California AG Advocates “Surprise Minimization” to Protect Mobile Device Consumers from Unexpected Privacy Practices

California AG Advocates “Surprise Minimization” to Protect Mobile Device Consumers from Unexpected Privacy Practices

Hailing her state as the “epicenter of modern innovation,” California Attorney General Kamala D. Harris has issued recommendations for app developers and providers, advertising networks and others as part of an effort to give consumers "meaningful information" about privacy choices on mobile devices. And while the AG has presented these as mere guidelines, attorneys say they are an indicator of things to come.

Among these recommendations is "surprise minimization," designed to avoid catching consumers off guard with data collection practices they may not have expected or would not have authorized had they had more information. "An obvious way to avoid such unpleasant surprises is to avoid collecting personally identifiable data from users that are not needed for an app's basic functionality," the report says.

Mobile devices present unique problems. They have user information that laptops do not, such as telephone call logs, text messages and a history of the user's location. Because they have smaller screens, it is more difficult to read the privacy-related information and make informed choices.

Another unique problem is the speed at which apps are being created as developers scramble to bring them to market. "Recent studies…have found that mobile apps did not provide users with privacy statements at all. This represents not just a failure in transparency, but it also suggests a lack of attention to the apps' privacy practices," the Attorney General’s report says.

Early last year the Attorney General announced a joint statement of principles endorsed by the major players in the app arena―Amazon, Apple, Facebook, Google and Research in Motion―in an effort to ensure apps comply with the California Online Privacy Protection Act. According to the report, all of these companies' app stores had implemented the principles, such as conspicuous posting of privacy policies and giving consumers the ability to report violations.

It will come as no surprise that the California AG is committed to increasing compliance with privacy laws and is pushing for greater attention to privacy rights. "Our recommendations, which in many places offer greater protection than afforded by existing law, are intended to encourage all players in the mobile marketplace to consider privacy implications at the outset of the design process," the report states. "They are also intended to encourage the alignment of architectural and functional decisions with the widely accepted Fair Information Practice Principles (FIPPs). The FIPPs form the basis for many privacy codes and laws in different parts of the world, including the federal Privacy Act of 1974 and the similar California Information Practices Act of 1977."

The report, available for download at― http://oag.ca.gov/sites/all/files/pdfs/privacy/privacy_on_the_go.pdf?―offers fully explained recommendations including:

App Developers

o Use a checklist to review PII the app could collect

o Avoid or limit collecting PII not needed for the app

o Conspicuously post a clear and accurate privacy policy

o Use tactics to draw attention to "unexpected" data practices

App Platform Providers

o Enable users to review app policies before downloading

o Use the platform to educate users on mobile privacy

Mobile Ad Networks

o Avoid out-of-app ads that modify browsers or install icons

o Share your privacy policy with developers

o Move away from device- or app-specific identifiers

Operating System Developers

o Develop global policies that give users control over app features

Mobile Carriers

o Educate customers on mobile privacy, particular relating to children

Although Attorney General Harris has couched these as recommendations, companies should take them as more than mere suggestions.

“Because of its existing CalOPPA enforcement authority, the significant size and influence of the California economy (the world's 9th largest), and the very nature of mobile application usage not being fixed in one geographic location, California regulation or even mobile application best practices agreed to by businesses operating in California should be considered a least common denominator or minimum standard for mobile applications used elsewhere throughout the U.S. (and perhaps internationally, too),” wrote Drinker Biddle & Reath attorneys Douglas G. Bonner and Jennifer L. Oberhausen.

They go on to say that the recommended practices “are much broader than the possible mobile app transparency voluntary (and enforceable) code of conduct currently under discussion in the federal National Telecommunications and Information Administration (NTIA)-convened multistakeholder process. The California AG-recommended best practices are addressed primarily to app developers, though they include recommendations to all actors within the mobile ecosystem.”

“It remains to be seen,” Bonner and Oberhausen wrote, “which segments of the mobile application ecosystem elect to affirmatively respond to any of these recommendations with concrete actions, beginning with application developers, on whom the California AG appears to focus as the first potential ‘line of defense’ for mobile privacy protection. But given a demonstrated willingness by the California AG to enforce CalOPPA and other privacy laws, and assuming application platform providers and others continue to encourage cooperation with mobile privacy best practices, application developers will likely give serious consideration to implementation of many of these recommendations.”

Mayer Brown’s John Nadolenco says “the report offers significant insight into the California AG’s outlook and planned direction for the industry, and it is expected that the report’s recommendations will be incorporated in some fashion into future enforcement actions . . . The California AG’s office has maintained an active enforcement presence in the area of Internet privacy. Last year, that office created a dedicated unit that focuses on prosecuting perceived violations of state and federal privacy laws. As it stands now, the California AG can bring enforcement actions under the California Online Privacy Protection Act, which requires commercial players in the online-services industry to post a visible privacy policy informing users how the site or app collects and uses personally identifiable information. While the industry waits to see exactly what enforcement actions the California AG will pursue, the plaintiffs’ bar likely will push the limits of current California law—including by arguing that the Attorney General’s ‘best practices’ are enforceable statements of California public policy that give rise to claims under California’s infamous Unfair Competition Law. Accordingly, all companies in the industry will be well served by evaluating the disclosures they make to users—and how they make them.”

Andrew Hoffman of the Information Law Group says that while the guidelines are not breaking new ground―they are notable in that they recommend encryption for the transmittal of personally identifiable information―under a very broad definition that even includes a list of apps downloaded or used. He said the “surprise minimization” aspect also is noteworthy.

“Although these guidelines do not carry the force of law, they should not be taken lightly because of Attorney General Harris’s recent focus on mobile apps. Late last year, the Attorney General warned nearly 100 app makers of the need to have a mobile privacy policy under her interpretation of CalOPPA, and brought suit against one company for failing to heed the warning. Considering that the California Justice Department added a Privacy Enforcement and Protection Unit in July 2012, it is likely that more privacy-focused enforcement actions will be initiated in the near future.”