The data free-for-all that’s been enjoyed by the app industry is over … more or less. No longer should the industry expect to collect and use customer data – so accessible and abundant in smartphones and tablets – without notice to its customers. Since the Path fiasco (and the revelation of other major data collection controversies), data collection practices by companies with mobile applications have come under increased scrutiny on a number of levels. Congress, federal regulators (like the FTC), state regulators (like the California Attorney General), consumer advocacy groups and the media are in action mode.
Initiatives by some state and federal regulators have clearly been in the works for some time. But the Path story – in which the app company acknowledged that it took users’ address book data without permission when the app loaded on an iPhone or Android machine — brought another group into the mix of those in pursuit of the app world and its data collection practices: plaintiffs’ attorneys. A class action suit was filed in federal district court in Texas in mid-March against Path, Twitter, Apple, Facebook and other companies with online services that use consumer address books. While the suit may not get very far – the complaint does not allege much in the way of damages other than privacy violations – it nonetheless is an added cost for the companies that have to defend against it.
The best way to shift the harsh light of public concern away from the app industry is for the industry to change its practices. This has been under way since the big six mobile application platforms entered into an agreement with the California Attorney General in late February. Apple, Google, Microsoft, Amazon, Hewlett-Packard and Research In Motion signed onto a Joint Statement of Principles with the attorney general that aims to “increase awareness among application developers about their obligations to respect consumer privacy and to promote transparency in privacy practices” (and to get apps to comply with the California Online Privacy Protection Act, which is basis of the AG’s agreement).
Toward this end, the Big Six agreed to help build the framework requiring privacy policies (and easy access to those policies) for mobile applications that collect personal data. The principles are as follows:
(1) Where required by law, apps that collect personal data must conspicuously post their privacy policies, providing clear and complete information on how that data is collected and used.
(2) The Big Six will require apps to demonstrate clear access to privacy policies as a part of the application submission process (for launch on the mobile app platforms).
(3) The Big Six will develop systems for customers to report apps that do not comply with their terms of service and/or laws.
(4) The Big Six will develop systems to respond to non-compliance.
(5) The Big Six will continue to work with the AG on effective privacy measures, agreeing to reconvene in six months to evaluate privacy measures.
Notably, this agreement is yet one more instance of the way in which government agents are deputizing private companies to carry out their initiatives. While exerting pressure on major players has historically been an expeditious tack taken occasionally by government regulators, in the online world, it is the default strategy.
Here, the Big Six are clearly acting as gatekeepers to carry out the California AG’s goals: they will require app developers to institute privacy policies and they will monitor and enforce compliance. Similar deputized roles are being assumed by search engines (like Google, again) through the White House’s initiatives in its Online Privacy Bill of Rights and regulatory enforcement actions.
At first glance, this may seem troubling – who wants yet another layer of oversight? But the government and major players may be right. There are two somewhat opposing issues: interest in privacy protection and interest in encouraging app industry growth. Who best to figure the balance than companies that have skin in the game?