Slashdot Mirror


California AG Gives App Developers 30 Days To Post Privacy Notice

Trailrunner7 writes "California Attorney General Kamala D. Harris today announced a crackdown on mobile application developers and companies that haven't posted privacy policies, at least where users can easily find them. The attorney general is giving recipients 30 days 'to conspicuously post a privacy policy within their app that informs users of what personally identifiable information about them is being collected and what will be done with that private information,' according to a prepared statement. A sample letter defines the issue at hand. 'An operator of a mobile application ("app") that uses the Internet to collect PII is an "online service" within the meaning of CalOPPA. An app's commercial operator must therefore conspicuously post its privacy policy in a means that is reasonably accessible to the consumer. Having a Web site with the applicable privacy policy conspicuously posted may be adequate, but only if a link to that Web site is "reasonably accessible" to the user within the app.'"

33 of 108 comments

  1. Mobile by Nerdfest · Score: 2

    Why treat mobile apps as a special case? All software applications, client-side or web based should be treated the same way.

    1. Re:Mobile by demonbug · Score: 3, Informative

      Why treat mobile apps as a special case? All software applications, client-side or web based should be treated the same way.

      They aren't treated as special cases. The rules apply to any online applications, which includes pretty much all mobile apps. It's just that mobile app makers have been very poor at following the rules, likely because so many of them are small fly-by-night companies that don't have a legal department telling them what they are supposed to be doing. So 100 companies get notices that they need to have privacy policies posted, it gets splashed all over the news, and hopefully this will wake the others up to the fact that they need to be doing this just like the big boys.

  2. Open source privacy policy by concealment · Score: 5, Interesting

    Instead of attaching a sample compliance letter, why didn't the AG attach a sample privacy policy and open source it so that developers can use it?

    Pasting in a generic document is much more likely to happen than all those app developers running out and hiring lawyers, so she will either get lower compliance or shoddier privacy policies.

    Is it too much to ask that government take the lead in this case? I can't imagine it costs the AG anything, since that office hires a staff of lawyers.

    1. Re:Open source privacy policy by emj · Score: 2

      What's needed is something like that "Terms of Service; Didn't Read" site, with easy bullet points telling you just how evil this app is. Sure, ToS and privacy policies aren't exactly the same thing. This was discussed on Slashdot last week.

    2. Re:Open source privacy policy by jasper160 · Score: 2

      Bureaucrats are incredibly lazy.

      --
      No good deed goes unpunished.
    3. Re:Open source privacy policy by Sarten-X · Score: 4, Insightful

      Why didn't the AG attach a sample? Because it's a silly idea.

      This is a legal document, probably differing for every case, and the point in requiring it is to make developers take a hard look at what information they access and how they use it. Rubber-stamping a boilerplate lets developers say they have a privacy policy, but it doesn't actually encourage any increase in privacy until somebody's sued over it. Once that happens, there will be a few developers who think about privacy, but most won't even know the case happened.

      Like most legal documents, you usually don't actually need a lawyer to write it. You may need a lawyer to make it bulletproof against other lawyers, but any statement is enough. You could drop in a note saying "This app doesn't intentionally collect any personally-identifiable information, and doesn't contact external services" and probably satisfy the needs of the law, assuming it's accurate. In the event of a lawsuit, though, that statement would cause a little trouble (and open up room for opposing lawyers to argue), because it doesn't define "personally-identifiable" or "external" adequately. Does a game ask for a name for a high-score list? Does it send usage reports or download updates from a developer's server?

      A lawyer could enumerate all the things the app does and doesn't do, in absolutely clear language, so there's no question where users' data goes, but for many apps (especially for those made without the intent of profit) that's unnecessary. Developers should already know how their program works, so they should be able to define one aspect of it.

      Disclaimer: IANAL, but I've had my share of dealings with them.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    4. Re:Open source privacy policy by Dog-Cow · Score: 2

      Not to mention, but how exactly do you enumerate all the things your app doesn't do?

    5. Re:Open source privacy policy by Bogtha · Score: 3, Interesting

      This is a legal document, probably differing for every case, and the point in requiring it is to make developers take a hard look at what information they access and how they use it. Rubber-stamping a boilerplate lets developers say they have a privacy policy, but it doesn't actually encourage any increase in privacy until somebody's sued over it.

