California AG Gives App Developers 30 Days To Post Privacy Notice

Trailrunner7 writes "California Attorney General Kamala D. Harris today announced a crackdown on mobile application developers and companies that haven't posted privacy policies, at least where users can easily find them. The attorney general is giving recipients 30 days 'to conspicuously post a privacy policy within their app that informs users of what personally identifiable information about them is being collected and what will be done with that private information,' according to a prepared statement. A sample letter defines the issue at hand. 'An operator of a mobile application ("app") that uses the Internet to collect PII is an "online service" within the meaning of CalOPPA. An app's commercial operator must therefore conspicuously post its privacy policy in a means that is reasonably accessible to the consumer. Having a Web site with the applicable privacy policy conspicuously posted may be adequate, but only if a link to that Web site is "reasonably accessible" to the user within the app.'"

Mobile

[Nerdfest]

Why treat mobile apps as a special case? All software applications, client-side or web based should be treated the same way.

Re:Mobile

[captainpanic]

Not sure, but I guess that the reason is that you have a special chapter in your lawbooks regarding mobile phones, and a separate one regarding the internet?
Even though the mobile apps are essentially just a piece of software, it needs to be put into the right lawbook to have an effect in the right way. Bureaucracy, you know.

There was a time when it was easy to distinguish between a phone and a computer, and completely different laws applied. That has changed now, but the lawbooks may still lag behind a little.

Just guessing. I'm not from California.

Re:Mobile

[demonbug]

Why treat mobile apps as a special case? All software applications, client-side or web based should be treated the same way.

They aren't treated as special cases. The rules apply to any online applications, which includes pretty much all mobile apps. It's just that mobile app makers have been very poor at following the rules, likely because so many of them are small fly-by-night companies that don't have a legal department telling them what they are supposed to be doing. So 100 companies get notices that they need to have privacy policies posted, it gets splashed all over the news, and hopefully this will wake the others up to the fact that they need to be doing this just like the big boys.

Re:Mobile

[arisvega]

Why treat mobile apps as a special case? All software applications, client-side or web based should be treated the same way.

Because everybody* has a smartphone.

* "that matters"

Re:Mobile

[DragonWriter]

Not sure, but I guess that the reason is that you have a special chapter in your lawbooks regarding mobile phones, and a separate one regarding the internet?

You could guess that, or you could RTFA -- or even RTFS -- and see that the law applies to all "online services", and the mobile apps that have been the subject of the recent round of notifications were singled out not because they were "mobile apps", but because they were online services within the meaning of the law and weren't following the rules applicable to online services.

Re:Mobile

Many are individuals that just need a Cal approved piece of diatribe. The major players need to play by the rules....like Japanese studios rehashing old "hack 'n slash" game styles and asking for money to buy weapons from newbies to the tedious game play style.

Open source privacy policy

[concealment]

Instead of attaching a sample compliance letter, why didn't the AG attach a sample privacy policy and open source it so that developers can use it?

Pasting in a generic document is much more likely to happen than all those app developers running out and hiring lawyers, so she will either get lower compliance or shoddier privacy policies.

Is it too much to ask that government take the lead in this case? I can't imagine it costs the AG anything, since that office hires a staff of lawyers.

Re:Open source privacy policy

[emj]

What's needed is something like that Terms of Service did not read, with easy bullet points telling you just how evil this app is, sure ToS and privacy policies aren't exactly the same thing. This was discussed on slashdot last week.

Re:Open source privacy policy

[jasper160]

Bureaucrats are incredibly lazy.

Re:Open source privacy policy

[Sarten-X]

Why didn't the AG attach a sample? Because it's a silly idea.

This is a legal document, probably differing for every case, and the point in requiring it is to make developers take a hard look at what information they access and how they use it. Rubber-stamping a boilerplate lets developers say they have a privacy policy, but it doesn't actually encourage any increase in privacy until somebody's sued over it. Once that happens, there will be a few developers who think about privacy, but most won't even know the case happened.

Like most legal documents, you usually don't actually need a lawyer to write it. You may need a lawyer to make it bulletproof against other lawyers, but any statement is enough. You could drop in a note saying "This app doesn't intentionally collect any personally-identifiable information, and doesn't contact external services" and probably satisfy the needs of the law, assuming it's accurate. In the event of a lawsuit, though, that statement would cause a little trouble (and open up room for opposing lawyers to argue), because it doesn't define "personally-identifiable" or "external" adequately. Does a game ask for a name for a high-score list? Does it send usage reports or download updates from a developer's server?

A lawyer could enumerate all the things the app does and doesn't do, in absolutely clear language, so there's no question where users' data goes, but for many apps (especially for those made without the intent of profit) that's unnecessary. Developers should already know how their program works, so they should be able to define one aspect of it.

Disclaimer: IANAL, but I've had my share of dealings with them.

Re:Open source privacy policy

[Bumbles]

A lawyer could enumerate all the things the app does and doesn't do, in absolutely clear language,...

Clear language? Legalese is about as far from clear as one can get.

Re:Open source privacy policy

[Dog-Cow]

Not to mention, but how exactly do you enumerate all the things your app doesn't do?

Re:Open source privacy policy

[Bogtha]

This is a legal document, probably differing for every case, and the point in requiring it is to make developers take a hard look at what information they access and how they use it. Rubber-stamping a boilerplate lets developers say they have a privacy policy, but it doesn't actually encourage any increase in privacy until somebody's sued over it.

This happens anyway. I have to fight this battle every time I build an app that collects personal information. Every single time in four years of developing apps, I have been provided with the privacy policy for their website, that specifically describes things that are only applicable to their website, that doesn't account for their mobile app at all. I've got a current project hanging at the moment where we've chased them for a real privacy policy about half a dozen times. The rest of the app is finished, we're still waiting for the privacy policy, weeks later. If it wasn't for us insisting, the app would be live with a meaningless privacy policy they don't follow, and I'm certain other app developers aren't as insistent as us.

