Article

Federal Investigators Eyeing Data Collection By Smartphone Apps

April 8, 2011

As companies continue to use smartphone applications and online services to expand their potential audiences, a federal prosecutor is exploring whether some applications illegally collect and share personal information.  A federal grand jury in New Jersey apparently is investigating whether app publishers properly disclose the full extent of their data collection and sharing practices. 

Streaming-music provider Pandora disclosed in a recent Securities and Exchange Commission filing that it and other smartphone app publishers received subpoenas about their practices in early 2011.

Prosecutors appear to be focused on whether such data collection practices violate the Computer Fraud and Abuse Act (CFAA), an anti-hacking law passed in 1994, long before the recent iPhone-fueled proliferation of mobile apps.  The Act prohibits a person or company from, knowingly and with the intent to defraud, exceeding authorized access to devices with storage capabilities.  Thus, prosecutors could be proceeding under a theory that app publishers exceed their authority to access personal information via smartphones, as users granted only limited authority to publishers when they downloaded apps.  Some mobile app publishers may be harvesting personal information, location information and financial account details made available through apps. 

Notably, the CFAA does not prevent companies from using a smartphone app or other online service to collect and share personal information.  Rather, it focuses on whether such collection exceeds authorized access and amounts to fraud.

Also, it remains to be seen whether prosecutors will proceed further than seeking subpoenas from mobile app providers.  Prosecutors may find it difficult actually to establish a CFAA violation.  In 2001, federal courts in New York and California rejected civil lawsuits claiming that installing cookies on computers violated the CFAA, holding that individual damages did not exceed the $5,000 threshold required for a CFAA claim. 

Yet, to avoid potential liability under the CFAA, companies with an online presence should conduct a thorough review of how they collect, use and share personal information-via mobile apps and other online services.  Such a review should examine whether published privacy policies reflect actual data usage practices and are reasonably comprehensive, easy to read and easy to access. 

Wiley Rein regularly helps its clients conduct reviews of current privacy practices and privacy policies, and can provide guidance on how your business can avoid potential liability under the CFAA and other privacy-related legal regimes.

Read Time: 2 min
Jump to top of page

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek