App developers, here are 23 pages of suggestions from CA’s new privacy cops

Report is designed to complement law mandating mobile privacy policies.

California Attorney General Kamala Harris.

In recent months the state of California has stepped up its efforts to enforce the California Online Privacy Protection Act (COPPA). In December, Attorney General Kamala Harris made an example of Delta Airlines, which had ignored a letter warning the carrier that it was in violation of COPPA. The statute requires every app which collects data about California users (which, practically speaking, means every app) to conspicuously post a privacy policy disclosing what information is collected and how it will be used.

In a new report, Harris's office offers an official set of recommendations for mobile app developers. California urges app developers to "minimize surprises to users from unexpected privacy practices." In addition to posting a standard privacy policy, the state also recommends the use of "special notices" to alert users when an app might be using data in a way the user might not expect. For example, when an app needs the user's location, the user is typically alerted and given the opportunity to allow or block the application from getting the current location. The state recommends using similar notices when an app collects other sensitive information.

The 23-page report offers a wide variety of other recommendations. Most of them are directed at app developers, but there are also recommendations for the companies that operate app stores, advertising networks, and wireless networks. The state recommends that app developers limit data collection, limit data retention, and avoid using global device identifiers that could be correlated across apps.

The report also recommends using encryption to handle data, limiting access to personal user data by employees, and designating an employee to periodically review an app's privacy practices to ensure that the privacy policy remains up to date.

Finally, the state recommends making privacy policies easy to read and easy to understand. For example, the report suggests presenting privacy information in a "grid or 'nutrition label for privacy'" format that "displays your privacy practices by data type."

These seem like sensible suggestions. And for the most part that's all they are: suggestions. The state's authority to regulate mobile data practices flows from the provisions of the COPPA, which don't mention most of the recommendations in the AG's report. To comply with California law, all you have to do is write a privacy policy accurately describing your data practices and post it somewhere your users can easily find it. The law doesn't say anything about "special notices," minimizing collection of sensitive information, encryption, or most of the other topics covered by the report.

"The recommendations go beyond the law," Special Assistant Attorney General Travis LeBlanc acknowledged in a Wednesday interview. "The law sets the floor for what everyone needs to do."

But he said the state hoped to "move the discourse forward" by educating mobile developers about what state officials view as the best practices for mobile privacy. The report, he says, "walks them through in plain English what they need to think about in terms of privacy."

He said the state planned to follow up the report with training sessions in the spring, which will be targeted at smaller developers that can't afford to hire full-time privacy experts to craft their privacy policies.

At the same time as it deploys the carrot of helpful advice, the state also plans to continue using the stick of stricter enforcement. LeBlanc told us that the state expected to file another lawsuit in the next month or two against a mobile app developer that had failed to comply with COPPA's requirement of a conspicuous privacy policy. And LeBlanc says that the next step will be to begin enforcing the substance of privacy policies: ensuring that what companies say in their privacy policies matches what they actually do with user data.
