In recent months, there have been notable developments involving privacy for mobile applications ("apps"), a number of which have important implications for app developers, distributors and marketers. On February 22, the California Attorney General announced an agreement, developed with Apple, Google, Microsoft and three other mobile platform companies, that effectively establishes nationwide, enforceable standard privacy policies for mobile apps. A day later, the White House announced its proposal for a Consumer Privacy Bill of Rights as part of a framework for regulating how private-sector entities handle personal data in commercial transactions involving networked technology.1

Both of these initiatives are intended to strengthen consumer data privacy protections in Internet and mobile device commercial transactions. The California AG's agreement with the mobile platform companies is particularly timely. In recent weeks, the app industry has faced significant criticism over its handling of consumer privacy. First, a blogger discovered that an app for the social network Path had uploaded his contacts from his mobile phone without his permission. Shortly thereafter, photo-sharing service Hipster admitted uploading users' contacts and then Twitter acknowledged copying the content of users' address books from their mobile phones and storing the information on its servers.

In a digital economy where mobile apps are downloaded at a rate of two billion per month, where, according to the research company Gartner, worldwide mobile app sales are expected to grow to at least $25 billion by 2015, and where most apps available today do not even have privacy policies, these recent developments will certainly have an effect on future legislation and industry standards.

Consumer Privacy Bill of Rights

The Obama administration's proposal for a Consumer Privacy Bill of Rights ("CPBR"), which was released as part of its white paper, "Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy," is intended to give users more control over how their personal information is used in commercial transactions. This framework is directed, among other technologies, at mobile apps, which are capable of copying sensitive information from mobile devices, including device identification numbers, email addresses, location, personal contacts, texts, calendar entries and photos.

The CPBR contains seven core principles relating to all commercial uses of personal data. Under the CPBR, "personal data" is defined broadly as any data, including aggregations of data, that can be linked to a specific individual or specific device. As an example, the CPBR provides that "an identifier on a smartphone or family computer that is used to build a usage profile is personal data."

Seven Principles of the Consumer Privacy Bill of Rights

The CPBR adopts seven general principles as a guide for future rule-making and legislation. These principles are summarized below:

  1. "Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it." When companies collect personal data from consumers, they should present choices to the consumer "about data sharing, collection, use, and disclosure that are appropriate for the scale, scope, and sensitivity of personal data in question," including the ability to withdraw or to limit consent to share and collect such data.
  1. "Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices." Mobile apps, which are accessed on mobile devices, will need to present mobile consumers with the most relevant information about what personal data is shared, used and collected in a way that takes into account the small screens and privacy risks that are specific to mobile devices.
  1. "Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data." If companies will use or disclose personal data for purposes other than those that are consistent with their relationship with the consumer or for which the information was originally disclosed, then they should inform consumers and get their consent before the personal data is collected or before the company seeks to use already-collected data for different purposes.
  1. "Security: Consumers have a right to secure and responsible handling of personal data." Companies that collect and keep personal data are required to keep such data secure. For example, data should be encrypted when moving data between a mobile phone and server.
  1. "Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate." Not only should companies that handle personal data ensure that the consumer data that they maintain is current and accurate, but they should give consumers reasonable access to the data collected about them and the ability and opportunity to correct inaccurate data or request its deletion or limitation of use.
  1. "Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain." Companies should only collect personal data that they need in order to accomplish the specific purpose for which the data was originally collected. App developers should take into account data and features unique to mobile devices, such as location data and the contents and metadata from phone calls and text messages, and limit access to only the data that is relevant for the app's intended functionality.
  1. "Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights." Companies should train employees to handle personal data appropriately; evaluate and, if appropriate, audit companies' treatment of personal data; and enter into contracts or other legally enforceable instruments requiring third parties to handle personal data appropriately.

Enforcement of the Consumer Privacy Bill of Rights

For now, the CPBR is a framework and does not include enforceable rules, but the Obama administration is pursuing implementation through legislation and a multi-stakeholder rule-making process and is seeking enforcement through the Federal Trade Commission ("FTC").

The administration's intent of legislating the CPBR is to provide a comprehensive federal standard applicable to all personal data used or disclosed in private sector commercial transactions. Currently, much of the personal data used, shared and collected on the Internet or through mobile devices and technology are subject to federal privacy statutes that regulate specific sectors, such as healthcare, education, communications, financial services and data collection involving children. In implementing the CPBR through legislation, the Obama administration does not intend to modify these existing federal privacy statutes, but instead intends to supplement them with the CPBR legislation and extend privacy regulations to those entities not covered by the existing statutes.

