California Attorney General Kamala Harris has issued mobile app privacy best practices guidelines that could have significant effects on the mobile marketplace.
The AG’s report, “Privacy on the Go: Recommendations for the Mobile Ecosystem,” encourages app developers and other players in the mobile industry to consider privacy issues at the start of the development process and to go well beyond the state’s online privacy law, both in providing users with transparent notice and controls over data practices and in minimizing information collection.
The codes of conduct being developed through the NTIA’s multi-stakeholder process differ from best practices. They entail binding promises to follow the terms of the code, rather than guidelines for good business practices. Furthermore, the AG Guidelines address more fair information practices (FIPs), and many more entities in the mobile ecosystem, than does the multi-stakeholder process. For these reasons, it remains to be seen whether the AG Guidelines will significantly influence the NTIA code of conduct.
The AG’s Office is also considering proposing amendments to expand California’s Online Privacy Protection Act, which currently requires high-level notice of websites’ and online services’ privacy practices. A high-ranking official in the California Attorney General’s Office indicated the day that the Guidelines were released that although the AG may recommend legislation, she will not propose codifying the Guidelines. However, it is possible that legislators may nonetheless introduce legislation modeled on the Guidelines.
The AG Guidelines offer a number of wide-ranging recommendations, which are primarily directed toward app developers, but also toward app platform providers, advertising networks, operating system developers and mobile carriers.
Overview of key recommendations
For app developers, the Report suggests the following high-level “best practices” (as well as more detailed specific recommendations):
- Create a data checklist to assess the personally identifiable data your app could collect, and use it to make decisions on your privacy practices, including what data you ultimately collect, how it is used, how long it is retained, with whom it is shared, how it is secured, and what choices you will give users about their data.
- Avoid or minimize collecting personally identifiable data for uses not related to your app’s basic functionality; avoid or limit the collection of sensitive information.
- Implement procedures for deleting personally identifiable user data that you no longer need.
The Guidelines encourage app platform providers to make app privacy policies conspicuously accessible from the app platform, so that they may be reviewed before a user downloads an app. Further, app platform providers should use the platform to educate users on mobile privacy and provide them with tools to report apps that do not comply with applicable laws, privacy policies or terms of service.
Moreover, operating system developers are encouraged to develop global privacy settings that allow users to control the data and device features accessible to apps, and mobile carriers are encouraged to leverage their ongoing relationship with mobile customers to educate them on mobile privacy, and particularly on children’s privacy. Both operating system developers and mobile carriers are encouraged to work together, and with other appropriate parties, to facilitate timely patching of security vulnerabilities.
Additionally, the Report suggests that the full range of Fair Information Practice Principles (FIPPs) developed by the Organization for Economic Cooperation and Development applies to data collected by mobile apps. These broad principles include transparency, purpose specification, collection limitation, use limitation, individual participation, data quality, security and accountability.
According to the Report, AG Harris consulted with a “broad spectrum of stakeholders” in developing the Guidelines, including app developers, app platform providers, advertising networks, operating system developers, mobile carriers, device manufacturers, security and privacy professionals, academics and privacy groups.
Thinking ahead . . .
Privacy issues raised by mobile apps have been a continued area of interest not only for the California AG’s Office, but also for the plaintiffs’ class action bar and the Federal Trade Commission. It is important for app developers, app platform providers, advertising networks, operating system developers, mobile carriers and all others in the mobile app ecosystem to stay abreast of privacy developments affecting mobile apps, to review and reassess their current mobile app privacy practices, and to begin considering how they can bring those practices more in line with FTC pronouncements and the CA AG’s Guidelines.
DLA Piper represents a coalition of leading media and technology companies that is committed to working with the CA AG and other regulators to develop a set of reasonable “best practices” for mobile app privacy, while ensuring that this does not stifle technological innovation or harm the mobile app economy.