California AG Advocates “Surprise Minimization” to Protect Mobile Device Consumers from Unexpected Privacy Practices
Hailing her state as the “epicenter of modern innovation,” California Attorney General Kamala D. Harris has issued recommendations for app developers and providers, advertising networks and others as part of an effort to give consumers "meaningful information" about privacy choices on mobile devices. And while the AG has presented these as mere guidelines, attorneys say they are an indicator of things to come.
Among these recommendations is "surprise minimization," designed to avoid catching consumers off guard with data collection practices they may not have expected or would not have authorized had they had more information. "An obvious way to avoid such unpleasant surprises is to avoid collecting personally identifiable data from users that are not needed for an app's basic functionality," the report says.
Mobile devices present unique problems. They have user information that laptops do not, such as telephone call logs, text messages and a history of the user's location. Because they have smaller screens, it is more difficult to read the privacy-related information and make informed choices.
Another unique problem is the speed at which apps are being created as developers scramble to bring them to market. "Recent studies…have found that mobile apps did not provide users with privacy statements at all. This represents not just a failure in transparency, but it also suggests a lack of attention to the apps' privacy practices," the Attorney General’s report says.
Early last year the Attorney General announced a joint statement of principles endorsed by the major players in the app arena―Amazon, Apple, Facebook, Google and Research in Motion―in an effort to ensure apps comply with the California Online Privacy Protection Act. According to the report, all of these companies' app stores had implemented the principles, such as conspicuous posting of privacy policies and giving consumers the ability to report violations.
It will come as no surprise that the California AG is committed to increasing compliance with privacy laws and is pushing for greater attention to privacy rights. "Our recommendations, which in many places offer greater protection than afforded by existing law, are intended to encourage all players in the mobile marketplace to consider privacy implications at the outset of the design process," the report states. "They are also intended to encourage the alignment of architectural and functional decisions with the widely accepted Fair Information Practice Principles (FIPPs). The FIPPs form the basis for many privacy codes and laws in different parts of the world, including the federal Privacy Act of 1974 and the similar California Information Practices Act of 1977."
The report (available for download at http://oag.ca.gov/sites/all/files/pdfs/privacy/privacy_on_the_go.pdf?) offers fully explained recommendations, including:
o Use a checklist to review PII the app could collect
o Avoid or limit collecting PII not needed for the app
o Use tactics to draw attention to "unexpected" data practices
App Platform Providers
o Enable users to review app policies before downloading
o Use the platform to educate users on mobile privacy
Mobile Ad Networks
o Avoid out-of-app ads that modify browsers or install icons
o Move away from device- or app-specific identifiers
Operating System Developers
o Develop global policies that give users control over app features
o Educate customers on mobile privacy, particularly relating to children
Although Attorney General Harris has couched these as recommendations, companies should take them as more than mere suggestions.
“Because of its existing CalOPPA enforcement authority, the significant size and influence of the California economy (the world's 9th largest), and the very nature of mobile application usage not being fixed in one geographic location, California regulation or even mobile application best practices agreed to by businesses operating in California should be considered a least common denominator or minimum standard for mobile applications used elsewhere throughout the U.S. (and perhaps internationally, too),” wrote Drinker Biddle & Reath attorneys Douglas G. Bonner and Jennifer L. Oberhausen.
They go on to say that the recommended practices “are much broader than the possible mobile app transparency voluntary (and enforceable) code of conduct currently under discussion in the federal National Telecommunications and Information Administration (NTIA)-convened multistakeholder process. The California AG-recommended best practices are addressed primarily to app developers, though they include recommendations to all actors within the mobile ecosystem.”
“It remains to be seen,” Bonner and Oberhausen wrote, “which segments of the mobile application ecosystem elect to affirmatively respond to any of these recommendations with concrete actions, beginning with application developers, on whom the California AG appears to focus as the first potential ‘line of defense’ for mobile privacy protection. But given a demonstrated willingness by the California AG to enforce CalOPPA and other privacy laws, and assuming application platform providers and others continue to encourage cooperation with mobile privacy best practices, application developers will likely give serious consideration to implementation of many of these recommendations.”
Andrew Hoffman of the Information Law Group says that while the guidelines are not breaking new ground, they are notable in that they recommend encryption for the transmittal of personally identifiable information, under a very broad definition that even includes a list of apps downloaded or used. He said the “surprise minimization” aspect also is noteworthy.