California Attorney General Kamala Harris has issued mobile app privacy best practices guidelines that could have significant effects on the mobile marketplace.

The AG’s report, “Privacy on the Go: Recommendations for the Mobile Ecosystem,” encourages app developers and other players in the mobile industry to consider privacy issues at the start of the development process and to go well beyond the state’s online privacy law in providing users with transparent notice, controls over data practices and minimizing information collection.

The codes of conduct differ from best practices.  They entail binding promises to follow the terms of the code, rather than guidelines for good business practices.  Furthermore, the AG Guidelines address more fair information practices (FIPs) and many more entities in the mobile ecosystem than does the multi-stakeholder process.  For these reasons, it remains to be seen whether the AG Guidelines will influence the NTIA code of conduct significantly.

The AG’s Office is also considering proposing amendments to expand California’s Online Privacy Protection Act, which currently requires high-level notice of websites’ and online services’ privacy practices.  A high-ranking official in the California Attorney General’s Office indicated the day that the Guidelines were released that although the AG may recommend legislation, she will not propose codifying the Guidelines.  However, it is possible that legislators may nonetheless introduce legislation modeled on the Guidelines.

The AG Guidelines offer a number of wide-ranging recommendations, which are primarily directed toward app developers, but also toward app platform providers, advertising networks, operating system developers and mobile carriers.

The Report recommends a “surprise minimization” approach to minimize unpleasant surprises to users from unexpected privacy practices and “supplement the legally required general privacy policy with enhanced measures to alert users and give them control over data practices that are not related to an app’s basic functionality or that involve sensitive information.”

Overview of key recommendations

For app developers, the Report suggests the following high-level “best practices” (as well as more detailed specific recommendations):

  • Create a data checklist to assess the personally identifiable data your app could collect, and use it to make decisions on your privacy practices, including what data you ultimately collect, how it is used, how long it is retained, with whom it is shared, how it is secured, and what choices you will give users about their data.
  • Avoid or minimize collecting personally identifiable data for uses not related to your app’s basic functionality; avoid or limit the collection of sensitive information.
  • Develop a privacy policy that is clear, understandable, accurate and conspicuously accessible to users and potential users.
  • Implement procedures for deleting personally identifiable user data that you no longer need.
  • Supplement your general privacy policy with enhanced measures – “special notices” or the combination of a short privacy statement and privacy controls – to draw users’ attention to data practices that may be unexpected and to enable them to make meaningful choices.

The Guidelines encourage app platform providersto make app privacy policies conspicuously accessible from the app platform, so that they may be reviewed before a user downloads an app.  Further, app platform providers should use the platform to educate users on mobile privacy and provide them with tools to report apps that do not comply with applicable laws, privacy policies or terms of service.

The Guidelines also encourage mobile advertising networksto shift away from the use of interchangeable device-specific identifiers and transition to app-specific or temporary device identifiers.  Additionally, ad networks should avoid using out-of-app ads that are delivered by modifying browser settings or placing icons on the mobile desktop.  They should also have a privacy policy that describes their practices, and this should be provided to the app developers who will enable the delivery of targeted ads through the ad network.

Moreover, operating system developers are recommended to develop global privacy settings allowing users to control the data and device features accessible to apps, and mobile carriersare recommended to leverage their ongoing relationship with mobile customers to educate them on mobile privacy and particularly on children’s privacy.  Both operating system developers and mobile carriers are encouraged to work together and with other appropriate parties to facilitate timely patching of security vulnerabilities.

Additionally, the Report suggests that the full range of Fair Information Practice Principles (FIPPs) developed by the Organization for Economic Cooperation and Development applies to mobile app collected data.  These broad principles include transparency, purpose specification, collection limitation, use limitation, individual participation, data quality, security and accountability.

According to the Report, AG Harris consulted with a “broad spectrum of stakeholders” in developing the Guidelines, including app developers, app platform providers, advertising networks, operating system developers, mobile carriers, device manufacturers, security and privacy professionals, academics and privacy groups.

Thinking ahead . . .

Privacy issues raised by mobile apps issues have been a continued area of interest not only of the California AG’s Office, but also for the plaintiffs’ class action bar and the Federal Trade Commission.  It is important for app developers, app platform providers, advertising networks, operating system developers, mobile carriers and all others in the mobile app ecosystem to stay abreast of privacy developments affecting mobile apps, to review and reassess their current mobile app privacy practices, and to begin considering how they can bring their mobile app privacy practices more in line with FTC pronouncements and the CA AG’s Guidelines.

DLA Piper represents a coalition of leading media and technology companies that is committed to working with the CA AG and other regulators to develop a set of reasonable “best practices” for mobile app privacy, while ensuring that this does not stifle technological innovation or harm the mobile app economy.