California Attorney General Warns App Developers About Privacy Law Compliance Issues
Creators of mobile applications with insufficiently prominent privacy policies received notices of noncompliance from California Attorney General Kamala Harris’s office earlier this week. Harris previously worked with app platforms including Apple’s App Store and Google Play to develop privacy principles (CD Feb 23 p12) that comply with the California Online Privacy Protection Act, which requires that websites and online services that collect personally identifiable information from California residents prominently display their privacy policies. Harris’s office said (http://xrl.us/bnxgft) the notice is being sent to “up to 100 non-compliant apps at this time, starting with those who have the most popular apps available on mobile platforms.”
Operators have 30 days to develop a plan for improving transparency around their privacy policies, said a “sample letter” offered by Harris’s office (http://xrl.us/bnxgsi), signed by Supervising Deputy Attorney General Adam Miller and sent to operators whose apps do “not currently have a privacy policy reasonably accessible for consumers.” Within 30 days of receiving the notice, the letter said, operators should respond with “specific plans and timeline to comply with” the state’s privacy law or an explanation for why the app should not be subject to the law. Operators that fail to comply with the law could face a fine of $2,500 every time that app is downloaded, the letter said.
The move “is a reasonably prudent step to improve legal compliance,” said Application Developers Alliance President Jon Potter in a statement, calling the notices “a gentle reminder.” But privacy policies are “traditionally written in legalese by lawyers for defensive reasons and can be challenging for consumers to understand,” Potter said. The upcoming fifth NTIA multistakeholder discussion to address application transparency (CD Aug 23 p7) can provide a chance to encourage industry members to adopt “voluntary, short notices that tell consumers exactly what they need to know in words that consumers understand,” he said.
The compliance notices are “only a step in the right direction,” Consumer Watchdog Advocate John Simpson told us. Requiring applications to notify users about privacy policies and practices “is a commendable step forward,” but it doesn’t address the unnecessarily broad abilities these policies allow by establishing “any kind of serious regulation on what an application is allowed to do.” Requiring user notification is important, Simpson said, “but I believe that consumers deserve more than simply notice.”
Stronger government regulation could give consumers the privacy options they deserve, Simpson said: “I think you really need meaningful rules with some enforcement teeth,” which would come from stronger regulation. Self-regulation -- such as the potential result of the upcoming NTIA multistakeholder discussions -- “is less effective than imposed regulation,” he said. Simpson suggested a mandated Do Not Track feature for mobile devices as an example of regulation that could increase consumer privacy in the largely-untouched “wild west” of mobile.