California AG Gives App Developers 30 Days To Post Privacy Notice

Trailrunner7 writes "California Attorney General Kamala D. Harris today announced a crackdown on mobile application developers and companies that haven't posted privacy policies, at least where users can easily find them. The attorney general is giving recipients 30 days 'to conspicuously post a privacy policy within their app that informs users of what personally identifiable information about them is being collected and what will be done with that private information,' according to a prepared statement. A sample letter defines the issue at hand. 'An operator of a mobile application ("app") that uses the Internet to collect PII is an "online service" within the meaning of CalOPPA. An app's commercial operator must therefore conspicuously post its privacy policy in a means that is reasonably accessible to the consumer. Having a Web site with the applicable privacy policy conspicuously posted may be adequate, but only if a link to that Web site is "reasonably accessible" to the user within the app.'"

Re:It has to be within the app?

[Joehonkie]

Is it a difference a politician can even appreciate? I doubt it.

Re:Open source privacy policy

[Sarten-X]

Why didn't the AG attach a sample? Because it's a silly idea.

This is a legal document, probably differing for every case, and the point in requiring it is to make developers take a hard look at what information they access and how they use it. Rubber-stamping a boilerplate lets developers say they have a privacy policy, but it doesn't actually encourage any increase in privacy until somebody's sued over it. Once that happens, there will be a few developers who think about privacy, but most won't even know the case happened.

Like most legal documents, you usually don't actually need a lawyer to write it. You may need a lawyer to make it bulletproof against other lawyers, but any statement is enough. You could drop in a note saying "This app doesn't intentionally collect any personally-identifiable information, and doesn't contact external services" and probably satisfy the needs of the law, assuming it's accurate. In the event of a lawsuit, though, that statement would cause a little trouble (and open up room for opposing lawyers to argue), because it doesn't define "personally-identifiable" or "external" adequately. Does a game ask for a name for a high-score list? Does it send usage reports or download updates from a developer's server?

A lawyer could enumerate all the things the app does and doesn't do, in absolutely clear language, so there's no question where users' data goes, but for many apps (especially for those made without the intent of profit) that's unnecessary. Developers should already know how their program works, so they should be able to define one aspect of it.

Disclaimer: IANAL, but I've had my share of dealings with them.

Re:It has to be within the app?

[Bogtha]

She's supposedly been consulting with app developers, although not ones representative of the larger industry.

Tthis is what could happen if it had to be within the app:

• Receive letter requiring a policy in your app within 30 days.
• Shit, we outsourced this (common because mobile developers are few and far between).
• Pay for changing the design to include a button to show the policy.
• Pay for a developer to make the necessary changes.
• Shit, the developer we used has a full schedule, we have to find somebody else (again, common).
• Find a new developer.
• Get them up to speed on the project and get them to make the changes.
• Submit the update to Apple.
• Wait an unknown amount of time for it to be reviewed.
• Apple don't like something in your app. Maybe their policies changed, maybe a previous reviewer didn't catch something, maybe you've just got a bad reviewer.
• Go back to the designer and developer and pay for them to do more work, if feasible.
• Resubmit to Apple.
• Wait an unknown amount of time for it to be reviewed.

And you've got to fit that into 30 days. And that assumes the changes Apple requires you to make aren't fundamental to your business model or operation of the app. And that assumes only one round of alterations is required. And that assumes it's feasible for you to pay for expensive mobile developers.

Meanwhile, here's what it would be like if the policy only needs to appear in the App Store:

• Receive letter requiring a policy in your app within 30 days.
• Stick a policy online. It can be anywhere, even if you don't have a website, you can just sign up on Wordpress.com or something and post it there.
• Log into iTunes Connect and put the link into the privacy policy field.

Encourage them to standardize

[concealment]

This is a legal document, probably differing for every case, and the point in requiring it is to make developers take a hard look at what information they access and how they use it.

I disagree that it's going to be that different. If they need to list different data fields that will be retained, or change a length of time, they can edit the open-source document for their specific needs. But this gives them a template to work from which has all of the lawyerese perfected.

I can't agree that the document will differ in every case. In my experience, the differences will be slight, and thus having an open source document would encourage programmers to adopt a general standard (like a community rule) for how they're going to approach privacy issues.

The result would be a raising of the overall standard to that of the proposed document, which is why it's a good idea to have professionals write it and "promulgate" it.

Just Exclude California

[nickberry]

This just sounds like a really good reason to put in a data field for state when signing up for an app, and exclude Californians from use of the app, and explain to them because over burdening regulations our App is not available in your state, please contact the California Attorney Generals office for more information regarding these regulations. While there a lot of people in California, sometimes it's best to just avoid states or places where your work is not appreciated.

Re:It has to be within the app?

[Eraesr]

Actually, that isn't the biggest problem. Yeah sure, an in-app privacy policy is a problem for a developer, but I'm sure that if you've submitted your app to the appstore within the 30 day limit and it's denied by Apple because of a different reason, a judge will probably take that into account when deciding on that issue.

No, a much bigger issue in the difference between in-app or an in-store privacy policy is for the consumer. If the privacy policy is in the store, you can read it and assess it before downloading and installing the app. If you don't like the privacy policy, then don't download and install the app. If it's an in-app document or link, then you have to download, install, run, possibly even create an account an login all before you get to see the privacy policy. By that time, the app has probably already completely sucked all personal information out of your phone and submitted it to the app owner.

Same with a EULA that's presented to you when you install a piece of software on your PC. That EULA is presented to you after you've bought the software. So if you don't agree with the EULA, then I'm pretty sure the seller is forced to completely refund the software to you. It's basically the same thing as buying a bread from the baker and after paying, the baker says that you are only allowed to eat the bread at home, and only if don't put any meat on it.

The AG is simply right...

[vikingpower]

...and doing nothing more than his or her job: to ensure that the state enforces that which by law it must enforce. Period.

Re:Open source privacy policy

[fustakrakich]

...why didn't the AG attach a sample privacy policy and open source it so that developers can use it?

Because the real intention here is to put small independent developers with their 'disruptive' technology who can't afford a gaggle of lawyers out of business. The whole idea of a 'privacy policy' can be nothing more than a jobs program for the legal profession. It is impossible to enforce such nonsense.