attorney general recently released a set of privacy practice recommendations
for app developers
The recommendations, which the California AG acknowledged offer greater protection than existing privacy law,
are not legally binding. However, since the AG is charged with enforcing the
California Online Privacy Protection Act (OPPA), the recommendations provide
insight into how that law may be interpreted in connection with privacy
investigations and enforcement actions. And since any app that collects data
from California users must comply with the requirements of OPPA, the scope of
that law is broad and, like the federal Children’s Online Privacy Protection
Act, which we recently analyzed, these recommendations could have far-reaching effects that must be seriously
into law by the state legislature in 2003, OPPA requires a “conspicuously
information” from consumers. The policy must identify what information will be
collected, explain how users can edit personal information, describe how users
date. The California AG commenced a suit against Delta Airlines in 2012
alleging that Delta failed to properly clarify what personal information it
collects and what it does with that information. A second lawsuit against another developer
is expected in the coming months.
new recommendations were targeted at a variety of parties, but app developers
were the primary focus. The California AG suggested developers (1) use a data
checklist to review what personally identifiable data an app could collect and
use it to make decisions on privacy practices, (2) not collect any personally
identifiable data not needed for an app’s basic functionality, (3) develop a
privacy controls to identify collected data not needed for basic app
ad networks and app platform providers also received a fair amount of guidance.
to app developers to enable targeted ad delivery through the network, and move
away from unchangeable device-specific identifiers and transition to
app-specific or temporary device identifiers. Platform providers were
instructed to make privacy policies accessible from the app platform so a user
could review them before downloading any apps and to generally use the platform
to educate users on mobile privacy.
the California AG made limited recommendations to operating system developers
and mobile carriers. Operating system developers should create global privacy
settings to allow users to control the data and device features accessible to
apps, while mobile carriers ought to leverage their customer relationships to
educate on mobile privacy.
new recommendations force virtually any company in the “app space” to
reconsider their privacy and data collection practices and consider whether or
not those policies comply with the California AG’s views on how privacy
policies should be scoped and implemented. Since nearly all mobile apps can be
accessed and used by California users, any developer whose app collects
information from users should take notice.