practice Privacy by Design (PbD). Since 2012, the FTC has been urging companies to adopt PbD by proactively incorporating and promoting privacy and data protection at every stage in the development of their products and services, and not after the fact.

PbD comprises seven principles that help guide data security and privacy decisions when designing, operating and managing apps:

  • Proactive, Not Reactive; Preventative, Not Remedial. Companies need to be proactive in identifying and preventing data privacy and security risks before they occur.
  • Privacy as the Default Setting. Personal data should be automatically protected with no action required by the data subject.
  • Privacy Embedded Into Design. Security safeguards should be incorporated into app design and fully integrated into the components of the app and not as options or add-ons.
  • Full Functionality – Positive-Sum, Not Zero-Sum. Both privacy and security are equally important design goals. PbD opposes the zero-sum approach where tradeoffs are made to accommodate one or the other.
  • End-to-End Security – Full Lifecycle Protection. Protection should be provided throughout the entirety of a piece of data's lifecycle.
  • Visibility and Transparency – Keep It Open. Companies should act in such a way that assures stakeholders that the companies' business practices, products and technologies are operating according to objectives and promises, and are subject to independent verification.
  • Respect for User Privacy – Keep It User-Centric. When designing an app, keep individual privacy interests at the forefront of priorities.

The mobile ecosystem is changing rapidly. As more and more technology and apps are created and used, mobile privacy becomes increasingly important. As regulators and lawmakers move forward with an eye towards privacy, new laws may soon be passed for mobile device recording and its disclosure and consent requirements. Such laws have already appeared in California governing the consent and disclosure requirements for voice-controlled televisions, with Assembly Bill No. 1116 taking effect January 1 of this year. Mobile devices can’t be far behind. Teams, leagues and facility operators, along with their app developers, need to be mindful of the relevant laws and best practices surrounding app development and new technology.

The Bottom Line

Teams, leagues and businesses seeking to take advantage of mobile technology need to carefully consider how to implement mobile technology offerings with transparent disclosures, clear consent and built-in privacy protections. Companies should also take advantage of self-regulatory programs, trade associations and industry organizations, all of which can provide guidance on best industry practices.