California Attorney General Issues Mobile Industry Privacy Guidelines

This week, California Attorney General Kamala Harris further built on her high-profile 2012 campaign to improve privacy protection for consumers who use mobile devices[1] by issuing a report titled “Privacy on the Go“ (“Privacy Report”) which lists recommended best practices for app developers, mobile advertising networks, operating systems developers, app platform providers, mobile carriers and others in the mobile industry. The Privacy Report is not legally binding; however, it further highlights that consumer privacy is a top priority for California regulators and provides useful guidance on California regulators’ key privacy concerns relating to the mobile industry.

The Privacy Report’s key premise is that mobile device users tend to ignore traditional app privacy notices, because they are complex documents that are difficult to review on small screens. Harris encourages companies to: (1) consider privacy issues at the time they are designing products and services; (2) implement the Fair Information Practice Principles; and (3) adopt a “surprise minimization” approach to alert users about how their information is collected, used and disclosed and give them control over data practices not directly related to an app’s functionality or that involve sensitive information. Harris offers numerous industry-specific recommendations, including without limitation the following:

• Use special notices or privacy controls to draw users’ attention to data practices that may be unexpected (app developers)[2]
• Only collect data you need to operate the app (app developers)
• Obtain prior consent from users before obtaining/accessing personal information (app developers and ad networks)
• Create transparent privacy notices that accurately describe your collection, use and disclosure of consumers’ personally identifiable data (app developers and ad networks)
• Develop cross-platform privacy controls (operating system developers, mobile carriers and device manufacturers)
• Develop global privacy settings that users can use to set controls for personal information and that can be accessed by apps (operating system developers)
• Provide consumers with the opportunity to learn about apps’ privacy practices before downloading apps, and provide app users with tools to report non-compliant apps (app platform providers and ad networks)
• Educate customers on privacy protection (mobile carriers and app platform providers)
• Move away from unchangeable, device-specific identifiers and transition to temporary device identifiers (ad networks)
• Securely transmit user data using encryption for permanent unique device identifiers and personal information (ad networks)

Although the recommendations in the Privacy Report are not currently binding, they reflect a trend towards increasing privacy and data security legislation and increasing regulation of the mobile industry. App developers, mobile advertising networks, operating systems developers, app platform providers and mobile carriers may want to consider implementing these suggestions to stay ahead of the curve.

If you have any questions about how to comply with state or federal privacy laws or whether to implement the best practice recommendations in the Privacy Report, please contact Helen Christakos at helen.christakos@kayescholer.com.

[1] For more information about Attorney General Harris’ campaign, please see: http://www.carrmcclellan.com/california-likely-to-increase-number-of-enforcement-actions-against-app-developers-and-owners-for-privacy-and-data-security-law-breaches/.

[2] One way to do this is through privacy icons. For more information on privacy icons, please see: http://www.carrmcclellan.com/new-app-privacy-icons-supplement-traditional-privacy-notices/.