January 10, 2013 – California Attorney General Kamala Harris today issued “Privacy on The Go: Recommendations For The Mobile Ecosystem,” the goal of which is to provide mobile app developers and other parties with guidance for considering privacy early in the app development process.
Not surprisingly, the guidance recommends minimizing data collected by apps, developing a privacy policy that is clear, accurate, and conspicuous, and “minimizing surprise” by drawing users’ attention to data practices that may be unexpected and enabling them to make meaningful choices.
Describing them as “enhanced measures,” the guidance calls for apps to provide “special notices” outside of a privacy policy that alert a mobile device user to the app’s collection of sensitive information or personally identifiable data “not needed for its basic functionality,” as well as for the sharing of personal data with other businesses, access to certain device information or a change in the app’s data practices involving new uses or disclosures.
In each instance, the guidance recommends that such alerts be provided “in context, in many cases just before the specific data are to be collected,” and that the app explain the intended uses, identify any third parties who may receive the data, and obtain the user’s affirmative (opt-in) consent before the data is collected and used by an app.
The guidance comes on the heels of other recent activity by the Attorney General in the mobile app space, including formal notification of up to 100 mobile app developers and companies in October 2012 that they were not in compliance with California privacy law because they had failed to conspicuously post privacy policies within their apps. The letter offered a way for apps to be in compliance with the law by providing a link within the app to a privacy policy posted online. California’s guidance released today, however, says such a link should be included in the app “if feasible,” recommending the “enhanced measures” described above as the first option.
In response to the release, a group of Internet marketing and advertising trade associations co-signed a letter to the California Attorney General outlining their “significant concerns” with the newly released recommendations. The letter faults the AG for stating that the recommendations were based on prior consultations with a “broad spectrum” of stakeholders, which did not include their associations or “thousands of member companies” that reflect the industry perspective. “As a result,” states the letter, “industries involved in retail, banking, advertising, insurance, travel, gaming, entertainment and media are only now beginning to learn that these guidelines have even been drafted.”
The letter also notes that industry has been working to address mobile data practices at the federal level with the Department of Commerce, whose National Telecommunications and Information Administration (NTIA) has hosted an open multistakeholder process including extensive public notice and comment periods. In addition to the potential confusion California’s release will cause, the industry letter argues that the AG’s “recommendations extend far beyond existing legal requirements under California law” and that, “if implemented, will chill innovation in the marketplace, cost jobs, harm California’s economy, and deprive consumers of the benefits of mobile applications, products, and services.”