Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Consumer Privacy

California Attorney General Releases Mobile App Guidance

James Denvil, an associate in our Washington office, contributed to this entry.

California Attorney General Kamala Harris is starting 2013 right where she left off in 2012: focusing on mobile device application (“app”) privacy.  On January 10, the Attorney General’s Privacy Enforcement and Protection Unit released Privacy on the Go: Recommendations for the Mobile EcosystemPrivacy on the Go encourages parties to minimize the potential for consumer surprise over privacy practices and contains recommendations for a variety of participants in the mobile device ecosystem.  To that end, Harris recommends that parties consider privacy issues from the outset of the design process and develop enhanced notice mechanisms that highlight unexpected data practices.  Privacy on the Go also encourages mobile carriers, operating system developers, and device manufacturers to work on cross-platform standards for privacy controls.

Harris acknowledges that many of the recommendations go beyond what is required by existing law, in hopes that Privacy on the Go will shape privacy practices in the rapidly growing mobile app ecosystem. 

Additional highlights from Privacy on the Go include the following: 

Recommendations for app developers 

  • Start the app development process by using a checklist that assesses an app’s data collection, use, and sharing practices.
  • Minimize the collection of personally identifiable data.
  • Develop accurate, conspicuous, and easy-to-understand privacy policies that are available to consumers prior to download.
  • Use enhanced notice mechanisms to highlight potentially unexpected data practices (e.g., collecting sensitive information, accessing text messages or call logs, or disclosing personally identifiable information that is not required for an app’s functionality).
  • Store personal data only as needed to perform the functions for which the data was collected. 
  • Make default settings of an app “privacy protective” (e.g., do not permit the automatic sharing of contact information by default). 

Recommendations for app platform providers 

  • Make the privacy policies of app developers available to consumers on the app platform.
  • Educate app developers about their privacy obligations and privacy best practices.
  • Educate consumers on mobile privacy by providing links to information on the app platform.  

Recommendations for mobile ad networks 

  • Provide a privacy policy to app developers associated with the network so that consumers may view the policy before they download or activate apps enabling the delivery of ads through the network.  
  • Avoid placing ads that appear outside the app (e.g., in notification bars or on the mobile desktop). 

Recommendations for operating system developers 

  • Develop global privacy settings within the operating system by which users can control whether apps can access personally identifiable data or alter system settings.  

Mobile carriers 

  • Educate mobile customers about privacy issues.
  • Work with operating system developers to address security vulnerabilities.