California Attorney General’s office releases privacy guidelines for mobile app developers

California Attorney General Kamala Harris’ office released today an official set of privacy guidelines for mobile app developers. The report calls for developers to post a standard privacy policy, to use “special notices” to alert users when an app may be using data in a way the user may not expect (for example, when an app asks to use the user’s location), and to use similar notices when an app collects other private information that may be deemed sensitive. The report is an effort to enforce the California Online Privacy Protection Act (OPPA), which went into effect in 2004 and requires mobile app developers that collect data about California users to “conspicuously post” a privacy policy that discloses what information is collected and how it will be used.

Notable recommendations in the 23-page report include limiting data collection and retention, avoiding global device identifiers that could be correlated across apps, using encryption when handling data, limiting employee access to users’ personal data, and designating an employee to periodically review an app’s privacy practices to ensure that the policy remains up to date. Most of these recommendations are aimed at mobile app developers, but some are directed at other types of companies, such as app stores, advertising networks and wireless carriers.

The state also asks that privacy policies be made easier to read and understand. One solution the report suggests is presenting privacy information in a format like a “grid or ‘nutrition label for privacy’ format that displays your privacy practices by data type.”

Keep in mind that these suggestions are, in the end, just suggestions. The authority to regulate mobile data practices in California still rests on OPPA, and most of the suggestions in the AG’s report aren’t actually in OPPA. So long as a mobile app developer writes a privacy policy that accurately describes its data practices and posts it somewhere in the app where a user can easily find it, the developer is in the clear. The Federal Trade Commission recently updated its decade-old child online privacy rules, but explicitly exempted app “platforms” such as the Apple App Store and Google Play.

Assistant Attorney General Travis LeBlanc told Ars Technica that the state plans to follow up on the report with training sessions in the spring, targeting smaller developers that don’t have the budget to hire full-time privacy experts to write privacy policies. LeBlanc added that the state expected to file another lawsuit in the next month or two against a mobile app developer that had failed to comply with OPPA’s conspicuous privacy policy requirements.

Morgan Reed, executive director of the Association for Competitive Technology and founder of ACT 4 Apps, spoke out in support of these efforts.

“ACT appreciates the Attorney General’s ongoing efforts to improve app privacy awareness,” said Reed in a statement. “We are encouraged by the AG’s emphasis on non-legislative efforts, like developer and consumer education, to improve the mobile ecosystem. The introduction of the ACT 4 Apps Initiative will expand ACT’s efforts to raise developer awareness and engagement in app privacy and data transparency. Development of best practices is essential to support continued innovation and growth in the app marketplace.”

ACT, an advocacy and educational organization, introduced App Privacy Icons in October 2012 in an effort to provide consumers and developers with information about the privacy settings and features of apps.