Abstract
Activision Blizzard, Inc., which acquired Candy Crush Saga for $5.8 billion in 2016, sounded a warning in its latest filings with the Securities and Exchange Commission (SEC), about its dependency on mobile platforms. If these platforms would be required to change "how the personal information of consumers is made available to developers, our business could be negatively impacted." [1] This paper seeks to systematically examine the dependence of mobile apps on mobile platforms for the collection and use of personal information. The paper discusses how app business models are shaped by governance of user data by mobile platforms, in order to reflect on the role of platforms in privacy regulation more generally. The paper is based upon a study examining privacy and data-related disclosures filed by public companies with the SEC, which we anticipate producing new and unique insights into the data practices and data-related aspects of the business models of popular mobile apps.
Many of the companies behind popular apps have been private companies with closed books, and a full understanding of their data collection practices and business models has been difficult. [2] However there have recently been a number of initial public offerings (IPOs) by major mobile app companies, and a flurry of acquisitions by public companies. This development means that many mobile app companies are required to make certain disclosures to the SEC. These disclosure requirements include the most significant "risk factors" associated with a company's business, including relating to data collection, data privacy, personal information, and role of mobile platforms. This study shows how an examination of SEC disclosures can be uniquely illuminating for communications policy and can provide a new insight into mobile privacy. A preliminary analysis we conducted when designing this study revealed that SEC disclosures by the largest mobile app companies shed light on the gatekeeping role mobile platforms perform in terms the collection and use of personal information. [3] SEC filings can also reveal information on a mobile app company's data practices, and the role user data analytics play in its business model. [4]
The study we will first select public companies that predominantly operate their business, or important parts of their business, as an app in the mobile app environment. Second, a set of specific issues will be analyzed, including collection and use of personal information, use of data analytics software on mobile devices, and the role of mobile platforms in the collection and use of personal information, and The SEC filings over a period will be examined, to discover whether data practices and risks have changed over time. Finally, the findings will be discussed having regard to privacy policies of the respective companies, to determine any differences, and discuss the relevance of both SEC disclosures and privacy policies for transparency purposes. The paper will add to the scholarship on privacy disclosures and builds upon recent research on cybersecurity disclosures and SEC filings. [5] However, scholars have not yet examined SEC disclosures concerning data privacy in mobile app ecosystems or used SEC filings to look at business-to-platform dependencies.
[1] Activision Blizzard, Inc., Form 10-K, February 27, 2018, p. 21, https://investor.activision.com/node/31141/html.
[2] See e.g., I. Liccardi, J. Patoy, and D. Weitzner, "Improving Mobile App Selection through Transparency and Better Permission Analysis," (2013) 5 Journal of Privacy and Confidentiality 1; J. Zang, et al., "Who Knows What About Me? A Survey of Behind the Scenes Personal Data Sharing to Third Parties by Mobile Apps," Technology Science, October 30, 2015.
[3] See e.g., Zynga Inc., Form 10-K, February 15, 2017, p. 11; or Twitter, Inc., Form 10-K, February 17, 2017, p. 31.
[4] King Digital Entertainment plc, Form F-1, February 18, 2014, p. 4, https://www.sec.gov/Archives/edgar/data/1580732/000119312514056089/d564433df1.htm#toc564433_1.
[5] See J. Bronstein, "The Balance Between Informing Investors and Protecting Companies: A Look at the Division of Corporation Finance's Recent Guidelines on Cybersecurity Disclosure Requirements," 13 N.C. J.L. & Tech. 257 (2012); S. Young, "Contemplating Corporate Disclosure Obligations Arising from Cybersecurity Breaches,"38 J. Corp. L. 659 (2013); M. Ferraro, "Groundbreaking or Broken? An Analysis of SEC Cybersecurity Disclosure Guidance, Its Effectiveness, and Implications," 7 lb. L. Rev. 297 (2014); N. Avellan, "The Securities and Exchange Commission and the Growing Need for Cybersecurity in Modern Corporate America," 54 Washburn L.J. 193 (2014); and L. Selznick and C. LaMacchia, "Cybersecurity: Should the SEC Be Sticking Its Nose under This Tent," 2016 U. Ill. J.L. Tech. & Pol'y 35 (2016).