      This happens anyway. I have to fight this battle every time I build an app that collects personal information. Every single time in four years of developing apps, I have been provided with the privacy policy for their website, which specifically describes things that are only applicable to their website and doesn't account for their mobile app at all. I've got a current project hanging at the moment where we've chased them for a real privacy policy about half a dozen times. The rest of the app is finished; we're still waiting for the privacy policy, weeks later. If it wasn't for us insisting, the app would be live with a meaningless privacy policy they don't follow, and I'm certain other app developers aren't as insistent as us.

      --
      Bogtha Bogtha Bogtha
    6. Re:Open source privacy policy by Sarten-X · Score: 2

      "No other personal information is collected" or other similar wordings will do nicely. If there's something that you know your app will never try to do, it can be listed as a reassuring gesture to the user.

      By the way, the link in your signature is broken.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    7. Re:Open source privacy policy by fustakrakich · Score: 4, Insightful

      ...why didn't the AG attach a sample privacy policy and open source it so that developers can use it?

      Because the real intention here is to put small independent developers with their 'disruptive' technology who can't afford a gaggle of lawyers out of business. The whole idea of a 'privacy policy' can be nothing more than a jobs program for the legal profession. It is impossible to enforce such nonsense.

      --
      “He’s not deformed, he’s just drunk!”
    8. Re:Open source privacy policy by Sarten-X · Score: 2

      The reader's lack of education is not the author's fault.

      My opinion is that the problem of "legalese" stems not from obtuse writing, but rather from the lack of adequate reading comprehension skills in today's society. As printed language has become more common, literature has followed the common grammar into a more casual (but imprecise) tone. Schools, in appealing to modern culture, require less reading of older works in favor of modern literature. Where once a student would read The Canterbury Tales or Moby Dick, they now read Harry Potter or Twilight. While modern literature still explores the same questions and themes as the antique works (therefore being valid for a literature class), the language uses common connotations, so the imprecision goes unnoticed.

      As a result, English (and indeed, many others) continues its transformation into a common tongue of simplicity, while documents written in a precise form with a wider vocabulary are regarded as being a different language altogether, that many now call Legalese.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    9. Re:Open source privacy policy by bmo · Score: 4, Informative

      Because the real intention here is to put small independent developers with their 'disruptive' technology who can't afford a gaggle of lawyers out of business.

      Bullshit. It's not a conspiracy. This is an issue everyone in the 80s running single-line BBSes had to deal with. The ECPA became law 24 years ago. The California AG's message should not surprise you.

      Copy someone else's privacy policy. It's what lawyers do anyway. You think they actually work at this stuff? It's all boilerplate.

      You can say "we do not collect any user data" and make sure your program doesn't phone home, or disclaim all privacy whatsoever and hope nobody actually reads your privacy policy. Copy Facebook's privacy policy if you want to be evil. They bury the "we own everything you post" in language that you and I can understand but not 90 percent of users.

      And at the end of it, say "we reserve the right to change this policy in the future" to further cover your ass.

      It's not hard if you're honest and up front. It's only hard if you want to deceive users. That's where the tricky language comes in.

      --
      BMO

    10. Re:Open source privacy policy by geekoid · Score: 2

      Because not all apps will have the same privacy policy. The compliance letter is standard fare.

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    11. Re:Open source privacy policy by bmo · Score: 2

      Where once a student would read The Canterbury Tales or Moby Dick, they now read Harry Potter or Twilight.
      that many now call Legalese.

      Legalese is not prose or poetry. It is not Chaucer, Shakespeare, Emerson, or Auster. It is closer to math than prose. While literary English hinges on "deeper meaning," legal English hinges on the logical operators "and", "or", "not" and "nor", and on punctuation. A single "and" instead of an "or" or "not" can change the entire meaning of a contract. Well-written legal documents are concise and unambiguous. Prose and poetry are "good" if the reader can read his own opinions into what is written; plain prose is devalued. Due to all this, it is extremely easy to write a legal document that looks like "Episode 18 - Penelope", and it is incumbent upon the author (a lawyer in this case) to break it down into sensible chunks if one is trying to be unambiguous.

      Unfortunately for many people, there are a lot of lawyers who don't know how to do that last bit, and teaching people Chaucer does not prepare them for legal English or how legal English is abused by lawyers.

