On January 10, 2013, California Attorney General Kamala Harris issued a set of mobile privacy recommendations entitled Privacy on the Go, which were primarily targeted at mobile application or “app” developers, but also made suggestions for the entire mobile ecosystem. The guidelines are organized as a series of recommendations that, according to the Attorney General’s office, are intended to help app developers and others “consider privacy at the outset of the design process” and “encourage businesses to adopt privacy best practices.”
The recommendations extend beyond existing legal protections. Indeed, some recommendations resembled aspirational principles more than concrete requirements. The Attorney General has engaged in a series of activities intended to demonstrate that the California Online Privacy Protection Act of 2003 (CalOPPA) applies to mobile applications and websites, although that assertion has not yet been supported in court. These recommendations are only a portion of the Attorney General’s recent activity with regard to mobile privacy, which also includes California’s recent privacy actions against app developers and the Attorney General’s February 2012 “Joint Statement of Principles” with the seven leading mobile app platform providers—Amazon, Apple, Facebook, Google, Hewlett-Packard, Microsoft and Research in Motion. The Attorney General has signaled that, although advisory in form, she considers her work on mobile privacy to be de facto compulsory: where Privacy on the Go made recommendations for platform providers, it characterized those recommendations as part of the best practices that the platform providers agreed, in the February 2012 Statement of Principles, to help the Attorney General develop.
The guidelines suggested a number of practices for app developers who collect, use or retain “personally identifiable data” (PI data). The Attorney General defined PI data as any data linked to a person or persistently linked to a mobile device that can identify a person via personal information or identify a device via a unique device identifier. This data includes “unique device identifiers, geo-location (GPS, wifi, or user-entry), mobile telephone number, email address, user’s name, text messages or email, call logs, contacts or address book, financial and payment information, health and medical information, photos or videos, web browsing history, and apps downloaded or used.” This list is notably larger than the “personally identifiable information” category defined under CalOPPA, which defines PI in the more traditional way, such as first and last name, street or email address, telephone number or an identifier that permits physical or online contacting of a specific individual.
The guidelines asked app developers to review any PI data their apps could potentially collect, use or disclose to third parties, and create an internal checklist to help organize their data practices. The guidelines then suggested the following privacy practices (mirroring the Fair Information Practice Principles) for app developers:
- Special Notices: Developers should provide special notices (1) when an app collects, uses or discloses PI data outside of basic functionality, (2) when it collects “sensitive information” such as precise geo-location, financial and medical information, passwords, stored information such as contacts, photos and videos, and children’s information, (3) when it accesses call logs, contacts, text messages or certain sensitive device features, (4) when data practices change in unexpected ways, and (5) when the app discloses PI data to third parties for their own use. Special notices should:
  - appear in context and just-in-time;
  - explain intended data uses and recipients; and
  - provide a way for users to choose whether to allow collection or use of the data.
  As an alternative to special notices, app developers could issue a short privacy statement that highlights the potentially unexpected practices that would otherwise trigger special notices, and give users an easy way to control their privacy options.
- Data Minimization: App developers should avoid or limit collecting PI data not necessary for an app’s basic functionality. Apps should also avoid collecting “sensitive information.” App developers should use an app-specific or other non-persistent device identifier rather than a persistent, global and unique identifier. Finally, apps should have “privacy protective” default settings and give users control over collection of PI data not used for basic app functions.
- Data Retention: App developers should not retain PI data beyond the time necessary to complete that data’s function or beyond the time the developer disclosed. Developers should have procedures to delete data when they no longer need it.
- Access: App developers should develop mechanisms to give users access to the data the app collects and maintains about them.
- Data Security: App developers should secure PI data. At a minimum, they should (1) use encryption to transmit and store PI data (including email address and phone number), (2) limit their own employees’ access to PI data, and (3) comply with the Payment Card Industry Data Security Standard for payment card data.
- Accountability: App developers should appoint a person in their organization to be responsible for privacy compliance. Employees should receive privacy training at least annually, and new employees should receive it when hired.
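The Data Minimization item above asks for an app-specific or non-persistent identifier in place of a persistent global one. The following is an added illustration of that pattern, not code from the guidelines or from any platform SDK: a random, user-resettable per-install ID, plus an HMAC-scoped derivation for the case where a stable per-device value cannot be avoided. The per-app key (`app_key`) and the dictionary-backed store are assumptions standing in for app-private storage.

```python
"""Constructed example of app-scoped identifiers (not from Privacy on the Go
or any vendor SDK). Shows why an app-specific ID does not act as a global,
cross-app tracking identifier."""
import hashlib
import hmac
import uuid


def new_install_id() -> str:
    """Random per-install identifier: not derived from hardware, so it changes
    on reinstall or user reset and cannot be matched across apps."""
    return str(uuid.uuid4())


def app_scoped_id(global_device_id: str, app_key: bytes) -> str:
    """If a stable per-device value is unavoidable, scope it to one app with an
    HMAC under an app-specific key (assumed to live in app-private storage).
    Two apps holding different keys obtain unrelated values for the same
    device, so the result cannot be joined across apps."""
    mac = hmac.new(app_key, global_device_id.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()


class IdentifierStore:
    """Minimal stand-in for app-private storage (a dict). Real apps would use
    app-private preferences or a keychain; the point is the reset path."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def get_or_create(self, app_name: str) -> str:
        if app_name not in self._store:
            self._store[app_name] = new_install_id()
        return self._store[app_name]

    def reset(self, app_name: str) -> str:
        """User-initiated reset: the old identifier is discarded outright."""
        self._store[app_name] = new_install_id()
        return self._store[app_name]


if __name__ == "__main__":
    device = "DEVICE-ID-PLACEHOLDER"  # constructed, not a real identifier
    a = app_scoped_id(device, b"key-for-app-A")
    b = app_scoped_id(device, b"key-for-app-B")
    print("same device; app A:", a[:16], "app B:", b[:16], "equal:", a == b)
```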
The guidelines specifically referenced targeted and behavioral advertising, and recommended that ad networks follow the Privacy on the Go transparency and security recommendations, including encrypting the transmission of PI data.
- Notice in Privacy Policies: Ad networks should prepare privacy policies—similar to the policies of app developers—that describe practices involving the collection, use, sharing, disclosure and retention of PI data. They should provide this policy to any app developers who will enable delivery of targeted ads through their own ad network.
- Unique Notice Requirements for Ad Networks: Ad networks should provide information on the impact of their practices on app software development kits (SDKs).
- No Deceptive Behavior: Ad networks should not deliver ads outside the context of the app (e.g. by modifying browser settings or adding icons to the mobile desktop) without prior consent through enhanced measures.
- Opt-in Consent for Access to Personal Information on Mobile Device: Ad networks should not access personal information such as phone number, email address or name without prior consent through enhanced measures.
- App-Specific or Non-Persistent Identifier: Ad networks should use an app-specific or other non-persistent device identifier rather than a persistent, global and unique identifier.
- Data Security: Ad networks should use encryption to transmit permanent unique device identifiers and personal information such as email address or phone number.
Operating System Developers
Generally, the guidelines suggested that mobile OS developers should develop privacy settings that let users control the data and features accessible to apps across multiple apps, using “global” privacy settings. They should also collaborate with other parties to patch security vulnerabilities, develop privacy standards and create app developer tools.
The guidelines briefly suggested that mobile carriers should leverage their customer relationships to educate consumers about mobile privacy and, especially, children’s privacy.
App Platform Providers
The guidelines reminded platform providers of their February 2012 agreement under the Joint Statement of Principles and encouraged them to take the following steps:
- Platform providers should make apps’ privacy policies conspicuously accessible before download.
- Platform providers should educate app developers on their obligation to respect consumer privacy and make proper disclosures, and should educate consumers on app privacy, privacy choices and controls and privacy resources.
- Platform providers should provide effective tools for users to report non-compliant apps.
These recommendations from the California Attorney General are the most comprehensive guidelines from state or federal regulators. The admission that these recommendations exceed, at times, current legal requirements demonstrates that these guidelines may be aggressively aspirational, and enforcement risk may be minimal at this time. With that said, Privacy on the Go could easily be transformed from recommendations to legislative language. The California legislature has been a first mover on many privacy issues, and if these recommendations were to become state law, compliance in certain areas could prove challenging. For example, the recommendation that app developers use encryption in transit and storage of PI data – including device identifier, email address, or phone number – is technologically infeasible or prohibitively expensive at this time, without any clear increased privacy protection. The “app-specific identifier” recommendation could also be interpreted as an attempt to limit multi-site, multi-session behavioral advertising. These guidelines could be inconsistent with “Do Not Track” standards being designed in other multistakeholder fora.