Re:Open source privacy policy

[Sarten-X]

"No other personal information is collected" or other similar wordings will do nicely. If there's something that you know your app will never try to do, it can be listed as a reassuring gesture to the user.

By the way, the link in your signature is broken.

Re:Open source privacy policy

[fustakrakich]

...why didn't the AG attach a sample privacy policy and open source it so that developers can use it?

Because the real intention here is to put small independent developers with their 'disruptive' technology who can't afford a gaggle of lawyers out of business. The whole idea of a 'privacy policy' can be nothing more than a jobs program for the legal profession. It is impossible to enforce such nonsense.

Re:Open source privacy policy

[Sarten-X]

The reader's lack of education is not the author's fault.

My opinion is that the problem of "legalese" stems not from obtuse writing, but rather from the lack of adequate reading comprehension skills in today's society. As printed language has become more common, literature has followed the common grammar into a more casual (but imprecise) tone. Schools, in appealing to modern culture, require less reading of older works in favor of modern literature. Where once a student would read The Canterbury Tales or Moby Dick, they now read Harry Potter or Twilight. While modern literature still explores the same questions and themes as the antique works (therefore being valid for a literature class), the language uses common connotations, so the imprecision goes unnoticed.

As a result, English (and indeed, many others) continues its transformation into a common tongue of simplicity, while documents written in a precise form with a wider vocabulary are regarded as being a different language altogether, that many now call Legalese.

Re:Open source privacy policy

[bmo]

Because the real intention here is to put small independent developers with their 'disruptive' technology who can't afford a gaggle of lawyers out of business.

Bullshit. It's not a conspiracy. This is an issue everyone in the 80s running single-line BBSes had to deal with. The ECPA became law 24 years ago. The California AG's message should not surprise you.

Copy someone else's privacy policy. It's what lawyers do anyway. You think they actually work at this stuff? It's all boilerplate.

You can say "we do not collect any user data" and make sure your program doesn't phone home or disclaim all privacy whatsoever. and hope nobody actually reads your privacy policy. Copy Facebook's privacy policy if you want to be evil. They bury the "we own everything you post" in language that you and I can understand but not 90 percent of users.

And at the end of it, say "we reserve the right to change this policy in the future." to further cover your ass.

It's not hard if you're honest and up front. It's only hard if you want to deceive users. That's where the tricky language comes in.

--
BMO

Re:Open source privacy policy

[geekoid]

Becasue not all apps will have the same privacy policy. The compliance letter is standard fair.

Re:Open source privacy policy

Instead of attaching a sample compliance letter, why didn't the AG attach a sample privacy policy and open source it so that developers can use it?

Because she/he's not authorized to do that. He can present works sufficient for communication with his office, but setting policy for external entities? Not within the scope of his office except I suppose with regards to state contracts.

Pasting in a generic document is much more likely to happen than all those app developers running out and hiring lawyers, so she will either get lower compliance or shoddier privacy policies.

Is it too much to ask that government take the lead in this case? I can't imagine it costs the AG anything, since that office hires a staff of lawyers.

If you want California to do that, I think you'll need to talk to the legislature first.

Re:Open source privacy policy

[pmontra]

Like most legal documents, you usually don't actually need a lawyer to write it.

And even if you need them Iubenda is an example of a self service privacy policy generator. They have a legal team that writes the standardized pieces you put together for your site. I've been using it for a couple of web services. Iubenda is specific for the web but I bet the same could be done for mobile applications.

Re:Open source privacy policy

[bmo]

Where once a student would read The Canterbury Tales or Moby Dick, they now read Harry Potter or Twilight.
that many now call Legalese.

Legalese is not prose or poetry. It is not Chaucer, Shakespeare, Emerson, or Auster. It is closer to math than prose. While literary English hinges on "deeper meaning," legal English hinges on the logical operators of "and" "or" "not" and "nor" and punctuation. A single "and" instead of an "or" or "not" can change the entire meaning of a contract. Well written legal documents are concise and unambiguous. Prose and poetry are "good" if the reader can read his own opinions into what is written - plain prose is devalued. Due to all this It is extremely easy write a legal document that looks like "Episode 18 - Penelope" and it is incumbent upon the author (a lawyer in this case) to break it down into sensible chunks if one is trying to be unambiguous.

Unfortunately for many people, there are a lot of lawyers who don't know how to do that last bit, and teaching people Chaucer does not prepare them for legal English or how legal English is abused by lawyers.

Literary English and legal English are two completely different languages separated by a common vocabulary.

--
BMO

P.S. Yes, I did group Paul Auster in there with Shakespeare. Deal with it.
P.P.S. You claim that the classics are no longer taught. This is clearly not the case. High school students are still subjected to the mind-numbing dessicated analysis of Shakespeare and Melville, thus turning many off to classics forever and into the welcoming arms of J.K. Rowling, if they haven't given up on reading altogether.

Re:Open source privacy policy

[DragonWriter]

Instead of attaching a sample compliance letter, why didn't the AG attach a sample privacy policy and open source it so that developers can use it? Pasting in a generic document is much more likely to happen than all those app developers running out and hiring lawyers, so she will either get lower compliance or shoddier privacy policies.

Because the privacy policy has to describe what personally identifying information (PII) the online service actually collects and what the online service operator actually does with the PII, so a "generic document" that got pasted in wouldn't provide any value. (In fact, operators of an existing service pasting in a generic document would just move the violation from not posting a privacy policy to not following the posted privacy policy, except in the extraordinarily unlikely event that the PII the app collected and the manner in which it was used exactly matched what was in the generic document.)

Is it too much to ask that government take the lead in this case?

Yes, it is unreasonable to ask the government to write up the description of what PII online services collect and what they do with that PII.

I can't imagine it costs the AG anything, since that office hires a staff of lawyers.

