Many of the most popular mobile apps collect personally identifiable information.  Although most app developers are not required to display a privacy policy under federal law, they are contractually required to do so pursuant to the terms and conditions of the websites that market most major mobile device applications (e.g., the Apple Store, or Google Play).  In addition, the California Attorney General has taken the position that applications that collect personal information are required to post a privacy policy pursuant to the CalOPPA discussed in the previous section.

Consider the following privacy issues when developing a mobile app:

1. Does the app have a privacy policy? Privacy policies are a best practice if the app will be used in connection with personally identifiable information.  As discussed above, there is also an argument that they may be required if they solicit information from California residents.
2. Is the app directed to users younger than 13? Under the Children’s Online Privacy Protection Act (“COPPA”), if the app collects information from children it must include a privacy policy as well as comply with additional requirements imposed under that Act.  See the section titled Collecting Information From Children for more information.
3. How is personally identifiable information stored by the app? Apps can store data in multiple places, including the device, backups of the device, and the app provider’s servers.  A best practice is for a mobile app’s privacy policy to state accurately where personally identifiable information is stored.
4. Does the app communicate personally identifiable information to others? A useful privacy policy accurately states whether data that the user provides is relayed to anyone else.
5. Does the mobile app provider securely communicate any personally identifiable information? A 2016 study concluded that 35 percent of apps utilize non-encrypted communications.   Consider stating within the app’s privacy policy whether the app transmits personally identifiable information, and, if so, whether the information is encrypted in transit.

1. California Online Privacy Protection Act (CalOPPA), Consumer Fed’n of Cal. Educ. Found. (July 29, 2015), https://consumercal.org/about-cfc/cfc-education-foundation/california-online-privacy-protection-act-caloppa-3/.

2. Pierluigi Paganini, 11 Percent of Mobile Banking Apps Include Harmful Code, Sec. Affairs (Feb. 7, 2015), http://securityaffairs.co/wordpress/33212/malware/mobile-banking-apps-suspect.html. 

3. Arxan Tech., Inc., 5^th Annual State of Application Security Report: Perception vs. Reality, 2 (2016), https://www.arxan.com/wp-content/uploads/2016/07/Consolidated-Report-SINGLE-PAGE.pdf.

4. IBM Sec. Intelligence, IBM Security Analysis: Dating Apps Vulnerabilities & Risks to Enterprises, 2 (2015), http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH&infotype=SA&appname=SCTE_WG_WM_USEN&htmlfid= WGL03072USEN&attachment=WGL03072USEN.PDF.

[View source.]