The Attorney General of California (“AG”) released a Joint Statement of Principles (“Joint Statement“) among itself and Amazon.com Inc., Apple Inc., Google Inc., Hewlett-Packard Company, Research In Motion Limited and other companies (collectively the “Mobile App Market Companies”) describing the terms of a settlement relating to the AG’s review of mobile application marketplace privacy protections.
The Joint Statement resulted from the AG’s collaborative review of mobile application compliance with the California Online Privacy Protection Act (“Act”) and the AG’s opinion that the Act “requires mobile applications that collect personal data from California consumers to conspicuously post a privacy policy.” The Joint Statement does not impose legal obligations, rather, is an effort between the Mobile App Market Companies and the AG to increase transparency and control over personal data in the mobile marketplace “without unduly burdening innovative mobile platforms and application developers.”
The Joint Statement generally sets forth the following:
- Where applicable law requires, a software application (“App”) collecting personal data must conspicuously post a privacy policy presenting clear and complete information regarding how personal data is collected, used and shared;
- Mobile App Market Companies will include either (a) an optional data field for a hyperlink to the App’s privacy policy or a statement describing the privacy practices or (b) an optional data field for the text of the App’s privacy policy or a statement describing the App’s information collection practices;
- Mobile App Market Companies will maintain a means for users to report App’s that do not comply with applicable terms of service and/or laws;
- Mobile App Market Companies will maintain a process for responding to reported instances of non-compliance with applicable terms of service and/or laws (without limiting law enforcement/regulatory rights to pursue actions); and
- Mobile App Market Companies will continue to work with the AG to develop best practices for mobile privacy in general and model mobile privacy policies in particular, and, within six months, will convene to evaluate privacy and education regarding mobile Apps.
In connection with the Joint Statement, the AG released a Mobile Applications and Mobile Privacy Fact Sheet which referenced a Wall Street Journal report stating “45 of the top 101 Apps did not provide privacy policies either inside the application or on the application developer’s website” despite 56 of the Apps transmitting unique identification information to third parties without consumer consent.
Although the Joint Statement isn’t legally binding, and applies only to California, mobile application providers should strategically reevaluate the transparency of their personal information collection practices and privacy policies since (a) conspicuous links to privacy policies at the time of purchase/installation may be interpreted as an affirmative obligation under the laws of other States and (b) CA (and its robust tech community) often serve as a thought leader providing legislation other states choose to implement.
