Mobile App Developers Need To Have A Privacy Policy If They Want To Do Business With Apple, Google, Amazon… And Capitalize On Social Media

more+
less-

“Say what you mean, and mean what you say.” This simple expression is very fitting for how mobile app developers should be drafting their privacy policies. Now that the major platforms for your apps have entered into an agreement with the California Attorney General’s Office to ensure that mobile apps that collect personal information have a privacy policy, some guidance on what this means for your business may come in handy.

 1. California Attorney General’s Agreement With App Platforms = Mandatory Privacy Policy For App Developers.

This agreement was reached with Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research in Motion (Blackberry). The California AG wanted the agreement as a way to force apps, many of which do not have any privacy policy, to comply with the California Online Privacy Protection Act (“CA OPPA”).

The CA OPPA requires an operator of a commercial website or online service that collects personally identifiable information from consumers (e.g. name, address, phone number, or email address), to have a privacy policy which describes, among other things, “the categories of personally identifiable information” that is being collected, and the categories of third parties who may also have access to this information. The privacy policy must be posted conspicuously with CA OPPA setting forth alternative ways in which this can be done, and it must also describe how consumers will be notified of material changes in the privacy policy. Cal. Bus. & Prof. Code §§ 22575-22579.

The agreement with the California AG also means that consumers must have the opportunity to review your app’s privacy policy before downloading the app. If app developers do not comply with their stated privacy policies, they can be prosecuted under California’s Unfair Competition Law and its False Advertising Law. These same risks of being sued already exist under Section 5(a) of the Federal Trade Commission’s Act. The FTC Act prohibits unfair or deceptive acts of practices. 15 U.S.C. §45(a). The state and federal agencies have made it clear through their actions that they take privacy protections very seriously, and are pursuing legal actions against businesses irrespective of their size. Some of these actions by the FTC are discussed here, and, more recently, the FTC settled an action against Myspace.

2. Common Privacy Mistakes to Avoid.

The common theme in these FTC privacy cases is that there has been an alleged disconnect between what the social media sites have been telling consumers about how their personal data is being collected, used, or shared, and what the sites are actually doing. The FTC also expects that when privacy policies state that reasonable measures are being taken to protect the personal information of users that the website collecting the information is taking reasonable precautions. As demonstrated by Anonymous, there is no fail safe method to stop cyberhacking (with even websites owned by the FTC and the Bureau of Consumer Protection being hacked in February 2012), but reasonable steps need to be taken.

On the bright side, there is incredible demand for your apps so you should not be dissuaded from spending some time and money to comply with state and federal privacy laws. Mobile app developers are in a great position to make lots of money from developing apps for smart phones, tablets, etc. It is estimated that 98 billion mobile applications will be downloaded by 2015, and the $6.8 billion market for mobile apps is expected to grow to $25 billion in the next four years.

3. Some Hallmarks of a Good Privacy Policy.

Here are some recommendations to get you started:

(1) Ensure that your privacy policy is current and reflects what state and federal laws are requiring in terms of what the privacy policy must disclose, how the disclosure must be made, and what you need to do to notify consumers of changes in your privacy policy. It is also a good idea in general to have consumers buy in to the privacy policy and your terms of use.

(2) Make sure the privacy policy reflects what information is being collected from users, and that the disclosures are being stated without unnecessary and lengthy legalese. Ask yourself if someone at a seventh-grade reading level would understand your privacy policy. Simple and short disclosures are ideal especially because they are being viewed on small screens.

(3) If you are using a social media analytics company, advertising company, or third party to provide services with your app, make sure they have received a copy of your privacy policy and that they are not collecting or using consumer information in ways that you have not disclosed in your privacy policy. Make sure your privacy policy discloses that you are sharing consumer information with these third party service providers.

(4) Is the website using your app under any legal requirement (such as a consent decree with the FTC) to get express permission from users in advance to share information with your app. If so, you may want to ask the website for reasonable assurances that they have done so.

(5) If your app is intended for use by kids, make sure your privacy policy complies with the additional requirements of the Children’s Online Privacy Protection Act (“COPPA“). Also, it is a good business practice to let parents know in advance if your app has in-app purchase capabilities prior to it being downloaded.

(6) Take reasonable measures to safeguard consumer information. Conduct an audit on how consumer information is being safeguarded. Learn from the mistakes of other businesses. Here are some suggestions taken from the FTC settlement with Twitter over some hackers who gained administrative access to Twitter personal accounts on Twitter.