It wouldn't hurt to have a lawyer review the language of the privacy policy once it was written up by someone who knew the relevant facts about the service, but being a lawyer doesn't make you magically know what information services collect and how they use it. Further, the staff of lawyers that work for the California Department of Justice already have work to do, so giving them additional work would have a cost as it would either: 1) Require hiring more lawyers, or 2) Require losing the value of the existing work they are doing.

Re:Open source privacy policy

[chrismcb]

Instead of attaching a sample compliance letter, why didn't the AG attach a sample privacy policy and open source

What is this fascination with "open sourcing things?" Are you afraid someone will take the "sample privacy policy" and copyright it? Or are you afraid people will distribute copies without distributing the source?
The government can't copyright things, so there is no need to "open source" the sample privacy policy.

Re:Open source privacy policy

[cyberfunkr]

Instead of attaching a sample compliance letter, why didn't the AG attach a sample privacy policy and open source it so that developers can use it?

As someone who recently hired a lawyer to go over a Privacy Policy and Terms of Service, I can assure you that what the average person THINKS should be in a Privacy Policy and Terms of Service are vastly different than what is needed to be legal, and most important, enforceable.

A good Privacy Policy should include not just what you store, but how you collect it, and how it is stored. Are you using cookies? Can I opt-out of using cookies? Can anyone else see those cookies? If I delete the app, does that delete my personal data? How can I request it be removed? What steps are you taking to protect my data? What about my financial data? All those in-app purchases, how much of my credit card information do you get? Can you see my personal data? What about employees? Partners? Advertisers?

There is no way to make a "safe" policy that will fit everyone. At best, the AG would put out a document that includes all possible verbiage and it would be up to each user to cut out what isn't needed. But odds are, people are going to screw it up and leave in contradicting clauses, thus nullify the whole thing.

Hire a lawyer. Even if it's just a one-time thing. Just like getting business tax licenses, trademarks, and dev tools, it is the cost of doing business.

Re:Open source privacy policy

[Sentrion]

Just a few hundred years ago, it was not uncommon for a document to break off into several lines of pure Latin, and then jump back into English again without any explanation. The abstruseness of legalese is deliberate for excluding the legally untrained and to justify high fees. Legalese is characterized by long sentences, many modifying clauses, complex vocabulary, high abstraction, and insensitivity to the layman's need to understand the document's gist.

Here's one of my favorite jokes about legalese, but some real life examples are even worse:
When a layperson wants to give you an orange, he or she merely says, “I give you this orange.”

But when a lawyer does it, the words he or she uses are:–

“Know all persons by these present that I hereby give, grant, release, convey, transfer and quitclaim all my right, title, interest, benefit and use whatsoever in, or and concerning this chattel, otherwise known as an orange, or citrus aurantium, together with all the appurtenances thereto of skin, pulp, pip, rind, seeds and juice to have and to hold the said orange, for his own use and behoof, to himself and his heirs, in fee simple forever, free from all liens, encumbrances, easements, limitations, restraints or conditions whatsoever, any and all prior deeds, transfer, or other documents whatsoever, now or anywhere made to the contrary notwithstanding, with full power to bite, cut, suck or otherwise eat the said orange or to give away the same, with or without its skin, pulp, pip, rind, seeds or juice.”

Part of the problem is that courts have long ago set precedent that the precise wording in a contract can be used against a party even if there is clearly no rational reason for such a party to believe that the wording of the contract could be used in such a matter. An example is the "negative pregnant", such as denying that you owe $50 to a creditor. Upon such a denial it was not uncommon just 150 years ago for an opposing party to win a judgment for $49, since you only denied owing $50 (and you didn't deny owing any other amount). It is bullsh*t like this why we have to add phrases like "do not owe $50, or any other amount".

The odds are that both parties to a transaction might be better off absent contract wording, like a privacy policy, since such precisely written documents can be misconstrued to mean something very different from what the author intended or what any layperson would interpret.

For example, my privacy policy may state that I won't divulge your info to third parties, but then I might be culpable if you lose a lawsuit because of evidence provided to an attorney in compliance with a court order. If you don't mention the possibility of sharing info with law enforcement or by court order in your statement you may be liable, but not if you had no statement at all. Of course, my favorite clause to slip into any contract is

"You agree to indemnify, hold harmless and defend us, at your expense, against any and all third-party claims, actions, proceedings, and suits brought against us".

You see it everywhere and it kind of ties the hands of anyone agreeing to your contract.

Re:Open source privacy policy

[Sarten-X]

All very true. I did not mean to imply that prose or poetry would translate directly into a career as a lawyer, but rather that I feel schools simply don't focus enough on difficult works (and I generally find older works to have more difficult material). The goal in a literature class is to explore the deeper meanings and interpretations of literature. For that purpose, many modern works are fine (though I'm partial to science fiction, myself).

What I bemoan is that there is never a class emphasizing reading comprehension as a skill, where students learn to dissect written passages into the parts relevant to the question at hand, where the logical differences between "and" and "or" are explored (with regards to their use in language), and the placement of a comma makes all the difference in the world.

I had intended to include a mention of Shakespeare in my post, complaining about the approach often used to teach it. In the opening of Romeo and Juliet, for example, one character makes a rude gesture to another, but is careful in his phrasing to stay legal (for a while). While a modern literature class would delve into the culture of dueling and family honor, the breakdown of the careful phrasing is overlooked.

Perhaps better would be to complain about the loss of Latin classes. They focused more on grammar, as I recall.

Re:Open source privacy policy

[Sentrion]

Our society has accepted that a fifth-grade reading level should be the defacto standard for most published works. Consumer oriented publications such as newspapers and magazines tend to be written to be easily read by someone with a fifth grade education. Such a level should be appropriate for any contract intended for a general audience. If you write for a specific audience you can use vocabulary that they will (or should) recognize, and sometimes it is more eloquent and precise to use a particular word that is not commonly known or used by the general public. In a few rare cases it is even appropriate to use a word that your audience will have to look up after your speech, to give you enough time to exit the room before your audience realizes you just insulted them all.

