Privacy Issues to Consider When Developing a Mobile App

BCLP

Many of the most popular mobile apps collect personally identifiable information. Although most app developers are not required to display a privacy policy under federal law, they are contractually required to do so pursuant to the terms and conditions of the websites that market most major mobile device applications (e.g., the Apple Store or Google Play). In addition, the California Attorney General has taken the position that applications that collect personal information are required to post a privacy policy pursuant to the CalOPPA.

Consider the following privacy issues when developing a mobile app:

  1. Does the app have a privacy policy? Privacy policies are a best practice if the app will be used in connection with personally identifiable information. As discussed above, there is also an argument that a privacy policy may be required if the app solicits information from California residents.
  2. Is the app directed to users younger than 13? Under the Children’s Online Privacy Protection Act (“COPPA”), if the app collects information from children it must include a privacy policy as well as comply with additional requirements imposed under that Act. 
  3. How is personally identifiable information stored by the app? Apps can store data in multiple places, including the device, backups of the device, and the app provider’s servers. A best practice is for a mobile app’s privacy policy to state accurately where personally identifiable information is stored.
  4. Does the app communicate personally identifiable information to others? A useful privacy policy accurately states whether data that the user provides is relayed to anyone else.
  5. Does the mobile app provider securely communicate any personally identifiable information? A 2013 study concluded that 18 percent of apps sent usernames and passwords by non-encrypted communications.[1] Consider stating within the app’s privacy policy whether the app transmits personally identifiable information, and, if so, whether the information is encrypted in transit.
  6. If the app crashes, does diagnostic data about the crash include personally identifiable information? Some apps do not transmit personally identifiable information in their normal operation, but diagnostic data may inadvertently capture such information in an unencrypted manner.
  7. Can access to the app be revoked remotely? The revocation of access to an app potentially raises privacy concerns that may need to be addressed in a privacy policy.

 The following provides snapshot information concerning mobile app privacy policies. 

$2,500

Possible penalty under California law for each app downloaded without a privacy policy.[2]

11%

Percentage of banking related apps that contain harmful code.[3]

>60%

Percentage of popular dating apps vulnerable to hacker exfiltration of PII.[4]

[1] PR Newswire, IBM Security Finds Over 60 Percent of Popular Dating Apps Vulnerable to Hackers, (February 11, 2015), http://www.prnewswire.com/news-releases/ibm-security-finds-over-60-percent-of-popular-dating-apps-vulnerable-to-hackers-300034321.html

[2] California Attorney General Website, Attorney General Kamala D. Harris Notifies Mobile App Developers of Non-Compliance with California Privacy Law (October 30, 2012), http://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-notifies-mobile-app-developers-non-compliance

[3] Pierluigi Paganini, 11 percent of mobile banking apps includes harmful code, Security Affairs, (February 7, 2015), http://securityaffairs.co/wordpress/33212/malware/mobile-banking-apps-suspect.html

[4] PR Newswire, IBM Security Finds Over 60 Percent of Popular Dating Apps Vulnerable to Hackers, (February 11, 2015), http://www.prnewswire.com/news-releases/ibm-security-finds-over-60-percent-of-popular-dating-apps-vulnerable-to-hackers-300034321.html

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BCLP | Attorney Advertising
