Memo #26857

California Attorney General Publishes Recommendations for Developers of Mobile Applications



January 10, 2013

TO: PRIVACY ISSUES WORKING GROUP No. 2-13
COMPLIANCE MEMBERS No. 2-13
ADVERTISING COMPLIANCE ADVISORY COMMITTEE No. 2-13
SMALL FUNDS MEMBERS No. 3-13
TECHNOLOGY COMMITTEE No. 1-13

RE: CALIFORNIA ATTORNEY GENERAL PUBLISHES RECOMMENDATIONS FOR DEVELOPERS OF MOBILE APPLICATIONS

As you may recall, California’s Attorney General has been engaged in efforts to protect the privacy of on-line consumers, including when using mobile applications (apps). [1] Today the Attorney General published Privacy on the Go: Recommendations for the Mobile Ecosystem. [2] As noted in the document’s Executive Summary, the recommendations – many of which go beyond existing legal requirements – “are intended to encourage app developers and other players in the mobile sphere to consider privacy at the outset of the design process.” The document includes recommendations for app developers, app platform providers, mobile ad networks, operating systems developers, and mobile carriers. [3] The recommendations for app developers, which may be most relevant for members of the Institute, are as follows:

  • Start with a data checklist to review the “personally identifiable data” [4] the app collects and use it to make decisions on your privacy practices;
  • Avoid or limit collecting personally identifiable data not needed for the app’s basic functionality;
  • Develop a privacy policy that is clear, accurate, and conspicuously accessible to users and potential users; and
  • Use enhanced measures – “special notices” or the combination of a short privacy statement and privacy controls – to draw users’ attention to data practices that may be unexpected and to enable them to make meaningful choices.

Each of these recommendations, along with suggestions regarding how to implement them, is discussed in more detail in the document.

Tamara K. Salmon
Senior Associate Counsel

endnotes

[1]  See, e.g., Institute Memorandum No. 26680 (November 13, 2012), which discussed the Attorney General’s alerting developers of mobile applications to potential violations of California’s Online Privacy Act and the Privacy Enforcement and Protections Unit within the Office of the Attorney General.

[2]  This document is available on the Attorney General’s website at: http://oag.ca.gov/sites/all/files/pdfs/privacy/privacy_on_the_go.pdf.

[3]  While the document’s “Message from the Attorney General” notes that the recommendations were arrived at “after consulting a broad spectrum of stakeholders,” we understand that no representatives of the financial services or other industries that may communicate with their consumers via their mobile apps were included in the process. The stakeholders listed as participating in the process were: “mobile carriers, device manufacturers, operating system developers, app developers, app platform providers, mobile ad networks, security and privacy professionals, technologists, academics, and privacy advocates.”

[4]  “Personally identifiable data” is defined on p. 6 of the document as “any data linked to a person or persistently linked to a mobile device: data that can identify a person via personal information or a device via a unique identifier. Included are user-entered data, as well as automatically collected data.”