Policy —

CA to app devs: get privacy policies or risk $2500-per-download fines

Developers have had a month to comply with state law.

They had a month—and now it's over. Any California mobile-app developers who don't have a privacy policy obviously available to consumers need to get one and fast. If they don't, they could be facing potentially massive fines: up to $2,500 per app download.

On October 30, California Attorney General Kamala Harris started notifying dozens of mobile-app developers that they weren't in compliance with a state law that requires all "commercial online services" that gather personal information to have a clearly displayed privacy policy. State lawyers are going to send out a wave of "up to 100" letters warning the developers to get in shape or face those fines.

Since the law applies to any service provider who collects information from "any Californian," it's basically a regulation of the entire Internet. Earlier this year, Harris' office made it clear that she intended to apply the law, called the California Online Privacy Protection Act, to the burgeoning world of mobile apps. In February, her office struck a deal with the big platforms, like Microsoft, Google, and Apple, to help get the apps they sell to be compliant. And in July, Harris created a specialized group of six lawyers to concentrate on enforcing privacy laws.

It's a remarkable thing, in part because Harris' office is acting in the total absence of any federal online privacy laws. Until the California law passed in 2004, websites weren't even required to have privacy policies. Now any online enterprise, big or small, is going to have a privacy policy. Whether it's an actually useful or readable policy is a different issue, but the nod at disclosure is still important.

The world of mobile apps, though, looks chaotic by comparison. In fact, a recent study found that almost three-quarters of mobile apps don't have privacy policies at all.

Getting with the program

If anyone might grumble about the new enforcement, one might think it'd be small app developers. They may chafe at the idea they have to lawyer up just to get their program out into the market. The main group representing small and medium-sized app developers, the Association for Competitive Technology (or ACT), hasn't hesitated to oppose privacy regulation it considers unhelpful. But in an interview with Ars today, ACT executive director Morgan Reed said this is an issue where developers are better off getting with the program.

"We need to follow the law, and look at the upside of the law," said Reed. The next generation of mobile apps won't be 99-cent impulse buys. "They'll deal with your financial information, your educational information, your health care. Being transparent about your data will win you contracts."

"The California A-G letter is real, and it's serious," noted Reed. "But it's not all 'woe is me.' All they're really asking for is for us to be transparent."

It doesn't have to be difficult or expensive, either. Free online resources are available, like PrivacyChoice's 20-minute privacy policy wizard and PrivacyPolicy.com's list of key questions.

It's also significant that the A-G is going after online companies that aren't apps and focusing on bigger companies, Reed added. "That's a good sign, that she's not door-knocking on garage developers, to drag them into the streets and have a public shaming of them."

Developers in confusion

"When this started coming to the forefront about six months ago, we had app developers reach out to us, very worried," said Christina Gagnier, a San Francisco lawyer who specializes in privacy law and social media. About half of developers she talked to believed they were somehow "covered" by the platform they worked with. For example, if an app gets through Apple's vetting process and makes it onto the iTunes store, developers would think that their privacy practices had been checked out and approved—but that's not the case.

Another common misconception is that if developers aren't doing something "borderline" with the data they're collecting, like selling it to other companies, they don't need to worry about privacy law.

"Most people are not building apps with the intent of doing harm," said Gagnier. "They're using data to make the product better." They still need a policy, though, that says, "this is what our app does, this is what we collect, this is how we store it."

And while free resources are available, if you have the money, it's worth talking to a lawyer, she added. "You need to have a policy that's crafted and particularized."

Gagnier has even seen app developers cut and paste policies from other companies, which is invariably a mistake. "The natural reaction is, Netflix is a big company, they probably have a good policy—it's probably good for our site," she said. "But if you don't stream video online, it's really not."

In many ways, the efficacy of privacy policies can be questioned. They're often too opaque to give meaningful notice to consumers. Still, they're the first building block of disclosure, and the days when most mobile apps have been able to just blow off the requirement are likely coming to a close.

"This is not a new law, but it hasn't been enforced," said Gagnier. "But now with the A-G's office paying attention, we will see that number [of non-compliant apps] go down."
