The California Attorney General has released Privacy On the Go: Recommendations for the Mobile Ecosystem. In this new privacy document, the California Attorney General provides privacy recommendations for:
- app developers
- app platform providers
- advertising networks
- others
as well as guidance on the California Online Privacy Protection Act.
According to the AG:
- California law requires mobile apps that collect personal information to have a privacy policy. The principles include making an app’s privacy policy available to consumers on the app platform, before they download the app.
- Recognizing that the legally required general privacy policy is not always the most effective way to get consumers’ attention, Privacy on the Go recommends a “surprise minimization” approach. This approach means supplementing the general privacy policy with enhanced measures to alert users and give them control over data practices that are not related to an app’s basic functionality or that involve sensitive information.
Recommendations for app developers include:
- Start with a data checklist to review the personally identifiable data your app could collect and use it to make decisions on your privacy practices.
- Avoid or limit collecting personally identifiable data not needed for your app’s basic functionality.
- Develop a privacy policy that is clear, accurate, and conspicuously accessible to users and potential users.
- Use enhanced measures – “special notices” or the combination of a short privacy statement and privacy controls – to draw users’ attention to data practices that may be unexpected and to enable them to make meaningful choices.
The AG previously (2012) announced a Joint Statement of Principles, endorsed by major players in the mobile app market (such as Amazon, Apple, Facebook, Google, HP, Microsoft, and RIM), to ensure that mobile apps comply with the California Online Privacy Protection Act; the principles include conspicuous posting of a privacy policy by mobile apps.
In the 2013 guidance document, the AG recommends minimizing surprises to users from unexpected privacy practices. As one example, the AG cites avoiding the collection of personally identifiable information not needed for the app’s basic functionality, as well as making the app’s privacy policy easy to understand and readily available before the app is downloaded.
Key definitions include:
- Personally identifiable data are any data linked to a person or persistently linked to a mobile device: data that can identify a person via personal information or a device via a unique identifier. Included are user-entered data, as well as automatically collected data.
- Sensitive information is personally identifiable data about which users are likely to be concerned, such as precise geo-location; financial and medical information; passwords; stored information such as contacts, photos, and videos; and children’s information.
- Short privacy statement is a privacy policy designed to be read on a mobile device, highlighting data practices that involve sensitive information or are likely to be unexpected because they involve data not required for an app’s basic functionality.
- Privacy controls are settings available within an app or an operating system that allow users to make or revise choices offered in the general privacy policy about the collection of their personally identifiable data.
- General privacy policy is a comprehensive statement of a company’s or organization’s policies and practices related to an application, covering the accessing, collecting, using, disclosing, sharing, and otherwise handling of personally identifiable data.
Contact a skilled privacy and security attorney to draft a compliant privacy policy for your mobile application or website. Often privacy issues dovetail with confidentiality issues such as HIPAA and HITECH compliance relating to personal health information (PHI). Our privacy and security legal team can assist you with compliance needs in your growing healthcare practice or business.

