On February 22, California Attorney General Kamala Harris announced a privacy agreement concerning mobile software applications with the six largest mobile application platform providers — Apple, Google, Microsoft, Amazon, Hewlett-Packard and Research In Motion. This agreement effectively creates regulatory standards for implementing privacy policies within the mobile software application industry. Harris allegedly will sue under California law to enforce these regulatory standards, which allegedly apply nationwide (wherever a single Californian may be affected by a mobile software application).

Under the agreement, mobile software application developers must provide users the opportunity to review a privacy policy in the mobile application marketplace prior to downloading a mobile application. Additionally, the agreement creates a mechanism through which consumers can report mobile software application developers who do not provide privacy policies.

Coming on the heels of multiple reported instances of mobile application developers gathering consumer data, some without informing users or gaining permission, this agreement allegedly is intended to force the mobile software application industry into compliance with California’s current privacy law, which requires parties collecting personal information to publish a privacy policy and abide by it. Specifically, on February 7, reports surfaced that the iPhone version of popular social media software application Path downloaded a user’s address book in an unencrypted state without the user’s permission.

Harris has alleged that more than half of the mobile software applications in existence do not have privacy policies, and this agreement is an attempt to put all mobile application developers on notice.

There is no set deadline by which mobile application developers must comply with the agreement, but Harris indicated that the six platform providers who are party to the agreement will reconvene in six months to assess the state of privacy within the mobile software application industry.

WHAT DOES THIS MEAN TO YOU? If your company distributes mobile applications, we suggest that you consider the following steps:

  1. Develop a privacy policy that provides clear and complete information concerning how personal data is collected from the mobile application, how that information is used, and with whom it is shared.
  2. Contact the resellers of your mobile application and find out what mechanisms they have to help you comply with this new law. Resellers of mobile software applications likely will have an easy-to-use procedure to allow you to post a privacy policy for your mobile application. If possible, consider having users click “I agree” to show affirmative consent.
  3. Maintain a link to this privacy policy on your primary website.
  4. Note that a mobile software application privacy policy likely differs from a website privacy policy, so in developing respective privacy policies, make sure to account for specific technology used/information gathered by each mobile software application.
  5. Reconsider what notice you will provide users of changes to your privacy policy and terms of use. For many years it was common for U.S. businesses to reserve the right to change a privacy policy and/or terms of use at their discretion without notice. Accordingly, the standard language in most terms of use and privacy policies was to put the responsibility on the user to check the terms of use “frequently” to confirm that the policy had not changed.

The trend at this point is away from this practice, certainly with respect to retroactive changes. Many companies are now asking their users to routinely click that they have read and agree to the changes in their terms of use and privacy policy.