Confirmatory Opt-Out Text Messages Do Not Violate the TCPA

California AG Continues Focus on Mobile Privacy with New Best Practice Recommendations

Published On January 11, 2013 | By Melissa Maalouf | FTC & State AG, General, Privacy
TwitterLinkedInFacebookRedditCopy LinkEmailPrint

On January 10, California Attorney General Kamala Harris issued a report entitled “Privacy on the Go:  Recommendations for the Mobile Ecosystem.”  The report consists of recommended best practices for mobile app developers and other players in the mobile industry to protect consumer privacy.

As we previously reported, in early 2012 Harris signed an agreement with a number of mobile application platform downloading the app, in addition to having a consistent place from which to view an app’s privacy policy on the download screen for the app.  In July 2012, Harris created the Privacy Enforcement and Protection Unit, with the mission of protecting the right to privacy under the California Constitution.  In October 2012, Harris sent letters to approximately 100 mobile app developers and companies that she believed to be out of compliance with the California providers under which consumers will be afforded the opportunity to review an app’s privacy policy before Online Privacy Protection Act, giving the companies 30 days to post a mobile privacy policy.  And in December 2012, Harris filed a legal action against Delta Airlines for failure to post a privacy policy in violation of the Act.

The instant report, which was released after Harris received input from stakeholders throughout the mobile industry, is meant to serve as a template by which the mobile industry can develop mobile privacy policies and practices that are consumer-friendly, but that will not stifle innovation.  The report also urges the mobile industry to continue to increase transparency in its practices.

Underlying the report is the concept of what Harris refers to as “surprise minimization,” whereby all players in the mobile industry should work to implement privacy protections that ensure consumers are never surprised by data practices.  Some of the specific highlights of the best practices recommended by the report are as follows:

  • For app developers and mobile ad networks:
    • Utilize “privacy by design” techniques by starting with a data checklist for each new app to review the personal information collected by the app and to determine what privacy protections are needed;
    • Limit the collection of data not needed for an app’s basic functionality;
    • Develop a clear, accurate, and conspicuously accessible privacy policy; and
    • Use enhanced measures in addition to a privacy policy to draw users’ attention to data practices that may be unexpected (e.g., brief notices that appear when consumers take certain actions, just before data is collected, so they can opt not to proceed).
  • For app platform providers:
    • Make app privacy policies accessible from the platform so that users can review them before download; and
    • Use the platform to educate consumers about mobile privacy.
  • For mobile ad networks:
    • Avoid using out-of-app ads that are delivered by modifying browser settings or placing icons on the mobile desktop;
    • Maintain a privacy policy and provide it to the app developers that permit the ad network to deliver targeted ads through the apps; and
    • Transition away from the use of device identifiers for tracking and other purposes and instead, shift to app-specific or temporary device identifiers.
  • For operating system developers:
    • Develop global privacy standards (such as privacy icons that can be easily recognized by consumers) that allow users to control their data and the device features accessible to apps.
  • For mobile carriers:
    • Use your relationship with mobile customers to educate them about mobile privacy and in particular on children’s privacy issues.

Although the report consists solely of recommended “best practices,” given Harris’s focus on mobile privacy over the past year, mobile industry players who collect personal information from California residents should consider including relevant recommendations from the report in their apps and services.


About The Author

Melissa Maalouf’s practice focuses on advising a broad range of clients, from start-ups to established companies, on both U.S. and international data privacy and security issues. Melissa assists clients in drafting appropriate website disclosures, implementing legally-compliant e-commerce flows, responding to FTC Section 5 and state AG enforcement actions, analyzing advertising claims, and children’s online privacy and safety issues. She also regularly helps clients obtain certification under the EU-US Safe Harbor and navigate compliance with divergent international privacy laws.