The multi-stakeholder process, intended to include such players as state Attorneys General, law enforcement representatives, individual companies, industry groups, privacy advocates, international partners and other groups, is expected to ultimately produce codes of conduct that implement the seven principles of the CPBR, which companies may choose to adopt voluntarily. It is expected that a company's public commitment to adhere to a code of conduct will become enforceable under Section 5 of the Federal Trade Commission Act (prevention of deceptive acts or practices), similar to how companies are bound to follow their privacy policies.

In addition, the Obama administration supports further legislation that provides the FTC (and state Attorneys General) with specific authority to enforce the CPBR. It supports giving the FTC explicit authority to review companies' codes of conduct against the CPBR legislation and to grant a safe harbor from enforcement of the CPBR legislation to companies that follow a code of conduct that the FTC has reviewed and approved. If a company does not adopt a code of conduct, or chooses not to seek FTC review of a code that it chooses to adopt, then it will be subject to the requirements of the legislatively adopted CPBR.

California Online Privacy Protection Act

The recent joint statement of principles ("Joint Statement") issued by the California AG along with Amazon, Apple, Google, Hewlett-Packard, Microsoft and RIM (collectively, the "Mobile Apps Market Companies") is significant for stakeholders in the app industry. It requires the Mobile Apps Market Companies to conspicuously post, for mobile apps available in their stores, a privacy policy describing the app's privacy practices and how personal data is collected, used and shared. It also commits the Mobile Apps Market Companies to bring the industry in line with the Business and Professions Code Section 22575 of the California Online Privacy Protection Act ("CalOPPA").

This section of CalOPPA, operative since July 2004, requires that "an operator of a commercial web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial web site or online service shall conspicuously post its privacy policy." Under CalOPPA, the operator, as defined above, must detail the categories of information collected by the online service, the dates the policy takes effect, how the website will notify users about changes to the policy, and what processes a user has to review or request changes to any of his or her personally identifiable information that is collected through the website or online service.

The California AG believes, regardless of the Joint Statement, that this section of CalOPPA applies to mobile apps and requires them to have privacy policies. The majority of mobile apps do not. In fact, a TrustE and Harris Interactive study found that only 5% percent of all mobile apps have privacy policies. With the requirements of CalOPPA applicable to mobile apps, it appears, given the virtual nature of the product and the technology, that all mobile app providers will have to comply with CalOPPA, with the Joint Statement effectively establishing a nationwide standard for mobile app privacy policies.

The Joint Statement sets forth additional principles. It requires the Mobile Apps Market Companies to include in their application submission process for new or updated apps either a hyperlink to the app's privacy policy or the text of the app's privacy policy. Also, the Mobile Apps Market Companies are required to put in place a process for users to report to them if apps on their platform do not comply with applicable terms of service and/or laws, as well as a process for responding to reported instances of non-compliance. Finally, the Mobile App Market Companies must continue to work with the California Attorney General to develop best practices for mobile privacy and model privacy policies, and meet within six months to evaluate privacy in the mobile space and educational programs regarding mobile privacy.

Conclusion

The proposal for a Consumer Privacy Bill of Rights and the developments involving CalOPPA present legal and commercial implications for all companies involved in the mobile app industry, as well as for consumers who download or use apps. All stakeholders in the industry should consider the privacy ramifications of the technology involved and proactively incorporate privacy protections into the design and use of apps.

Footnotes

1. The FTC also recently issued a report on mobile apps for children, a topic covered in our March 27, 2012 Client Alert

Goodwin Procter LLP is one of the nation's leading law firms, with a team of 700 attorneys and offices in Boston, Los Angeles, New York, San Diego, San Francisco and Washington, D.C. The firm combines in-depth legal knowledge with practical business experience to deliver innovative solutions to complex legal problems. We provide litigation, corporate law and real estate services to clients ranging from start-up companies to Fortune 500 multinationals, with a focus on matters involving private equity, technology companies, real estate capital markets, financial services, intellectual property and products liability.

This article, which may be considered advertising under the ethical rules of certain jurisdictions, is provided with the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin Procter LLP or its attorneys. © 2012 Goodwin Procter LLP. All rights reserved.