This month, the state of California sued Delta Air Lines in a very big way for failure to comply with the California Online Privacy Protection Act (CalOPPA). The suit alleges that the Fly Delta mobile app lacked a conspicuous, accurate privacy policy, and seeks up to $2,500 for each download. Delta quickly threw up a policy (though researchers have already found flaws in it), but the suit stands, and the potential damages are very real.
The really dumb thing is that this lawsuit never should have happened. Delta was given 30 days notice by the state of California, and it still couldn’t make the deadline. There’s no excuse for that. It’s a privacy policy, made of words, not code. Delta – and any company in that position – should have had a policy up within a week.
So consider this your company’s official notice. If you don’t have a privacy policy for your mobile apps, write one today. Here are some tips to get started:
Step 1: Review Your App
Get your app developers and your spec together and perform a 6-step review:
1. Document any collection of personally identifiable information (PII). PII can include but is not limited to:
- Name
- Physical (mailing) or Email Address
- Phone Number
- IP Address
- Current Location
2. Note whether any of the PII your apps collect (for example, a social security number) is more sensitive than others, and any special steps you take when collecting it.
3. Take special note of your target age range. If your apps knowingly collect information from users under 13, consult your attorney before continuing.
4. List all the parties (such as ad networks and technology partners) who have access to PII and how it will be used.
5. List all user profile control options: can users request, view, edit or delete their information?
6. Outline data retention and disposal policies for all user data, paying particular attention to canceled accounts.
Step 2: Write Your Policy
With that in hand, it’s time to write your policy. If you have an attorney on staff with the requisite experience, start there. If not, there are lots of free templates and tools like the Privacy Choice policy maker to get you started. Customize as you see fit. (There are also plenty of paid services that specialize in privacy policies.)
If you have a privacy policy for your website, you’ve already done most of the work. Your job now consists of identifying the ways in which your app is different from your website, then displaying your policy in a succinct manner that mobile customers will actually read. The Center For Democracy and Technology (CDT) has an excellent, free resource called Best Practices for Mobile Application Developers that will help smooth out the edges.
Step 3: Review Your Policy
In all the prettying up, you may have misinterpreted some facts. Run the finished policy past your developers. Then compare your policy to those mandated by any of the app stores that will be distributing your app. The CDT document has some good summaries, but you’ll want to check the most recent terms from the stores themselves.
Step 4: Get Certified (Optional)
If you really want peace of mind, take the next step and get your app certified by TRUSTe. It’s not strictly necessary (Google doesn’t even require a privacy policy – but California does, so write one!), but it provides users with an additional layer of confidence, and verifies that you’ve done your job right.
Having a mobile app privacy policy doesn’t guarantee you won’t get into trouble. But not having one is just asking for litigation.
Lead image courtesy of Shutterstock.