That said, below is an excerpt from Bacon's Of Marriage AND SINGLE LIFE:

Certainly wife and children are a kind of discipline of humanity; and single men, though they may be many times more charitable, because their means are less exhaust, yet, on the other side, they are more cruel and hardhearted (good to make severe inquisitors), because their tenderness is not so oft called upon. Grave natures, led by custom, and therefore constant, are commonly loving husbands, as was said of Ulysses, vetulam suam praetulit immortalitati. Chaste women are often proud and froward, as presuming upon the merit of their chastity. It is one of the best bonds, both of chastity and obedience, in the wife, if she think her husband wise; which she will never do, if she find him jealous.

Most would agree that it is not that hard to read and understand this passage. However, the Latin text in bold is presumed to be understood, but most modern readers wouldn't know what this means without access to Google search. About a century ago you couldn't call yourself educated unless you could understand Latin and often Greek as well. It is one reason why lawyers used to have much more Latin terminology in statutes and contracts. There are still some who say that we are less educated than our predecessors because of our deficiencies in Latin and Greek, but I would argue that there is more knowledge to master today than in times gone by, and Bacon would likely be just as bewildered by our use of texting abbreviations, emoticons [ie, :P, ;), etc.], and casual HTML markup.

Re:Open source privacy policy

[Sarten-X]

Note the differences in the statements you gave.

“I give you this orange.”

In this case, the giver is simply handing over a fruit. There is no indication of what the receiver is expected to do with it, whether it will be expected back, or whether it even is actually an edible orange. For all the receiver knows, taking the orange means he's just entered a common-law marriage with the giver's niece, mother, and cat.

“Know all persons by these present that I hereby give, grant, release, convey, transfer and quitclaim all my right, title, interest, benefit and use whatsoever in, or and concerning this chattel, otherwise known as an orange, or citrus aurantium, together with all the appurtenances thereto of skin, pulp, pip, rind, seeds and juice to have and to hold the said orange, for his own use and behoof, to himself and his heirs, in fee simple forever, free from all liens, encumbrances, easements, limitations, restraints or conditions whatsoever, any and all prior deeds, transfer, or other documents whatsoever, now or anywhere made to the contrary notwithstanding, with full power to bite, cut, suck or otherwise eat the said orange or to give away the same, with or without its skin, pulp, pip, rind, seeds or juice.”

Clarity at last! Let's break this down a bit...

Know all persons by these present

This is a public deal, and everybody watching is expected to know about it.

I hereby give, grant, release, convey, transfer and quitclaim all my right, title, interest, benefit and use whatsoever in, or and concerning this chattel

This is a final deal. There is no expectation (of any of several kinds) that the orange will be returned or that it's some kind of loan.

otherwise known as an orange, or citrus aurantium, together with all the appurtenances thereto of skin, pulp, pip, rind, seeds and juice

Specifically, it is an orange of one particular species, and all its parts. Here we can see that the receiver is getting everything, so the giver can't later say "oh, you should have given me those seeds; they were still mine!" and accuse the receiver of theft.

to have and to hold the said orange, for his own use and behoof, to himself and his heirs,

Now we know that the receiver will get this orange for himself, and isn't expected to pass it somewhere else.

in fee simple forever, free from all liens, encumbrances, easements, limitations, restraints or conditions whatsoever, any and all prior deeds, transfer, or other documents whatsoever, now or anywhere made to the contrary notwithstanding,

We now also know who else is looking for that orange: nobody. Once the receiver gets the orange, he owns it outright (in fee simple), and nobody else has a claim to it, regardless of what they might think (though if the orange was the collateral on a loan, the giver might now be in breach of that loan's contract.

with full power to bite, cut, suck or otherwise eat the said orange or to give away the same, with or without its skin, pulp, pip, rind, seeds or juice.”

And lastly, we know what the receiver is expected to do with the orange: bite, cut, suck, or eat, or give it away. Note that the receiver is not expected to throw the fruit at an elected official or bad actor (or both, as the case may be). Doing so could be argued as a breach of contract in court, freeing the giver from any liability, because he didn't give the receiver permission to use the fruit as a projectile (though he didn't exclude it, either, so it's a good point for debate).

This is so much more precise! Look at all the legal pitfalls we've avoided by using the lawyer's nuanced text!

For the record, I go to a game night run by a lawyer. The words he uses are "Beer's in the fridge; help yourself."

Re:Open source privacy policy

[TuFur]

"No other personal information is collected" or other similar wordings will do nicely. If there's something that you know your app will never try to do, it can be listed as a reassuring gesture to the user.

By the way, the link in your signature is broken.

That works for apps off the various stores....But doesn't work for pre-installed bloatware the provider is running while you use your phone. Verizon is great for these apps. They crash your phone not releasing memory while your doing memory intensive activities. No App needs access to your cellular phone except to keep it from sleeping. Asking for contacts is bad programing and presentation....I'm seeing alot of this disappear from the Google apps. But Apple doesn't present rights to the end user....is it too complicated for an iPhone user to grasp program rights? So, maybe she feels she needs to protect Apple users as her office protected the mass murder from Mexico that killed a father and son on the streets of San Francisco. In the end, all those idiots paid to spam the internet on an apple breakout day, could be used to check the battery usage of and I-device....Android user need not worry....just read the tech blogs. BTW, every Apple device calls home on $10 a gig lte line. Apple should post this each time a device connects without user wanting it.

