“Mobile devices are subject to the privacy risks of the online world,” stated California Attorney General (AG) Kamala D. Harris (D) as she introduced her office’s recommendations for mobile app privacy, “PRIVACY ON THE GO: RECOMMENDATIONS FOR THE MOBILE ECOSYSTEM.” Harris' report is part of an effort by her office and the AG's Privacy Enforcement and Privacy Unit to encourage businesses to adopt privacy best practices for any interactions with California consumers.

The AG acknowledged that the recommendations are not legally binding, but the Marketing Research Association (MRA) and others are concerned that the guidelines may not have been fully vetted -- and if used as a guide for the AG's enforcement efforts, may go well beyond California law. The AG's office has already been involved in the mobile apps privacy space, coming to agreement with app platform providers and stepping up enforcement on mobile apps of California's law requiring online privacy policies, including a recent lawsuit against Delta Airlines.

AG Harris also noted her office's ongoing participation in the National Telecommunications and Information Administration (NTIA) multistakeholder process for mobile apps privacy, with which MRA is also engaged. While the AG’s recommendations cover a broader range of mobile privacy issues than NTIA is expected to address, the AG hopes that the document is useful to the process -- and MRA expects this report to be discussed at length at the next NTIA meeting on January 17.

MRA provides this summary and highlights for everyone in the survey, opinion and marketing research profession involved in the mobile apps ecosystem.

Executive Summary

  • Recommends greater protection than existing law.
  • Intends to encourage app developers and others in the mobile space to consider privacy at the outset of the design process (known as “privacy by design”).
  • Mobile app industry is still in the early stages of development; practitioners are not all alert to privacy implications and how to address them.
  • Recognizes that legally required general privacy policies are not always the most effective way to get consumers’ attention.
  • Offers a “surprise minimization” approach: Supplementing the general privacy policy with enhanced measures to alert users and given them control over data practices: (1) that are not related to an app’s basic functionality; or (2) that involve sensitive information.

Highlights of the Recommendations for specific mobile interest areas
For App Developers:

  • Start with a data checklist to review the personally identifiable data your app could collect and use it to make decisions on your privacy practices.
  • Avoid or limit collecting personally identifiable data not needed for your app’s basic functionality.
  • Develop a privacy policy that is clear, accurate, and conspicuously accessible to users and potential users.
  • Use enhanced measures, such as “special notices”, or the combination of a short privacy statement and privacy controls, to draw users’ attention to data practices that may be unexpected and to enable them to make meaningful choices.

For App Platform Providers:

  • Make app privacy policies accessible from the app platform so that they may be reviewed before a user downloads an app.
  • Use the platform to educate users on mobile privacy.

For Mobile Ad Networks:

  • Avoid using out-of-app ads that are delivered by modifying browser settings or placing icons on the mobile desktop.
  • Have a privacy policy and provide it to the app developers who will enable the delivery of targeted ads through your network.
  • Move away from the use of interchangeable device-specific identifiers and transition to app-specific or temporary device identifiers.

For Operating System Developers:

  • Develop global privacy settings that allow users to control the data and device features accessible to apps.

For Mobile Carriers:

  • Leverage your ongoing relationship with mobile customers to educate them on mobile privacy and particularly on children’s privacy.

As MRA discussed in relation to the most recent NTIA multistakeholder meetings on mobile apps privacy, definitions will be key. Here are some definitions AG Harris outlines in the report:

  • Personally identifiable data: any data linked to a persona or persistently linked to a mobile device: data that can identify a person via personal information or a device via a unique identifier. Includes user-entered data and automatically collected data.
  • Sensitive information: personally identifiable data about which users are likely to be concerned, such a precise geo-location; financial and medical information passwords; stored information such as contacts, photos and videos; and children’s information.
  • Special notice: timely, contextual notice that alerts users to a data practice that is likely to be unexpected because it involves sensitive information or data not required for an app’s basic functionality.
  • Short privacy statement: a privacy policy designed to be read on a mobile device, highlighting data practices that involve sensitive information or are likely to be unexpected because they involve data not required for an app’s basic functionality.
  • General privacy policy: a comprehensive statement of a company’s or organization’s policies and practices related to an application, covering the accessing, collecting, using, disclosing, sharing, and otherwise handling of personally identifiable data.