California Attorney General Announces Privacy Recommendations for Mobile Apps and the Mobile Industry


Yesterday Kamala Harris, California's Attorney General, issued Privacy on the Go: Recommendations for the Mobile Ecosystem. The report and recommendations are intended to encourage app developers and others in the mobile ecosystem to consider privacy at the beginning of the design process, and to provide detailed suggestions for providing notice of privacy practices.

The recommendations do not have the force of law, but their publication is the latest message from the Attorney General that privacy is at the top of her agenda. California leads the country with the number of privacy laws, and Attorney General Harris has interpreted California's Online Privacy Protection Act as requiring mobile apps that collect personal information to have a privacy policy. In 2012 she sent letters to approximately 100 mobile app developers and companies that were not in compliance with the California Online Privacy Protection Act and gave them 30 days to post a conspicuous privacy policy. A few months later, she filed the state's first mobile privacy enforcement action against a mobile app developer for failing to provide a privacy policy. Earlier in 2012, she announced a Joint Statement of [Privacy] Principles with the companies whose platforms comprise the majority of the mobile app market (Amazon, Apple, Facebook, Google, Hewlett-Packard, Microsoft, and Research In Motion), and she announced the creation of the Privacy Enforcement and Protection Unit.

Privacy on the Go: Recommendations for the Mobile Ecosystem

Most of the recommendations are directed to mobile app developers, but there are also recommendations for others in the industry, including hardware manufacturers, operating system developers, mobile telecommunications carriers, and advertising networks.

A recurring theme in the recommendations is to "minimize surprises to users from unexpected privacy practices." Privacy on the Go recommends that (1) mobile apps avoid collecting personally identifiable data from users that are not needed for an app's basic functionality, and (2) app developers supplement a general privacy policy "with enhanced measures to alert users and give them control over data practices that are not related to an app's basic functionality or that involve sensitive information." Such enhanced notice and control might be provided through special notices that are delivered in context and "just in time." For example, operating systems that use location data can deliver a notice just before collecting the data and give users an opportunity to allow or prevent the practice. The report also provides a checklist for building privacy into app development.

The following are some of the more significant recommendations.

Recommendations for App Developers:

  • Start with a data checklist to review the personally identifiable data your app could collect, and use it to make decisions on your privacy practices.
  • Avoid or limit collecting personally identifiable data not needed for your app's basic functionality.
  • Develop a privacy policy that is clear, accurate, and conspicuously accessible to users and potential users.
  • Use enhanced measures - "special notices" or the combination of a short privacy statement and privacy controls - to draw users' attention to data practices that may be unexpected and to enable them to make meaningful choices.

Recommendations for App Platform Providers:

  • Make app privacy policies accessible from the app platform so that they may be reviewed before a user downloads an app.
  • Use the platform to educate users on mobile privacy.
  • Provide app users with tools to report apps that do not comply with applicable laws or with their own privacy policies or terms of service, or about which users have questions.

Recommendations for Mobile Ad Networks:

  • Avoid using out-of-app ads that are delivered by modifying browser settings or placing icons on the mobile desktop.
  • Have a privacy policy and provide it to the app developers who will enable the delivery of targeted ads through your network.
  • Move away from the use of interchangeable device-specific identifiers and transition to app-specific or temporary device identifiers.

Recommendations for Operating System Developers:

  • Develop global privacy settings that allow users to control the data and device features accessible to apps.
  • Work with mobile carriers and other appropriate parties to facilitate timely patching of security vulnerabilities.
  • Work with device manufacturers and mobile carriers on setting cross-platform standards for privacy controls, means of enabling the delivery of special privacy notices, and privacy icons.
  • Provide tools for app developers that enable comprehensive evaluation of data collection, use, and transmission.

Recommendations for Mobile Carriers:

  • Leverage your ongoing relationship with your mobile customers to educate them on privacy protection.
  • Encourage consumers to review the app privacy policy statement before downloading an app.
  • Encourage consumers to look for privacy choices and controls in apps after downloading.
  • Help educate parents on mobile privacy and safety for their children. Consider, for example, providing information on available resources, such as the FTC's information for parents on the Children's Online Privacy Protection Act.

Attorney General Harris is also participating in the multi-stakeholder process facilitated by the National Telecommunications and Information Administration (NTIA) to develop an enforceable code of conduct on mobile app transparency. The next NTIA meeting will be on January 17.

For more information about these new mobile privacy recommendations or other privacy topics, please contact Ieuan Jolly, Michael Thurman or Brian Nixon.