Re:Open source privacy policy

What an idiotic post. *golf clap*

Re:Open source privacy policy

[TuFur]

I remember finding out about forms during a DIY child custody. I turned to Nolo books and they had the boiler plate doc. The family judge signed it off in 10 mins...$500 lawyer fee saved. Since then, I've learned how much of our judicial system could be lawyer free. This only applied to a non-arguable situation. A trained mad hatter arguable individual is your friend in other situations....Melvin Beli was my favorite for beating a drunk driving complaint and giving up his driving license to win. Simple English (no boffin/pundit London speak) works in America. Lawyer are the bain of the common man as they prosecute one and protect one under law created by them....The arguments for the 2nd amendment was a short breath of freedom.

Re:Open source privacy policy

[dgatwood]

I think it would be more precise to say that English has largely replaced Latin and Greek as the shared language of communication across cultures. Thus, in much the same way that someone native to Greece two hundred years ago did not need to know English to communicate with people in other countries, someone native to an English-speaking nation today need not learn Latin for that purpose except as an intellectual exercise.

Re:Open source privacy policy

[dgatwood]

Clear language? Legalese is about as far from clear as one can get.

Apart from severability and choice of law/venue clauses, there should be almost no legalese in a privacy policy, for two reasons.

• First, a contract requires a meeting of the minds. If your policy is so abstruse that one party doesn't actually understand the terms, you may not actually have a contract.

• Second, if you can't explain in common English what you are doing with my data, that almost always means that you're doing something nefarious, or at least dodgy. And if it requires a hundred-word compound-complex sentence, you need to hire a better writer who knows how to split things up into manageable paragraphs. Seriously, it just isn't that hard to explain your policies in plain and simple English. And it shouldn't require tens of pages of text just for your privacy policy. If it does, your policy probably has way too many exceptions and special cases for my taste.

I'm in the process of writing a terms-of-service/privacy-policy document for a website right now, for a site I'm currently in the process of developing. It combines a fair bit of snark and humor with a very simple, easy-to-understand explanation of what information the site collects and how that information is or is not disclosed. You can read the current version here.

Comments or chuckles welcome.

Only 30 days?

[Manfre]

With only 30 days to get a policy written and added to the app, I guess that means that most iPhone apps will not be able to comply.

We ownz you

[Opportunist]

Don't like it? Stop using the app you paid for!

No refunds. Sucks to be you.

It has to be within the app?

[Bogtha]

The article contradicts itself. Early in the article, it states that the policy has to be within the app, then later on, it says it has to be in the App Store. There's a huge difference between the two in what it means for app publishers.

Re:It has to be within the app?

[Joehonkie]

Is it a difference a politician can even appreciate? I doubt it.

Re:It has to be within the app?

[Bogtha]

She's supposedly been consulting with app developers, although not ones representative of the larger industry.

Tthis is what could happen if it had to be within the app:

• Receive letter requiring a policy in your app within 30 days.
• Shit, we outsourced this (common because mobile developers are few and far between).
• Pay for changing the design to include a button to show the policy.
• Pay for a developer to make the necessary changes.
• Shit, the developer we used has a full schedule, we have to find somebody else (again, common).
• Find a new developer.
• Get them up to speed on the project and get them to make the changes.
• Submit the update to Apple.
• Wait an unknown amount of time for it to be reviewed.
• Apple don't like something in your app. Maybe their policies changed, maybe a previous reviewer didn't catch something, maybe you've just got a bad reviewer.
• Go back to the designer and developer and pay for them to do more work, if feasible.
• Resubmit to Apple.
• Wait an unknown amount of time for it to be reviewed.

And you've got to fit that into 30 days. And that assumes the changes Apple requires you to make aren't fundamental to your business model or operation of the app. And that assumes only one round of alterations is required. And that assumes it's feasible for you to pay for expensive mobile developers.

Meanwhile, here's what it would be like if the policy only needs to appear in the App Store:

• Receive letter requiring a policy in your app within 30 days.
• Stick a policy online. It can be anywhere, even if you don't have a website, you can just sign up on Wordpress.com or something and post it there.
• Log into iTunes Connect and put the link into the privacy policy field.

Re:It has to be within the app?

[Eraesr]

Actually, that isn't the biggest problem. Yeah sure, an in-app privacy policy is a problem for a developer, but I'm sure that if you've submitted your app to the appstore within the 30 day limit and it's denied by Apple because of a different reason, a judge will probably take that into account when deciding on that issue.

No, a much bigger issue in the difference between in-app or an in-store privacy policy is for the consumer. If the privacy policy is in the store, you can read it and assess it before downloading and installing the app. If you don't like the privacy policy, then don't download and install the app. If it's an in-app document or link, then you have to download, install, run, possibly even create an account an login all before you get to see the privacy policy. By that time, the app has probably already completely sucked all personal information out of your phone and submitted it to the app owner.

Same with a EULA that's presented to you when you install a piece of software on your PC. That EULA is presented to you after you've bought the software. So if you don't agree with the EULA, then I'm pretty sure the seller is forced to completely refund the software to you. It's basically the same thing as buying a bread from the baker and after paying, the baker says that you are only allowed to eat the bread at home, and only if don't put any meat on it.

Not in California

In UKRANE Capitalist Country!!!!! DOES Not apply.

Hahah.

$$$$$

Re:Not in California

Kazakhstan number one exporter of potassium! Better than shit Ukrane!

Re:Not in California

Kalashnikov > POTASSIUMS!!!

Is this guy serious?

[SuperMooCow]

Does this guy expect app developers from other states to comply with the laws of California? What about developers from other countries?

Re:Is this guy serious?

Does not apply IN UKRANE Capitalist COUNTRY.

Sorry try AGAINS.

Re:Is this guy serious?

[Mormz]

Well he need to earn a pay check somehow. I mean seriously, this is a patent-troll lawyer wannabe. He doesn't give a shit about privacy, he just want's to have a new car and a boat.

Re:Is this guy serious?

He's a Californian, according to them, all laws are overruled by California's laws.

I think app authors should just add a line to their store pages stating "This application may be illegal in California." (Or the old "This product is known by the state of California to cause cancer.")

