California AG Releases Mobile App Guidelines; Industry Responds

Last week, California Attorney General Kamala Harris released a set of recommendations titled “Privacy on the Go” directed toward the mobile app industry that seeks to “educate the industry and promote privacy best practices.”  The guidelines separately address app developers, app platform providers, mobile ad networks, operating system providers, and mobile carriers. A coalition of advertising and marketing industry groups recently responded, criticizing the guidelines. The new guidelines are not groundbreaking, and mostly recast the FTC’s “privacy by design” approach and the OECD’s Fair Information Practice Principles. However, the guidelines are notable particularly in two regards. First, they recommend encryption for the transmittal of “personally identifiable information” – under a very broad definition that even includes a list of apps downloaded or used. Second, the guidelines introduce a new catchphrase into the privacy lexicon: “surprise minimization,” meaning an approach seeking to “minimize surprises to users from unexpected privacy practices.” To this end, the guidelines suggest avoiding collecting information that is not necessary for an app’s basic functionality, making available an app’s privacy policy before download, and supplementing the privacy policy with “enhanced measures to alert users and give them control over data practices that are not related to an app’s basic functionality or that involve sensitive information.” The guidelines list just-in-time notices as an example of the “enhanced measures.”

Although these guidelines do not carry the force of law, they should not be taken lightly because of Attorney General Harris’s recent focus on mobile apps. Late last year, the Attorney General warned nearly 100 app makers of the need to have a mobile privacy policy under her interpretation of CalOPPA, and brought suit against one company for failing to heed the warning. Considering that the California Justice Department added a Privacy Enforcement and Protection Unit in July 2012, it is likely that more privacy-focused enforcement actions will be initiated in the near future.

Industry Response

A coalition of seven advertising and marketing industry groups recently responded to the guidelines in a letter, objecting that there was no public notice and comment period and that neither the groups nor their members were consulted in preparing the guidelines. The letter summarizes the ad industry’s self-regulatory efforts to address mobile privacy and expresses concern that the guidelines “are unworkable,” “would lock in current business models,” and “thwart future innovation.” The letter also notes that the guidelines “are not grounded in any apparent legal authority, go well beyond existing requirements under California law, as well as Federal law.” Having industry consensus is certainly important, as demonstrated by the recent breakdown in negotiations over Do Not Track (which, notably, involved many of the same industry groups).

Summary of Guidelines

The guidelines suggest that a variety of stakeholders share responsibility for privacy outcomes. The following section distills a few of the key recommendations from the AG’s guidelines:

App Developers. The guidelines suggest that app developers begin app development with a checklist of personal information that the app could collect and make privacy decisions based on this list (i.e., privacy-by-design), avoid collecting personal information unnecessary for the app’s basic functionality, and make default settings “privacy protective” (i.e., FIPP collection minimization principle). The guidelines also suggest that apps have a clear and accurate privacy policy that is available both before a user downloads the app and in-app (i.e., FIPP transparency and accountability principles). The guidelines suggest the use of encryption in the transmittal of personally identifiable data (using the guidelines’ very broad definition, as noted above). Finally, the guidelines advocate the use of “special notices” (such as just-in-time notices) to alert users to data practices “that may be unexpected.”

App Platform Providers. Privacy policies should be accessible before a user downloads an app, and the platform should be used to educate users about mobile privacy. Users should be able to report apps that are noncompliant with the law.

Mobile Ad Networks. Ad networks should have a privacy policy, which is provided to app developers using the ad networks. Ads generally shouldn’t be displayed outside of an app; but if they are, they should clearly be attributed to the application responsible for the ad. User data should be transmitted securely using encryption, and if necessary, temporary (as opposed to permanent) device identifiers should be used. Moreover, “enhanced measures” should be used before accessing personal information.

Operating System Developers. Security vulnerabilities should be patched in a timely manner, and developers should work with mobile carriers to this end. Global privacy settings and overrides should be developed to allow users to have control over the use of personally identifiable information and hardware features that apps can access.

Mobile Carriers. Mobile carriers should educate their users regarding privacy protection and encourage users to review privacy choices available for apps. Carriers should also work with operating system developers to facilitate the patching of security vulnerabilities.