A lot has happened in the (cough) months since our last post, but privacy actions have to be right at the top of the list of recent occurrences that worry our clients.  Take, for example, the FTC's new report on mobile application privacy and children, wherein the FTC found that:

  • 59 percent of the apps reviewed transmitted device ID, geolocation, or phone number to the developer, an advertising network, analytics company or other third party.

  • Only 11 percent of the apps disclosed that the app transmitted such data

  • 58 percent of the apps reviewed contained advertising within the app

  • Only 9 percent disclosed that the app contained advertising

  • 22 percent of the apps reviewed contained links to social media

  • Only 9 percent disclosed that fact

Troubling for responsible pubs/devs and regulators alike.  But that's not all.  The Center for Digital Democracy has filed a complaint with the FTC against Mobbles Corporation for violations of the Children's Online Privacy Protection Act.

The FTC's not the only one getting in on the act.  California Attorney General Kamala D. Harris has filed the first legal action under California’s online privacy law against Delta Airlines for failing to comply with the state’s Online Privacy Protection Act.

So what do you need to know/do to avoid privacy-related issues?  Here's a brief, non-exhaustive list of thoughts:

  1. Have a privacy policy.  It's not just a good idea, it's the law.  See, e.g., Cal. Bus. and Prof. Code 22575 and 15 U.S.C. 6502. 
  2. Make your policy easy to find from within your game/app.  California's privacy law requires that the policy be disclosed "conspicuously."  The exact definition of "conspicuous" is a grey area, but as of today, general practice is either to include the whole policy within the game/app or to host the policy on a generally-accessible website and provide a link to that website within the game/app.  Whatever you do, though, do not bury the policy/link so deep that no one can find it. 
  3. COMPLY WITH YOUR POLICY.  This is where a lot of companies get into trouble.  Sometimes it's because the policy hasn't been updated to reflect what the business is doing.  Other times companies use boilerplate policies or "borrow" from other policies that are available on the web.  Both are bad ideas.  Your policy should reflect your business, your systems and technologies, and your revenue and monetization practices.  If your policy is not customized to what you are doing, you're not protecting yourself adequately.
  4. Regularly review your policy, and update it as necessary.  Too many times a policy that was accurate years ago does not sync up with your activities today.  We recommend that you review your privacy practices and your policy at least once a quarter to ensure compliance with your own promises.
  5. Be clear about changes.  When making changes to your policy, call them out so consumers can understand what you're doing.  Burying changes increases the risk that the changes will not be given effect if you end up in court.
  6. Get evidence of assent.  Speaking of court, whenever possible obtain evidence of assent from users to your privacy policy.  So-called "browsewrap" agreements are disfavored in court, and may be given little or no effect (especially if the terms are somewhat one-sided).  Obtaining evidence of consent can be done through account creation mechanisms, which you are probably already doing if you are collecting personally identifiable information.  So make sure that your privacy policy is included in what the user agrees to - you do not want to be left "legally naked."