Re:Is this guy serious?

Of course he does, at least if they want to sell their apps to California's 40 million consumers.

Would you expect to be able to sell your app in China without following their laws?

Re:Is this guy serious?

[guttentag]

Does this guy expect app developers from other states to comply with the laws of California? What about developers from other countries?

People can be forgiven for not realizing Kamala Harris is African American and Asian American, but she's definitely not a guy.

Re:Is this guy serious?

[geekoid]

If you want to sell your product in California, then yes.

Re:Is this guy serious?

[weiserfireman]

So attach a statement to your app description in the Apple Store "Not Legal for Sale in California".

Re:Is this guy serious?

[DragonWriter]

Does this guy

Kamala Harris is not a guy.

expect app developers from other states to comply with the laws of California?

All of the specific businesses I've seen mentioned as recipients of these notices are businesses that do businesses in California in a fairly substantial way besides having their relevant online service available in California (e.g., major US airlines.)

Re:Is this guy serious?

[DragonWriter]

Well he need to earn a pay check somehow. I mean seriously, this is a patent-troll lawyer wannabe. He doesn't give a shit about privacy, he just want's to have a new car and a boat.

Kamala Harris, the Attorney-General of California, is not a "he" (strike one), is not any kind of "lawyer wannabe" (strike two), and doesn't get any more money for doing this than she would get as Attorney-General not doing it (strike three).

Re:Is this guy serious?

the only law i am aware of... you must relinquish your IP

Re:Is this guy serious?

[zlives]

"may not be Legal for Sale in California" FTFY

Re:Is this guy serious?

Of course he does, at least if they want to sell their apps to California's 40 million consumers.

Are you sure you know how the Internet works?

Re:Is this guy serious?

[Dasuraga]

Laws don't work that way. If you distribute something in a certain area, you must abide by their laws (at least concerning usage).

"App" now officially defined in law

[Compaqt]

OK, it's official, "app" is known to the State of California to be defined as a "mobile application".

Encourage them to standardize

[concealment]

This is a legal document, probably differing for every case, and the point in requiring it is to make developers take a hard look at what information they access and how they use it.

I disagree that it's going to be that different. If they need to list different data fields that will be retained, or change a length of time, they can edit the open-source document for their specific needs. But this gives them a template to work from which has all of the lawyerese perfected.

I can't agree that the document will differ in every case. In my experience, the differences will be slight, and thus having an open source document would encourage programmers to adopt a general standard (like a community rule) for how they're going to approach privacy issues.

The result would be a raising of the overall standard to that of the proposed document, which is why it's a good idea to have professionals write it and "promulgate" it.

Re:Encourage them to standardize

[Sarten-X]

A privacy policy shouldn't just be a checkbox on a compliance procedure. Like any policy, it should only be the result of careful consideration. Yes, eventually many developers will come to broadly the same conclusions, but the process of writing (and verifying) the policy conveys the importance it should have. The privacy policy is effectively a promise of what your app will or won't do, and if that promise is made just to save time, it likely won't mean anything to the person making it.

Sure, there could be a Creative Commons-like system, where developers pick and choose what options they include. My concern is that by having an easy-to-make policy, the policy is also easy to forget. When a later version adds a new feature or advertisements, how likely is it that the long-forgotten privacy policy will be updated to match? If a legally-bulletproof blanket-permission policy can be made cheaply and easily, why not just apply that to all apps, regardless of the actual capabilities of the program?

The PowerPoint Effect may be lies

[concealment]

There's a lot of pushback against bullet points, with people talking about "The Power Point effect," where somehow reading a lot of bullet points turn ordinary people into morons. I'm with you -- I think whatever works to make the simplest and clearest communication is best. Going to the level of memes might be taking it too far, but no one's suggest that yet thankfully.

Re:The PowerPoint Effect may be lies

[RobertLTux]

the problem is that Power Point Bullets do not have a large enough Caliber (or the person doing the Power Point was not threatened with Bullets of a large enough Caliber)

the best way to prevent the PPE is to act as if you need to travel by Air with actual Bullets (and a matching FireArm of course)

1 DO NOT JUST READ THE SLIDES
2 have roughly an index card worth of info on each slide (not counting what you are just stating)
3 don't get "cute" with your transitions/embedded media
4 limit yourself to maybe a dozen slides (not counting "Blank" slides for Videos but limit those)
5 include any "reference" documents (or tools mentioned) as part of the Notes/Take Away packet
6 Do not read Urls below top domain level (include with Notes)
7 DO NOT JUST READ THE SLIDES
8 any screen shots should be cropped for the screen being used (if you run with a 2096X screen then crop to say 800X600 if you are going to use a "normal" screen for your Presentation
9 have a 97 excel version of your Presentation and or a flashkey with Libre Office "just in case"
9 DO NOT JUST READ THE SLIDES

Re:The PowerPoint Effect may be lies

Any person using FTFY or editing my postings agrees to a US$0.00 charge

FTFY.

I have only one thing to say about this...

[RedBear]

CalOPPA Gangnam Style!

Great. Now all apps:

[queazocotal]

Permission: Fine GPS position (to verify that you're not in california, so as to not show it)

Re:Great. Now all apps:

[zlives]

UID and user info to confirm records of sale from vendor that the product was billed in califaornia, then sell info... profit?

Just Exclude California

[nickberry]

This just sounds like a really good reason to put in a data field for state when signing up for an app, and exclude Californians from use of the app, and explain to them because over burdening regulations our App is not available in your state, please contact the California Attorney Generals office for more information regarding these regulations. While there a lot of people in California, sometimes it's best to just avoid states or places where your work is not appreciated.

Re:Just Exclude California

[geekoid]

Yes, becasue no one want to tap a market that huge.

