California Attorney General Announces Privacy Protocol for App Developers

February 27, 2012

On Feb. 22, 2012, California Attorney General Kamala D. Harris released a “Joint Statement of Principles”1 with smartphone industry leaders (Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research In Motion) to clarify privacy protections for users of mobile applications (“apps”). According to the Attorney General, the principles are designed to improve compliance with California's Online Privacy Protection Act (“the Act”).

The Act requires an operator of a commercial website or online service that collects the personal data of users residing in California to “conspicuously post” a privacy policy detailing the kinds of information gathered, how the information may be shared with other parties and the process, if any, users can use to review and make changes to their stored information.

The Joint Statement sets forth five non-binding “principles” that could help simplify the process for safeguarding consumer privacy:

1. Where applicable law so requires, an app that collects personal data must conspicuously post a privacy policy. In a press release accompanying the Joint Statement,2 the Attorney General stated that developers who do not comply with their stated privacy policies can be prosecuted under California's Unfair Competition Law and/or False Advertising Law.

2. As part of the submission process for new or updated apps, platform companies should include optional data fields for app developers to insert the whole text of, or a hyperlink to, a complete privacy policy or a summary thereof. Platform companies should allow consumers to access that information if provided by the developers. The Attorney General’s press release states that the agreement will allow consumers to review privacy policies for their apps before downloading them.

3. Platform companies should implement a means for consumers to report apps that do not comply with applicable terms of service and/or laws.

4. Platform companies should implement a process for responding to reported instances of non-compliance with applicable terms of service and/or laws. Any action taken with respect to such an application will not limit law enforcement or regulatory action for alleged violation of applicable law.

5. Platform companies should continue to work with the Attorney General to develop best practices for mobile privacy in general and model mobile privacy policies in particular. The Joint Statement also calls for the parties to convene to evaluate privacy in the mobile space and the utility of education programs regarding mobile privacy within six months.

The Joint Statement states that it is not intended to impose legally binding obligations. However, it also states that it does not affect existing obligations under the law, and comes amid scrutiny at the federal3 and state level regarding the adequacy of privacy disclosures in the industry generally. App developers and others affected by the Act should review their practices and determine whether their policies should be modified or updated.



3 /Media.aspx?MediaID=13512&eID=13512

This article was originally published by Bingham McCutchen LLP.