      Literary English and legal English are two completely different languages separated by a common vocabulary.

      --
      BMO

      P.S. Yes, I did group Paul Auster in there with Shakespeare. Deal with it.
      P.P.S. You claim that the classics are no longer taught. This is clearly not the case. High school students are still subjected to the mind-numbing desiccated analysis of Shakespeare and Melville, thus turning many off to classics forever and into the welcoming arms of J.K. Rowling, if they haven't given up on reading altogether.

  3. Only 30 days? by Manfre · Score: 5, Funny

    With only 30 days to get a policy written and added to the app, I guess that means that most iPhone apps will not be able to comply.

  4. We ownz you by Opportunist · Score: 2

    Don't like it? Stop using the app you paid for!

    No refunds. Sucks to be you.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. It has to be within the app? by Bogtha · Score: 4, Informative

    The article contradicts itself. Early in the article, it states that the policy has to be within the app, then later on, it says it has to be in the App Store. There's a huge difference between the two in what it means for app publishers.

    --
    Bogtha Bogtha Bogtha
    1. Re:It has to be within the app? by Joehonkie · Score: 3, Insightful

      Is it a difference a politician can even appreciate? I doubt it.

    2. Re:It has to be within the app? by Bogtha · Score: 3, Insightful

      She's supposedly been consulting with app developers, although not ones representative of the larger industry.

      This is what could happen if it had to be within the app:

      • Receive letter requiring a policy in your app within 30 days.
      • Shit, we outsourced this (common because mobile developers are few and far between).
      • Pay for changing the design to include a button to show the policy.
      • Pay for a developer to make the necessary changes.
      • Shit, the developer we used has a full schedule, we have to find somebody else (again, common).
      • Find a new developer.
      • Get them up to speed on the project and get them to make the changes.
      • Submit the update to Apple.
      • Wait an unknown amount of time for it to be reviewed.
      • Apple don't like something in your app. Maybe their policies changed, maybe a previous reviewer didn't catch something, maybe you've just got a bad reviewer.
      • Go back to the designer and developer and pay for them to do more work, if feasible.
      • Resubmit to Apple.
      • Wait an unknown amount of time for it to be reviewed.

      And you've got to fit that into 30 days. And that assumes the changes Apple requires you to make aren't fundamental to your business model or operation of the app. And that assumes only one round of alterations is required. And that assumes it's feasible for you to pay for expensive mobile developers.

      Meanwhile, here's what it would be like if the policy only needs to appear in the App Store:

      • Receive letter requiring a policy in your app within 30 days.
      • Stick a policy online. It can be anywhere, even if you don't have a website, you can just sign up on Wordpress.com or something and post it there.
      • Log into iTunes Connect and put the link into the privacy policy field.
      --
      Bogtha Bogtha Bogtha
    3. Re:It has to be within the app? by Eraesr · Score: 3, Insightful

      Actually, that isn't the biggest problem. Yeah sure, an in-app privacy policy is a problem for a developer, but I'm sure that if you've submitted your app to the appstore within the 30 day limit and it's denied by Apple because of a different reason, a judge will probably take that into account when deciding on that issue.

      No, a much bigger issue in the difference between an in-app or an in-store privacy policy is for the consumer. If the privacy policy is in the store, you can read it and assess it before downloading and installing the app. If you don't like the privacy policy, then don't download and install the app. If it's an in-app document or link, then you have to download, install, run, and possibly even create an account and log in, all before you get to see the privacy policy. By that time, the app has probably already completely sucked all personal information out of your phone and submitted it to the app owner.

      Same with a EULA that's presented to you when you install a piece of software on your PC. That EULA is presented to you after you've bought the software. So if you don't agree with the EULA, then I'm pretty sure the seller is forced to completely refund the software to you. It's basically the same thing as buying a loaf of bread from the baker and, after paying, the baker says that you are only allowed to eat the bread at home, and only if you don't put any meat on it.

  6. Is this guy serious? by SuperMooCow · Score: 5, Interesting

    Does this guy expect app developers from other states to comply with the laws of California? What about developers from other countries?

    1. Re:Is this guy serious? by guttentag · Score: 2

      Does this guy expect app developers from other states to comply with the laws of California? What about developers from other countries?

      People can be forgiven for not realizing Kamala Harris is African American and Asian American, but she's definitely not a guy.

