California's New Mobile App Privacy Guidelines Go Beyond The Law

"The mobile app industry is growing fast, but it is still in the early stages of development, with practitioners who are not all alert to privacy implications and how to address them. To help educate the industry and promote privacy best practices, the Attorney General’s Privacy Enforcement and Protection Unit has prepared Privacy on the Go: Recommendations for the Mobile Ecosystem. The recommendations, which in many places offer greater protection than afforded by existing law, are intended to encourage app developers and other players in the mobile sphere to consider privacy at the outset of the design process."  

California Attorney General Kamala Harris, writing in Privacy On The Go: Recommendations for the Mobile Ecosystem.

On Thursday, California Attorney General Kamala Harris released a 22-page report on mobile privacy intended to strengthen user protection and regulation. The document specifically calls for readable privacy policies, transparency in alerting users when third-party vendors collect their personal information, and an end to data collection that is not critical for the app to function.

"We are now offering this set of privacy practice recommendations to assist app developers, and others, in considering privacy early in the development process," Harris wrote in the report, which was completed after dialogue with mobile developers, carriers, manufacturers, advertisers and privacy experts. The report was prompted both by a recent directive from President Obama to define an online strategy to fight terrorism, and by Harris' own interest in how mobile apps collect user data.

In December 2012, Harris sued Delta Air Lines for violating California’s online privacy law and not informing people how their personal data is collected. Before that she was instrumental in getting Apple and Facebook to require that apps display privacy policies. 

Report Card

Harris' report recommends developers make clear to users the details of just what information they are collecting, how long they store it, and what third parties the data is shared with. It also asks ad networks to do away with tracking devices in favor of "using app-specific and/or temporary device identifiers," and create plain-language privacy policies that spell out all of the above in layman's terms. 

While having app makers follow these guidelines would clearly benefit consumers, the extra red tape probably won't sit well with most developers.

"In general that report is in line with common sense and I agree that apps should be more transparent. However, with the average price of apps being so low, developers and companies are forced to explore other monetization strategies which almost always involve selling user information to advertisers," said Jad Meouchy, a developer and founder of Osurv, a custom mobile survey app. "While I agree with all the directives, I don't see any way to enforce them."

Enforcement Is The Issue

That's the key issue right now. Since Harris' report goes above and beyond existing law, these recommendations are just that - recommendations - and are not enforceable by law. Still, they're a step in the right direction, towards transparency and broader awareness of information. Over time, it's likely that more states will draft their own recommendations - and even bills that could become mandates. 

The Future of Privacy Forum's director and co-chair, Jules Polonetsky, says California's recommendations could be a guideline for app makers. "As a best practices guide, the document is very reasonable, and many app developers already comply with the key points the reports make," he said. 

Polonetsky also liked the fact that the recommendations' tone and direction mirror the President's National Telecommunications and Information Administration (NTIA), which calls for a push towards improved telecommunications and information policy. "The guide also supports the direction that the NTIA multi-stakeholder process has taken and will be a useful input into the national effort to come up with an enforceable code of conduct for developers," he said. 

Where These Recommendations Go, The Law Is Likely To Follow

With more than half of the U.S. accessing the Internet via mobile devices, more than a million mobile apps available and roughly 1,600 new ones added every day, it's only a matter of time until recommendations like these become regulations. That doesn't have to be a bad thing -- especially if there is full communication between legislators, developers and consumers. 

"Our hope is that privacy-respectful practices such as those we are recommending here will be adopted by app developers and others, enabling consumers to make informed choices from the vast array of mobile apps while maintaining the level of privacy control they desire," the report states. "Our recommendations, which in many places offer greater protection than afforded by existing law, are intended to encourage all players in the mobile marketplace to consider privacy implications at the outset of the design process. They are also intended to encourage the alignment of architectural and functional decisions with the widely accepted Fair Information Practice Principles."

This may very well be the year that the U.S. government steps up to the plate and hammers out laws that actually make sense for all parties concerned. Harris' plan is a good step towards that goal.