"because over burdening regulations"
Yes, telling them they have to post there privacy policy where the consumer can reasonably get to is so overburdening~

"avoid states or places where your work is not appreciated."
there is no rule people need to appreciate your work, so get over it.

Re:Just Exclude California

[nickberry]

And there is no rule where I have to participate in a state with over burdening regulations. And California is that place.

The AG is simply right...

[vikingpower]

...and doing nothing more than his or her job: to ensure that the state enforces that which by law it must enforce. Period.

Re:The AG is simply right...

[Attila+Dimedici]

This is correct. It is a law which I do not see any way for them to constitutionally enforce on developers who operate out of another state (let alone another country). Although I suspect that the state legislature could have written something into the law forcing the App Store to remove any app which is in violation of the law (assuming the company that runs the App Store is based in CA).

Re:The AG is simply right...

[AuMatar]

Unless they're selling to someone who lives in California. In which case the sale is governed by California law. Now if the developers said CA residents can't buy it (and are not themselves CA residents) then they can ignore this.

Re:The AG is simply right...

The app store sells the product, not the developers. The app store is the intermediary. Therefore that law does not apply.

So sorry CA, your laws only apply to your citizens. My state wrote a law that specifically states that no California law applies to it's citizens, period.

So nyah nyah nyah!!! Now whatcha gonna do? Go to war with my state? Stupid retard CA AG.

Re:The AG is simply right...

[Sloppy]

I'm not so sure about that. Maybe I'm reading the wrong thing (someone please correct me if you have a better reference) but I don't see anything in here which suggests a client application which interoperates with an online service is an online service, or that a client application which downloads other clients, is somehow governed by this law to display those other applications' policies in addition to its own.

You might say this is splitting hairs and ignoring the spirit of the law, but the text I'm reading is already so hair-splitting (talks about icons and color contrasts?!) and detailed that I'm not sure it's fair for AG to expect anyone to infer spirit.

That itself doesn't mean he's wrong in his interpretation (though I happen to think he is) but he sure seems to be going above-and-beyond the call of duty, in interpreting it so .. um .. progressively instead of leaving it to the legislature.

Re:The AG is simply right...

[DragonWriter]

It is a law which I do not see any way for them to constitutionally enforce on developers who operate out of another state (let alone another country).

The firms whose apps have been mentioned as recipients of non-compliance notices (e.g., United Airlines, Delta Airlines, and OpenTable) all have significant operations in California besides the mere presence of their mobile app (and OpenTable is headquartered in San Francisco.) So...what's your point?

Re:The AG is simply right...

[DragonWriter]

I'm not so sure about that. Maybe I'm reading the wrong thing (someone please correct me if you have a better reference) but I don't see anything in here which suggests a client application which interoperates with an online service is an online service

The app is just the mechanism by which a consumer "visits" the online service, which is the point at which the cited law requires the operator of the online service to make the privacy policy available.

or that a client application which downloads other clients, is somehow governed by this law to display those other applications' policies in addition to its own.

If you are referring to the App Store as the "client application which downloads other clients", that's not mandatory under the law, but it is the subject of an agreement between the AG and many app store operators (the original agreement is announced here, and Facebook joining the agreement is announced here; its also a mechanism by which the operator of the online service accessed through the mobile act could mean the "reasonably accessible means" requirement of the law without actually including the privacy policy within the application itself.

Re:The AG is simply right...

[Attila+Dimedici]

My point is that this is a law which will encourage businesses to locate as much of their operations outside of California as possible. It will encourage companies to create divisions outside of California that can be considered separate entities from the parts that do business in California and use those divisions to write apps.

Re:The AG is simply right...

[Kalriath]

Two of the three app stores are owned by entities headquartered in California. Only Microsoft's app store would be able to legally ignore it if they decided to go that approach.

Only applies to developers in CA.

Sorry AG, you cannot enforce your laws across borders.
Have a nice day.

Re:Only applies to developers in CA.

[bickerdyke]

And developers who want to sell their apps in California?

Re:Only applies to developers in CA.

[weiserfireman]

Developer doesn't have any stores in California. The California resident has to seek them out.

The law could require Apple or Google to delist any app that doesn't accommodate their laws, but a developer in Kazakhstan or Nevada has no presence in California.

Re:Only applies to developers in CA.

[DragonWriter]

The law could require Apple or Google to delist any app that doesn't accommodate their laws, but a developer in Kazakhstan or Nevada has no presence in California.

Unless, as is the case of many out-of-state HQ'd operations, they do. United Airlines and Delta Airlines are examples (and, unlike abstract hypotheticals, are actual recipients of non-compliance notices in this case.)

Yeahletmethinkaboutthathowaboutno?

[pla]

Dear California Attorney General Kamala D. Harris:

Go pound sand.

Sincerely,
Someone who doesn't live in California.

Re:Yeahletmethinkaboutthathowaboutno?

[geekoid]

You don't live there, why would they give a shit about you? why would you give a shit about them?
Yes, let stop consumer protection, what could go wrong?

Re:Yeahletmethinkaboutthathowaboutno?

It doesn't matter where you live, it's 2012, posting your privacy policy should be SOP.

But your thoughtful response is very helpful the conversation.

Re:Yeahletmethinkaboutthathowaboutno?

If the economy of every US state was comapred with a country -- California would be France. It is the *8th* largest economy in the world.

People care what happens in CA, because what happens in CA impacts you as measurably as french legislation.

So -- not a lot on a day-to-day basis, but very substantially on a month-to-month basis. And a lot more so if you're in an adjoining state engaged in direct trade.

When CA passes laws in the US, it tends to immediately impact any gas or automobile company, virtually all software companies by virtue of their presence, many PR firms, and of course... media. In addition to its actual alrgest industries -- transportation and real estate. Dollar for dollar agriculture isn't considered large, but it is huge in terms of US percent-output.

So -- when the California attorney general does something like this, it impacts the rest of the company.

