Ever on the forefront of consumer privacy protection, California
is again making news in the privacy world with the California
Attorney General's recent publication of "Privacy on the Go: Recommendations for the Mobile
Ecosystem," which includes privacy recommendations for app
developers, app platform providers, mobile ad networks, makers of
operating systems and mobile carriers. With this publication,
California joins the FTC and the GSMA as entities that have
published non-binding guidance with respect to mobile privacy
(which we blogged about
In the publication, the Attorney General notes that these
recommendations often ". . . offer greater protection than
afforded by existing law, [and] are intended to encourage all
players in the mobile marketplace to consider privacy implications
at the outset of the design process." The report
outlines the following specific recommendations:
For App Developers:
Start with a data checklist to review the personally
identifiable data your app could collect and use it to make
decisions on your privacy practices.
Be transparent with respect to your privacy practices.
Avoid or limit collecting or retaining personally identifiable
data not needed for your app's basic functionality.
Give users access to personally identifiable data the app
collects and retains about them.
Use security safeguards.
Be accountable for compliance with applicable laws.
conspicuously accessible to users and potential
Use enhanced measures – "special notices" or
the combination of a short privacy statement and privacy controls
– to draw users' attention to data practices that maybe
unexpected and to enable them to make meaningful choices.
Make app privacy policies accessible from the app platform so
that they may be reviewed before a user downloads an app.
Use the platform to educate users on mobile privacy.
For Mobile Ad Networks:
Avoid using out-of-app ads that are delivered by modifying
browser settings or placing icons on the mobile desktop.
will enable the delivery of targeted ads through your network.
Move away from the use of unchangeable device-specific
identifiers and transition to app-specific or temporary device
For Operating System Developers:
Develop global privacy settings that allow users to control the
data and device features accessible to apps.
For Mobile Carriers:
Leverage your ongoing relationship with mobile customers to
educate them on mobile privacy and particularly on children's
While the California Attorney General acknowledges that the
recommendations are just that – recommendations – it is
clear that as "smart phones" become ubiquitous, more
federal and state regulation will impact, in one way or another,
all participants in the mobile ecosystem.
I strongly urge every covered entity and business associate faced with a Business Associate Agreement that includes indemnification provisions to read Michael Kline’s "List of Considerations" before signing.