California AG Issues Privacy Recommendations for the Mobile App Ecosystem

Today, the California Attorney General released the report, Privacy on the Go: Recommendations for the Mobile Ecosystem, which offers a series of consumer privacy recommendations for mobile app developers, platform providers, ad networks, and mobile carriers. According to the Attorney General, the recommendations exceed the protections afforded by existing privacy laws in certain instances and are intended to encourage all stakeholders in the mobile app ecosystem to consider privacy at the outset of the design process.

The recommendations in the report focus on the concept of “surprise minimization,” which entails minimizing surprises to app users that result from unexpected privacy practices. According to the report, the “obvious ways” that app developers can avoid unpleasant surprises include: (1) collecting only personal data that is necessary for the app’s basic functionality; and (2) providing users with a conspicuous, easy-to-understand privacy policy prior to download. Additional recommendations in the report include the following:

Developers: Maintain a checklist of all personal data that your app collects; use just-in-time “special notices” that will draw users’ attention to unexpected data practices.
Platform Providers: Make app privacy policies accessible from the app platform prior to download, and implement efforts to educate users on mobile privacy.
Mobile Ad Networks: Avoid out-of-app ads that modify browser settings or place icons on the mobile desktop; use app-specific or temporary device identifiers rather than interchangeable device-specific identifiers.
Operating System Developers: Develop global privacy settings that allow users to control the data and device features accessible to apps.
Mobile Carriers: Educate customers on mobile privacy, including children’s privacy (more information on the carrier recommendations is available here).

The report is the latest effort by the Attorney General to promote mobile app industry compliance with California’s Online Privacy Protection Act. In December, the Attorney General filed a lawsuit against Delta Airlines alleging that Delta violated state privacy laws by failing to post a privacy policy within its FlyDelta mobile app. The lawsuit was the first legal action following the Attorney General’s announcement in October 2012 that it sent notices to a number of app operators that their apps failed to comply with state privacy laws. These actions followed agreements reached in early 2012 between the Attorney General’s Office and seven mobile app platform providers, including Facebook, Apple, Google, and Amazon, to improve privacy protections on mobile apps.