Privacy and Mobile Apps: California and the MMA lead 2012 with Privacy Announcements
This past month marked two notable announcements for privacy advocates. Most recently, the six major mobile app platform providers have agreed to take steps to improve privacy notification and protection in mobile apps. As a result of the agreement between these companies – Apple, Google, Microsoft, Amazon, Hewlett-Packard, and Research In Motion – and the California Office of the Attorney General, it is now clear that mobile app developers must include privacy policies in their apps.
California Attorney General Kamala Harris was behind the announcement, explaining that California’s Online Privacy Protection Act (Cal. Bus. & Prof. Code §§ 22575-22579) will now be applied to mobile apps. The law, which was enacted almost a decade ago, was one of the first of its kind in the United States. It requires commercial web sites or online services that collect personally identifiable information about consumers to, among other things, post a privacy policy that details the type of information that is gathered, how the information may be shared and how a consumer may review and make changes to their stored data. As a result of Harris’ announcement, it is now clear that this law also applies to mobile apps that collect information from California residents.
Harris has explained that developers and platform providers that do not comply with the law will be prosecuted under California's Unfair Competition Law and/or False Advertising Law, which carry penalties of up to $500,000 per use of the app in violation. During the course of her announcement, Harris explained that “if developers do not follow the privacy policies, we will sue.”
With the agreement of these six industry players, it now will be easier for mobile app developers to comply. This is largely because each of the six mobile platforms has agreed to redesign its app store or marketplace so that the text of the privacy policy for each app is visible on the store or there is a link to it on a web site. The companies then will be required to monitor that developers are following the guidelines.
This announcement comes only a short time after the Mobile Marketing Association (MMA) released its new guidelines for application privacy. The guidelines, called the “Mobile Application Privacy Policy Framework,” establish a baseline for mobile app developers to use when developing a privacy policy for mobile applications. As a result of the announcement in California, it is likely that developers will now be looking to the guidelines to determine the appropriate disclosures for their privacy policies, since it appears that they are now required in California.
MMA Privacy and Advocacy Committee co-chair Alan Chapell commented that the Framework offers “developers the foundation from which to craft a document that reflects the privacy practices of each of their apps and helps them stay in compliance with applicable law and industry standards.” The Framework walks through the most important disclosures for mobile app privacy policies, and advises that the following areas must be covered:
- Identify the type of information that is collected and used by the application
The Framework advises developers to consider all data that is used and collected, including automatic data collection, such as the IP address or the device ID, as well as information that is provided by the consumer during his or her use of the application, such as name or email address. Also, consider whether the app syncs with social media sites to draw data from these resources. The privacy policy should also explain how this data is used, and the Framework provides some sample language to assist developers.
- Address whether the application collects precise real-time location data
Next, the Framework advises that the privacy policy needs to identify whether the application collects precise real-time location information. If it does, the policy should explain how and why this is done in a way that is clear to the consumer. Also, it should explain if there is an opt-out.
- Identify and explain whether third parties have access to the data
The Framework also requires the policy to describe with whom the developer intends to share the data, and what third parties may have access to the data. This is an important section, as the disclosure and transfer of data to third parties is often a point of interest for both regulators and consumers. Given this, it is important to be clear, accurate and thorough. Developers should consider all transfer points, all access and disclosure points, and cover each one in this section. Here, the Framework urges application developers to work with privacy professionals and legal counsel to ensure the accuracy of this provision, although it does provide sample language for consideration.
- Explain the automatic data collection and advertising
Application developers should consider whether the app is ad supported and whether data is obtained by an ad network or other third party for the purposes of ad targeting. If it is, this needs to be explained in the policy. Any opt-out choices must also be listed.
- The user's opt-out rights
This section will be unique to the developer, the application and, if utilized, the ad network that is relied upon by the app. The Framework lists the opt-out options, which are: (i) opting out of all information collection by uninstalling the application; (ii) opting out of the use of information for serving targeted ads; and (iii) opting out of the use of location data.
- Data Retention Practices
Next, the privacy policy must explain the application developer’s data retention policy. How long does it maintain data? How can a user request that their data be deleted?
- Children
The collection of data from children under the age of thirteen is always a sensitive issue. Thus, the Framework focuses on this point and advises that each privacy policy should explain what, if any, data is collected from children under the age of thirteen. Developers should also consider the requirements of the Children’s Online Privacy Protection Act (COPPA) and ensure compliance with COPPA when administering an app aimed at children. In this regard, app developers who are targeting children are encouraged to work with legal counsel.
- Security
The privacy policy should identify the developer’s security procedures and how they intend to safeguard user information.
- Changes
The policy should explain how it will notify users of any change to the developer’s privacy practices.
- Consent
Finally, the Framework advises developers to obtain consent from users to the terms of the privacy policy. The proposed consent language provided by the MMA also addresses the data transfer in the United States. This provision also should identify a contact email for the developer, in the event the user has a question.
While the Framework provides a good foundation for mobile app developers, it is important to keep in mind that Chapell has also noted that the MMA urges “app developers to consult with their legal counsel when adapting these guidelines for their purposes.” Further, given the announcement from California, it is very likely that mobile app privacy policies will become a regulatory issue in the coming year, so it is important for mobile app developers to consider their data collection, use and storage practices carefully and confirm compliance with all the applicable requirements.
Arent Fox is monitoring these issues. Please contact Sarah Bruno or Anthony Lupo with questions.


