Slashdot Mirror


California AG Gives App Developers 30 Days To Post Privacy Notice

Trailrunner7 writes "California Attorney General Kamala D. Harris today announced a crackdown on mobile application developers and companies that haven't posted privacy policies, at least where users can easily find them. The attorney general is giving recipients 30 days 'to conspicuously post a privacy policy within their app that informs users of what personally identifiable information about them is being collected and what will be done with that private information,' according to a prepared statement. A sample letter defines the issue at hand. 'An operator of a mobile application ("app") that uses the Internet to collect PII is an "online service" within the meaning of CalOPPA. An app's commercial operator must therefore conspicuously post its privacy policy in a means that is reasonably accessible to the consumer. Having a Web site with the applicable privacy policy conspicuously posted may be adequate, but only if a link to that Web site is "reasonably accessible" to the user within the app.'"

8 of 108 comments

  1. Open source privacy policy by concealment · Score: 5, Interesting

    Instead of attaching a sample compliance letter, why didn't the AG attach a sample privacy policy and open source it so that developers can use it?

    Pasting in a generic document is much more likely to happen than all those app developers running out and hiring lawyers, so she will either get lower compliance or shoddier privacy policies.

    Is it too much to ask that government take the lead in this case? I can't imagine it costs the AG anything, since that office hires a staff of lawyers.

    1. Re:Open source privacy policy by Sarten-X · Score: 4, Insightful

      Why didn't the AG attach a sample? Because it's a silly idea.

      This is a legal document, probably differing for every case, and the point in requiring it is to make developers take a hard look at what information they access and how they use it. Rubber-stamping a boilerplate lets developers say they have a privacy policy, but it doesn't actually encourage any increase in privacy until somebody's sued over it. Once that happens, there will be a few developers who think about privacy, but most won't even know the case happened.

      Like most legal documents, you usually don't actually need a lawyer to write it. You may need a lawyer to make it bulletproof against other lawyers, but any statement is enough. You could drop in a note saying "This app doesn't intentionally collect any personally-identifiable information, and doesn't contact external services" and probably satisfy the needs of the law, assuming it's accurate. In the event of a lawsuit, though, that statement would cause a little trouble (and open up room for opposing lawyers to argue), because it doesn't define "personally-identifiable" or "external" adequately. Does a game ask for a name for a high-score list? Does it send usage reports or download updates from a developer's server?

      A lawyer could enumerate all the things the app does and doesn't do, in absolutely clear language, so there's no question where users' data goes, but for many apps (especially for those made without the intent of profit) that's unnecessary. Developers should already know how their program works, so they should be able to define one aspect of it.

      Disclaimer: IANAL, but I've had my share of dealings with them.

      --
      You do not have a moral or legal right to do absolutely anything you want.

    2. Re:Open source privacy policy by fustakrakich · Score: 4, Insightful

      ...why didn't the AG attach a sample privacy policy and open source it so that developers can use it?

      Because the real intention here is to put small independent developers with their 'disruptive' technology who can't afford a gaggle of lawyers out of business. The whole idea of a 'privacy policy' can be nothing more than a jobs program for the legal profession. It is impossible to enforce such nonsense.

      --
      “He’s not deformed, he’s just drunk!”

    3. Re:Open source privacy policy by bmo · Score: 4, Informative

      Because the real intention here is to put small independent developers with their 'disruptive' technology who can't afford a gaggle of lawyers out of business.

      Bullshit. It's not a conspiracy. This is an issue everyone in the 80s running single-line BBSes had to deal with. The ECPA became law 24 years ago. The California AG's message should not surprise you.

      Copy someone else's privacy policy. It's what lawyers do anyway. You think they actually work at this stuff? It's all boilerplate.

      You can say "we do not collect any user data" and make sure your program doesn't phone home, or disclaim all privacy whatsoever and hope nobody actually reads your privacy policy. Copy Facebook's privacy policy if you want to be evil. They bury the "we own everything you post" in language that you and I can understand but not 90 percent of users.

      And at the end of it, say "we reserve the right to change this policy in the future" to further cover your ass.

      It's not hard if you're honest and up front. It's only hard if you want to deceive users. That's where the tricky language comes in.

      --
      BMO

  2. Only 30 days? by Manfre · Score: 5, Funny

    With only 30 days to get a policy written and added to the app, I guess that means that most iPhone apps will not be able to comply.

  3. It has to be within the app? by Bogtha · Score: 4, Informative

    The article contradicts itself. Early in the article, it states that the policy has to be within the app, then later on, it says it has to be in the App Store. There's a huge difference between the two in what it means for app publishers.

    --
    Bogtha Bogtha Bogtha

  4. Is this guy serious? by SuperMooCow · Score: 5, Interesting

    Does this guy expect app developers from other states to comply with the laws of California? What about developers from other countries?

  5. Encourage them to standardize by concealment · Score: 4, Insightful

    This is a legal document, probably differing for every case, and the point in requiring it is to make developers take a hard look at what information they access and how they use it.

    I disagree that it's going to be that different. If they need to list different data fields that will be retained, or change a length of time, they can edit the open-source document for their specific needs. But this gives them a template to work from which has all of the lawyerese perfected.

    I can't agree that the document will differ in every case. In my experience, the differences will be slight, and thus having an open source document would encourage programmers to adopt a general standard (like a community rule) for how they're going to approach privacy issues.

    The result would be a raising of the overall standard to that of the proposed document, which is why it's a good idea to have professionals write it and "promulgate" it.