California Attorney General Releases Privacy Guidelines for App Developers

Today, California Attorney General (AG) Kamala Harris released Privacy on the Go, a 22-page report that contains privacy guidelines for all stakeholders in the mobile ecosystem. Prepared by the AG’s Privacy Enforcement and Protection Unit, the guidelines do not supplant or supplement existing California privacy laws, such as the California Online Privacy Protection Act, but are meant to encourage all players in the mobile industry to consider privacy implications at the outset of the design process.

The key principles of the guidelines include: transparency about data practices; limits on the collection and retention of data; meaningful choices for users; security; and accountability of all industry stakeholders for user privacy. As part of these principles, the guidelines encourage a “surprise minimization” approach that includes adding enhanced measures to an app’s general privacy policy to alert users and give them control over data practices that are not related to an app’s basic functions or that involve sensitive information.

The guidelines contain specific recommendations for app developers, app platform providers, mobile ad networks, operating system developers and mobile carriers. The majority of the guidelines, however, are applicable to app developers, and include the following recommendations:

  • Use a checklist to consider the types of data your app could access or collect and use it to make decisions on your privacy practices;
     
  • Be transparent by making your privacy practices available to users before the app is downloaded and inform users what data is collected;
     
  • Use enhanced measures to draw users’ attention to data practices that may be unexpected or that involve sensitive information;
     
  • Keep your privacy policy up-to-date so that it reflects your actual data-handling practices;
     
  • Avoid or minimize the collection of personally identifiable data for uses not related to your app’s basic functionality, and limit the retention of such data to the period necessary to support the intended function or to meet legal requirements;
     
  • Be aware of additional obligations under the Children’s Online Privacy Protection Act if your app is directed to children under the age of 13 or if you know that you are collecting personal information from children under the age of 13;
     
  • Make your privacy policy conspicuously accessible and easy to read on mobile devices.
     

According to AG Harris, these guidelines are intended to “encourage the alignment of architectural and functional decisions” with widely accepted Fair Information Practice Principles that form the basis for many privacy codes and laws in different parts of the world, including federal and California law. A copy of Privacy on the Go can be found here.
