On February 22, 2012, California Attorney General Kamala D. Harris announced an agreement with the operators of the six major “app stores” to provide consumers an opportunity to review an app’s privacy policy before downloading the app. The deal with six companies, Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research in Motion requires the app stores to present consumers with the privacy policy for any app that collects personal information.
None of the mobile carriers were involved in the California agreement. The reason for the agreement, according to the AG’s press release, was to bring mobile apps into compliance with the California Online Privacy Protection Act, Calif. Bus. And Prof. Codes,§ 22575-22579. The Act requires operators of commercial websites and “online services” who collect personally identifiable information about Californians to conspicuously post a privacy policy. According to the AG’s office, an “online service” would include a mobile app. According to the Attorney General, only five percent of all mobile apps have a privacy policy.
The agreement further commits the six companies to educate developers about consumer privacy, disclosing to consumers what private information they collect, how they use it and with whom it is shared. In addition, the app stores are to work to improve compliance with privacy laws by giving users tools to report non-compliant apps and collaborate with app developers to implement processes to respond to those reports.
A few days later, Europe’s largest mobile operators and a U.K.-based industry group unveiled voluntary privacy guidelines for mobile app development. These guidelines are for the carriers’ own branded apps, but are designed for all companies that collect and process mobile users’ personal information, including mobile operators, app developers, device makers, and platform providers. The main thrust of the guidelines is for the apps to inform users about what personal information an app will access, store or share, as well as their reasons for using the information. In addition, the guidelines say that an app should gain users’ explicit permission when collection of their information is not essential to the primary purpose of the app, when it shares their information with a third party and when information is retained after immediate use of an app.
“In order to maintain the strong growth in both the sales and popularity of mobile apps, customers need to be confident that their privacy is protected when they use them,” GSMA member Vodafone’s privacy officer Stephen Deadman said in a statement. “This is the responsibility of the entire mobile industry, and these guidelines set an important standard in defining what consumers should expect from their apps.”
Written by Bruce Sarkisian, Associate | Alston & Bird LLP