I happen to agree with the concept behind this legislation. But he did basically just put an additional lawyer-tax on every small business doing app development in the state.

And let's be clear -- this isn't really consumer protection. There's a potential huge cumulative fine that will be effortlessly bypassed by nearly every large corp -- same as the fines for their other behavior. When you see a big sony rootkit type fiasco, you'll see him settle for $0.50 on the download.

Re:Yeahletmethinkaboutthathowaboutno?

[pla]

You don't live there, why would they give a shit about you? why would you give a shit about them?

Because:
1) TFA says nothing about the AG threatening only companies located in CA, and
2) California has a long history of strong-arming their regulatory environment onto the rest of the US simply by virtue of the size of their economy.

We don't need another Andrew Cuomo wannabe destroying a major part of the online world in a pathetic attempt to make a name for themselves while forcing their morals on the rest of the world. Thanks for the nannyism, but I've outgrown the diapers. I'll decide whether or not to do business with someone online, and while a privacy policy may factor into that, I think we can all figure out the meaning of not having one at all.


Yes, let stop consumer protection, what could go wrong?

Posting a privacy policy does not equate to "consumer protection".

Every year, all my banks and credit cards and other financial institutions send me a copy of their "privacy" policy. It unwaveringly boils down to "we share this, and you can't do a goddamned thing about it, so neener-neener".

Re:Yeahletmethinkaboutthathowaboutno?

[mcgrew]

You don't have to live in California to be bound by their laws. If you visit there or do business there, you are bound by their laws.

You will be the one losing out, not California. Someone else has written the equivalent to your app, and they'll get the sales you would have.

And... if you have to be sneaky to get their info, I don't think much of your morality. IMO that's really assholish behavior and I wish you people would stop it.

Re:Yeahletmethinkaboutthathowaboutno?

[pla]

if you have to be sneaky to get their info, I don't think much of your morality. IMO that's really assholish behavior and I wish you people would stop it.

FWIW, I agree with you. But as I said in my other response, this doesn't stop anyone from collecting anything. It just requires posting a privacy policy. And if you've read any privacy policies lately, you'll know that they virtually all say "we do what we want, deal with it or piss off".

I support real consumer protection laws. I don't support feelgood nuisances that punish everyone.

Re:Yeahletmethinkaboutthathowaboutno?

Your, both are going bankrupt too! and will probably need bailouts soon...Frankly I'm glad my state doesn't follow in the foot steps of California.

Come to Mississippi

If you're a developer, Mississippi welcomes you with open arms.

Let's see

[SmallFurryCreature]

• There's a lot of pushback against bullet points:
  • people talking about "The Power Point effect,"
     
  • where somehow reading a lot of bullet points turn ordinary people into morons.
• I'm with you --
  • I think whatever works to make the simplest
  • clearest communication is best.
• Going to the level of memes might be taking it too far, but no one's suggest that yet thankfully.

In Sweeden

This is happens too,

Both; two diff parties will require diff things

I don't think it's a contradiction. The AG is demanding that software developers put the policy in their app; he's saying that he intends to prosecute those who don't, as though they were violating some law which regulates online services. (If we assume this is a valid argument, BTW, it brings up an amazing variety of subtle issues about the [lack of] distinction between services and software which interoperates with those services. You could mentally wank over this forever, and I'm sure here on /. we'll be doing plenty of that, as I will in my final paragraph...)

The AG also has an "agreement" with seven particular repository maintainers ("platform stores"), that those maintainer's dedicated software which is the only thing allowed to talk to repository (imagine how bizarre a concept this would have seemed from around 1994-2007, but before and after that period was/is relatively "normal"), must have the capacity to display these policies prior to downloading the software stored in the repository.

Ergo, it sounds like what'll happen to developers is that there will be two pressures: AG will require them to show the policy to users, and the repository maintainers will further require that the policy be made available separately, so that the "application-download screen in the platform store" can show it too.

The fun begins when you ask "which privacy policy?" It's all so cut-and-dried when the client software only interoperates with a single backend server which happens to be under the control of the same entity who develops the client software. But if you fast-forward beyond "AOL thinking" to mid-1990s consumer tech (the web) it's suddenly impossible to comply with. No web browser for you!

CA AG has a lot of free time

[jsepeta]

who's going to do all the policing? Kamala D. Harris?

Socialists can't even defend their own policies

The sad thing is that everybody who will comment negatively about this socialist policy will simply ignore or even champion the hundred or even thousands of other socialist policies that do far more damage to society. Sad indeed!

RTFS:Mobile apps are not treated as a special case

[DragonWriter]

Why treat mobile apps as a special case?

They aren't. The law, as explained in TFS, applies to all "online services".

My apps policy

This app may collect and distribute any personal information it has access to.
It may be used in the most nefarious of ways to defraud you and enrich others.

Re:My apps policy

And if you said this, you would be keeping within the regulation AND give me the opportunity to never, ever, install any application that you develop on any device within my area of responsibility (roughly 10,000), regardless of its utility.

To bad

The Laws are created by the legislature and enforced by the executive.

The AG has no say in the matter.

Kiss our asses.

Re:To bad

[HiThere]

There is a theory that what you say is true. It isn't, however, the practice.

The enforcement of laws is riddled with favoritism from top to bottom. People will often justify it by saying "But they couldn't have meant it to cover that situation.". Often, however, there is no justification available, but the laws are enforced with favoritism anyway. This is why there is (in the locality I live) a "crime" described informally as "Driving while brown or black." But that's merely an easily observable instance of a widespread effect.

French poet F. Villon once observed "The law, in it's majestic equality, forbids both the rich man and the poor man from sleeping under the bridge." What he ignored is that if the rich man *IS* arrested for sleeping under the bridge, not only is he less likely to be prosecuted, if he is prosecuted, the penalty will be less. (At least proportionally. A $500 fine means a lot less to a rich man than to a poor man.)