    2. Re:Is this guy serious? by geekoid · Score: 2

      If you want to sell your product in California, then yes.

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  7. Encourage them to standardize by concealment · Score: 4, Insightful

    This is a legal document, probably differing for every case, and the point in requiring it is to make developers take a hard look at what information they access and how they use it.

    I disagree that it's going to be that different. If they need to list different data fields that will be retained, or change a length of time, they can edit the open-source document for their specific needs. But this gives them a template to work from which has all of the lawyerese perfected.

    I can't agree that the document will differ in every case. In my experience, the differences will be slight, and thus having an open source document would encourage programmers to adopt a general standard (like a community rule) for how they're going to approach privacy issues.

    The result would be a raising of the overall standard to that of the proposed document, which is why it's a good idea to have professionals write it and "promulgate" it.

    1. Re:Encourage them to standardize by Sarten-X · Score: 3, Interesting

      A privacy policy shouldn't just be a checkbox on a compliance procedure. Like any policy, it should only be the result of careful consideration. Yes, eventually many developers will come to broadly the same conclusions, but the process of writing (and verifying) the policy conveys the importance it should have. The privacy policy is effectively a promise of what your app will or won't do, and if that promise is made just to save time, it likely won't mean anything to the person making it.

      Sure, there could be a Creative Commons-like system, where developers pick and choose what options they include. My concern is that by having an easy-to-make policy, the policy is also easy to forget. When a later version adds a new feature or advertisements, how likely is it that the long-forgotten privacy policy will be updated to match? If a legally-bulletproof blanket-permission policy can be made cheaply and easily, why not just apply that to all apps, regardless of the actual capabilities of the program?

      --
      You do not have a moral or legal right to do absolutely anything you want.
  8. The PowerPoint Effect may be lies by concealment · Score: 2

    There's a lot of pushback against bullet points, with people talking about "The PowerPoint effect," where somehow reading a lot of bullet points turns ordinary people into morons. I'm with you -- I think whatever works to make the simplest and clearest communication is best. Going to the level of memes might be taking it too far, but no one's suggested that yet, thankfully.

  9. Just Exclude California by nickberry · Score: 3, Insightful

    This just sounds like a really good reason to put in a data field for state when signing up for an app, exclude Californians from use of the app, and explain to them that because of overburdening regulations our app is not available in your state; please contact the California Attorney General's office for more information regarding these regulations. While there are a lot of people in California, sometimes it's best to just avoid states or places where your work is not appreciated.

    1. Re:Just Exclude California by geekoid · Score: 2

      Yes, because no one wants to tap a market that huge.

      "because over burdening regulations"
      Yes, telling them they have to post their privacy policy where the consumer can reasonably get to it is so overburdening~

      "avoid states or places where your work is not appreciated."
      There is no rule that people need to appreciate your work, so get over it.

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  10. The AG is simply right... by vikingpower · Score: 3, Insightful

    ...and doing nothing more than his or her job: to ensure that the state enforces that which by law it must enforce. Period.

    --
    Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
    1. Re:The AG is simply right... by Attila+Dimedici · Score: 2

      This is correct. It is a law which I do not see any way for them to constitutionally enforce on developers who operate out of another state (let alone another country). Although I suspect that the state legislature could have written something into the law forcing the App Store to remove any app which is in violation of the law (assuming the company that runs the App Store is based in CA).

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    2. Re:The AG is simply right... by AuMatar · Score: 2

      Unless they're selling to someone who lives in California. In which case the sale is governed by California law. Now if the developers said CA residents can't buy it (and are not themselves CA residents) then they can ignore this.

      --
      I still have more fans than freaks. WTF is wrong with you people?
  11. Yeahletmethinkaboutthathowaboutno? by pla · Score: 2

    Dear California Attorney General Kamala D. Harris:

    Go pound sand.

    Sincerely,
    Someone who doesn't live in California.

  12. Let's see by SmallFurryCreature · Score: 3, Funny
    • There's a lot of pushback against bullet points:
      • people talking about "The PowerPoint effect,"
      • where somehow reading a lot of bullet points turns ordinary people into morons.
    • I'm with you --
      • I think whatever works to make the simplest
      • clearest communication is best.
    • Going to the level of memes might be taking it too far, but no one's suggested that yet, thankfully.
    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.