This post was also written by Joshua B. Marker and Timothy Nagle.
With the start of the new year, California has continued its push to take a leadership role in the realm of mobile privacy. The attorney general’s office recently released a mobile privacy best practices document, “Privacy On The Go: Recommendations For The Mobile Ecosystem,” designed to help all actors in the mobile environment understand and incorporate privacy principles from the outset. As with last year’s agreement with the application platform companies, this document aims to increase privacy compliance through voluntary participation. This is in contrast to the enforcement action, which we previously wrote about, filed by the attorney general against Delta Airlines last month.
The report has recommendations for all participants in the mobile ecosystem, including the application platform providers, advertising networks, operating system developers, and mobile carriers. But its main focus is on application developers, those individuals or companies who are actually developing the applications with which consumers interact directly.
The recommendations made are generally at a high-level, and reinforce principles that have been introduced over the past few years, including privacy-by-design, and accessibility of a privacy policy within the application itself. In order to incorporate privacy from the outset, it is suggested that a developer should start with a “data checklist.” This checklist is a series of questions that any person or company developing an application should be asking at the beginning of the process: What type of data is the application collecting? Is this data necessary for the application’s basic functionality? How is the data used and stored?
Additionally, the report acknowledges that its recommendations go beyond what the minimum legal requirements are today, and provides a glimpse of where privacy principles are headed. For example, the report introduces a concept referred to as “surprise minimization,” which essentially means that an application should minimize any unexpected privacy practices, such as the collection of information not needed for the application’s functionality. Beyond just the existence of a privacy policy, the report suggests using an easy-to-understand format, such as a layered privacy notice, or a “nutrition label for privacy.” Further, you may want to consider the use of special notices that are presented when the application uses or collects information that is outside of what is required for basic functionality, such as geo-location data. Finally, the report reflects an ever-expanding definition of personally identifiable information, some of which is unique to the mobile ecosystem, including unique device identifiers, and geo-location data, as well as a history of applications downloaded or used.
California’s best practices document provides much more information, and is a quick but useful read for any company that has, or will have, a consumer-facing mobile application. At the very least, it will provide you with the right questions to ask to ensure mobile privacy compliance in California.