March 12, 2012
Privacy-on-the-Go: California Attorney General and
Major Mobile Application Platforms Agree to Privacy Principles for Mobile
Applications
By Cynthia J. Larose, CIPP/US and Jake Romero
Application developers have been put on notice by the State
of California. It is time to pay attention to user privacy and collection
of information from user devices.
In an effort led by the office of California Attorney General
Kamala D. Harris, the state has reached an agreement committing the six
largest companies offering platforms for mobile applications (commonly
referred to as “apps”) to a set
of principles designed to ensure compliance with California’s
Online Privacy Protection Act. The agreement with Apple Inc., Google Inc.,
Microsoft Corp., Amazon.com Inc., Hewlett-Packard Co., and Research In
Motion Ltd., who collectively represent over 95% of the mobile application
market, is significant for two reasons. First, it operates as an
acknowledgement that California’s Online Privacy Protection Act applies to
app developers as well as platform providers. Second, the agreement may
effectively create a minimum standard for disclosures and transparency with
regard to the collection of personal information by mobile applications.
Because of the global nature of the Internet, the law will apply to every
mobile app provided through the six firms’ app stores even though it is a
state law.
This alert includes a description of the principles
underlying this agreement, as well as certain best practices to help mobile
app developers ensure compliance. The full text of the agreement, as well
as comments from the Office of the Attorney General, can be accessed online
at http://ag.ca.gov/newsalerts/print_release.php?id=2630.
Mobile Applications and Data Privacy
The most
recent data from the Pew Research Center shows that 50% of
all adult cell phone owners have apps on their mobile phones, a percentage
that has nearly doubled over the past two years. This same survey also
indicated that approximately 43% of those surveyed purchased a phone on
which apps were already installed. Many of these mobile applications, in
order to facilitate the functionality of the app, allow the app developer
broad access to data held on the user’s mobile device. However, as noted by
Attorney General Harris in
a press conference announcing the agreement, many mobile
applications, including twenty-two of the thirty most popular apps, lack a
privacy policy to explain how much of the user’s data is accessible by the
developer, and how and with whom that data is shared.
California’s Online
Privacy Protection Act provides that “[a]n operator of a commercial
Web site or online service that collects personally identifiable
information through the Internet about individual consumers residing in
California who use or visit its commercial Web site or online service shall
conspicuously post its privacy policy on its Web site,” or in the case of
an operator of an online service, make that policy reasonably accessible to
those consumers. In entering into this agreement, the six major platform
providers have acknowledged that this requirement applies equally to mobile
app developers (as “online services”) and the platform providers have
agreed to, among other things, implement a means for users to report apps
that do not comply with this requirement and a process for investigating
and responding to those reports.
The New Privacy Standard and Ensuring Compliance
A likely outcome of this agreement is that compliance with
California’s Online Privacy Protection Act will become a minimum standard
for the mobile application industry, because even those developers located
outside the state of California will likely conclude that it is easier to
have a single policy that meets California’s requirements, rather than risk
inadvertent non-compliance.
To ensure compliance, developers or providers of mobile apps
that collect personal data from users’ mobile devices will be required to
have a privacy policy that meets the requirements set forth in Section
22575(b) of California’s Business and Professions Code (as an incorporated
portion of the Online Privacy Protection Act, Section 22575(b) can be
accessed in full by following the link provided above). Specifically, the
privacy policy must:
· Identify the categories of personally identifiable
information that the operator collects through the Web site or online
service about individual consumers who use or visit its commercial Web site
or online service and the categories of third-party persons or entities
with whom the operator may share that personally identifiable information.
· If the operator maintains a process for an individual
consumer who uses or visits its commercial Web site or online service to
review and request changes to any of his or her personally identifiable
information that is collected through the Web site or online service,
provide a description of that process.
· Describe the process by which the operator notifies consumers
who use or visit its commercial Web site or online service of material
changes to the operator’s privacy policy for that Web site or online
service.
· Identify its effective date.
In establishing a compliant privacy policy, an app developer
or provider should take great care to ensure that the descriptions and
processes contained therein match the actual operations of the company and
the information it collects, and the policy should be reviewed periodically
by both legal counsel and the app developer’s technical experts so that it
can be updated as necessary. The policy should be clear and easy to
understand, especially with regard to the collection and sharing of
personal data. For those companies who may be affected by this agreement
and already have a privacy policy in place, that policy should be reviewed
to determine whether it should be updated. Developers and platform
providers that do not comply with the law can be prosecuted under
California’s Unfair
Competition Law and/or False
Advertising Law, which has penalties of up to $500,000 per use of
the app in violation, Harris said. “If developers do not follow the privacy
policies we will sue,” she added.
Anticipated Developments
Per their agreement with Attorney General Harris, the six
major mobile app platforms will commence working with app developers to
ensure compliance and provide education regarding privacy and data sharing.
To increase awareness and promote transparency, mobile app developers will
be required, as part of the application for submitting an app to the platform,
to provide either a link to that developer’s privacy policy, a statement
describing the policy, or the full text of the policy itself. In each case,
a user who is considering downloading the developer’s app will be provided
access to the privacy policy associated with that app prior to downloading
it.
The six major platforms have agreed to reconvene within six
months to further evaluate any required changes, but no specific timeline
has been stated with regard to implementing the changes described above.
However, for mobile app developers who hope to continue to be a part of
this quickly growing and highly lucrative market, there may not be a more
opportune time to take advantage of the resources being provided on both a
state and industry level.
* * *
For more information regarding helpful resources available to
you or advice, please contact Cynthia Larose at (617) 348-1732 or at
CJLarose@mintz.com or Jake
Romero at (858) 314-1584, or any member of your Mintz Levin service
team.