Earlier this month, California Attorney General Kamala D. Harris issued privacy guidelines for mobile app developers and other companies in the mobile industry to better protect consumers. The new guidelines are part of the State's Privacy Enforcement and Protection Unit. Why the California AG developed these guidelines:
And, experts expect millions of consumers will be affected by mobile threats and mobile malware. This is not a surprise since mobile devices uniquely combine several types of valuable information on a single computer: personal and business email, business documents, personal and business contacts, calling history, text messages, passwords for social networking sites, video, photos, audio, browser history, app history, and your GPS locations by date and time.
The general guidelines:
"For App Developers:
1. Start with a data checklist to review the personally identifiable data your app could collect and use it to make decisions on your privacy practices.
2. Avoid or limit collecting personally identifiable data not needed for your app's basic functionality.
4. Use enhanced measures -- "special notices" or the combination of a short privacy statement and privacy controls -- to draw users' attention to data practices that may be unexpected and to enable them to make meaningful choices.
For App Platform Providers:
1. Make app privacy policies accessible from the app platform so that they may be reviewed before a user downloads an app.
2. Use the platform to educate users on mobile privacy.
For Mobile Ad Networks:
1. Avoid using out-of-app ads that are delivered by modifying browser settings or placing icons on the mobile desktop.
3. Move away from the use of interchangeable device-specific identifiers and transition to app-specific or temporary device identifiers.
For Operating System Developers:
Develop global privacy settings that allow users to control the data and device features accessible to apps.
For Mobile carriers:
Leverage your ongoing relationship with mobile customers to educate them on mobile privacy and particularly on children's privacy."
For each general guideline, the document contains specifics. California led the nation with data breach notification laws to inform and protect consumers. The new guidelines, while not legally binding, are consistent with this leadership.
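As an added illustration of the ad-network guideline above (app-specific or temporary identifiers in place of interchangeable device-specific ones), the following Python is not part of the AG's report or any vendor's SDK; the hardware ID, app names, in-memory storage dictionary and injected clock are constructed stand-ins.

```python
"""App-scoped, time-limited identifiers versus a device-wide hardware ID."""
import uuid

# Constructed sample: a device-wide identifier every app on the phone can read.
CONSTRUCTED_HARDWARE_ID = "IMEI-356938035643809"


def device_identifier(app_name: str) -> str:
    """Interchangeable device-specific identifier: same value whichever app asks."""
    return CONSTRUCTED_HARDWARE_ID


class AppScopedIdentifier:
    """Random identifier created per app install and regenerated after `ttl` seconds.

    `storage` stands in for the app's private storage; `clock` is injected so the
    expiry can be exercised deterministically (both are assumptions of this example).
    """

    def __init__(self, storage: dict, clock, ttl: float = 30 * 24 * 3600):
        self.storage, self.clock, self.ttl = storage, clock, ttl

    def get(self) -> str:
        now = self.clock()
        issued = self.storage.get("issued_at")
        if issued is None or now - issued >= self.ttl:
            self.storage["id"] = str(uuid.uuid4())  # unrelated to the hardware ID
            self.storage["issued_at"] = now
        return self.storage["id"]

    def reset(self) -> None:
        """User-initiated reset, the equivalent of clearing an ad identifier."""
        self.storage.clear()


def linkable(id_a: str, id_b: str) -> bool:
    """Two ad-network records can be joined only if their identifiers match."""
    return id_a == id_b


def demo():
    # Two unrelated apps on the same device, each reporting to an ad network.
    hw_linkable = linkable(device_identifier("weather"), device_identifier("games"))

    t = [0.0]  # fake clock, advanced by hand
    weather = AppScopedIdentifier({}, lambda: t[0], ttl=10)
    games = AppScopedIdentifier({}, lambda: t[0], ttl=10)
    cross_app = linkable(weather.get(), games.get())  # different apps: no join

    first = weather.get()
    t[0] = 5.0
    same_window = weather.get() == first  # stable inside the validity window
    t[0] = 20.0
    after_expiry = weather.get() == first  # rotated once the window has passed
    return hw_linkable, cross_app, same_window, after_expiry
```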
Items I hoped the guidelines would have contained, but didn't:
- Don't build apps that upload consumers' entire address books. You don't need all of their information. You may want it, but you don't need it. A small portion of their contacts use your app.
- Data plan consumption estimates. Auto manufacturers provide consumers with mileage estimates (e.g., city, highway) for their products. App developers should provide similar estimates (e.g., low use, high use) if their apps are bandwidth hogs or operate frequently in the background.
- Use plain English whenever possible for privacy statements and terms of usage statements.
- Streamline and consolidate privacy statements whenever possible. Currently, consumers must read and wade through at least six privacy statements.
- Be transparent and explicit about how you treat metadata with documents, videos, and photos. Consumers have a right to know what metadata elements you use, delete, and add to their assets.
- Be transparent and explicit with the list of affiliates or partners you share consumers' personal information with. That includes cloud vendors.
- Be explicit about the assistance (if any) you provide users when your app is hacked, or when the transaction flow that supports your app is hacked.
- For additional services, consumers must opt in and register. Don't auto-include consumers.
- Guidelines for banks. Some banks develop apps and are covered. Others are part of the transaction flow that enables the app (e.g., payments).
Download the "Privacy On The Go" report (Adobe PDF, 2.27 Mbytes) by the California Attorney General.