Earlier this week the Office of the Attorney General for the State of California announced an agreement with leading operators of app platforms to implement privacy principles in the app ecosystem. These principles would require mobile app privacy policies or statements to be presented to the consumer in a consistent way prior to the downloading of the app and would require app stores to create a complaints process.
The California agreement was overshadowed in the press by the White House’s announcement of a Consumer Privacy Bill of Rights and the release of its report entitled “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy,” which I previously blogged about. However, the California agreement could result in significant changes to the way in which privacy policies are presented in the app ecosystem and the ability of consumers to navigate those data privacy policies and complain about privacy practices of apps.
The California Attorney General stated that the majority of mobile apps did not have a privacy policy and that the agreement would bring the industry in line with California law. The Attorney General cited the California Online Privacy Protection Act (“OPPA”) which states that “[a]n operator of a commercial web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial web site or online service shall conspicuously post its privacy policy on its Web site, or in the case of an operator of an online service, make that policy available” in accordance with the provisions of OPPA. The California Attorney General’s position appears to be that OPPA requires privacy policy disclosure regarding apps at the point of download.
The agreement sets out five principles:
- A privacy policy or statement regarding the app's privacy practices must be conspicuously posted. The policy or statement must describe how personal data is collected, used and shared.
- New and updated apps must have either (a) an optional data field for a hyperlink to the privacy policy or statement or (b) an optional data field for the text of the privacy policy or statement. Access to a hyperlinked privacy policy or statement must be available from the app store.
- App stores must provide consumers with a means to report apps that do not comply with applicable terms of service and/or laws.
- App stores must develop and implement a process for responding to reported instances of non-compliance with applicable terms of service and/or laws.
- Within six months, the operators of app platforms will reconvene to evaluate privacy in the mobile space, including the utility of education programs regarding mobile privacy.
