Mobile application developers should minimize privacy surprises for their customers by limiting their data collection and retention and giving users access to the data collected, California Attorney General Kamala Harris has recommended.
Mobile apps should avoid or minimize their collection of personally identifiable data for uses not related to their basic functionality, and they should avoid or limit the collection of sensitive information, Harris and the California Department of Justice recommended in a report released Thursday. Mobile apps should also use encryption to send and store personally identifiable information, and app developers should appoint privacy officers to review their privacy policies whenever the apps are updated, Harris recommended.
App developers should also make their privacy policies easy to find and allow customers to see the policies before they download apps, the report recommended.
"Californians want to know what personal information their apps collect, how it is used and with whom it is shared," Harris said in a statement. "To meet this need and keep pace with rapidly changing technology, these recommendations strike a responsible balance between protecting consumers' personal information and fostering the continued growth of the innovative app economy."
It's important for the agency to address mobile privacy because more than half of U.S. mobile phone users access the Internet from their phones and mobile developers release more than 1,600 new apps every day, Harris said in a press release.
Mobile app privacy has been a controversial issue in recent months. Several privacy groups and some lawmakers in Washington, D.C., have called for new privacy laws after news and government reports that mobile apps collect large amounts of personal data without notifying consumers.
Harris' office reached out to the mobile industry before releasing the report. The agency wants the report to serve as a template for the mobile industry to develop privacy policies and practices that will improve consumer privacy without stifling innovation.
Some tech industry representatives said the recommendations are a good idea, as long as they are voluntary.
The report "by offering recommendations that can serve as a useful reference for developers rather than mandates that constrain innovation, is a step in the right direction," said Daniel Castro, senior analyst with the Information Technology and Innovation Foundation (ITIF), a tech-focused think tank.
Castro praised Harris for issuing recommendations instead of suing app developers for privacy violations. But the report makes some bad assumptions about mobile apps, he added in a blog post. The report's authors said advertising is not a part of an app's basic functionality, he said.
"For all of the talk in this report about a 'mobile ecosystem,' the report authors apparently do not seem to clearly understand that this ecosystem depends on revenue," Castro wrote. "Many mobile apps are ad-supported software."
Consumer Watchdog, a group focused on privacy and other consumer issues, praised the report, which provides the first state recommendations on mobile app privacy.
"This is an important step towards taming the Wild West in the mobile world," John Simpson, of Consumer Watchdog's Privacy Project, said in an email. "Significant as it is, however, the key guidelines must be enacted into law with strong enforcement provisions. I call on the legislature to follow Harris' lead and tackle the issue this term."
Steve DelBianco, executive director of e-commerce trade group NetChoice, called the guidelines reasonable, but said the report, if turned into law, would "become a road map to ruin for California's economy and its thousands of cutting-edge companies."
If the report becomes law, it would drive innovative businesses out of California, he said in an email. "If this became a legal requirement, businesses based in California would need to get a privacy permission slip from the state government," he said. "Under an open government privacy approval process, competitors and privacy advocates could see and replicate innovations before they came to market. "
Because of the smaller screens of mobile devices, the report recommended special notifications, such as icons or pop-up notifications, to inform consumers about how personally identifiable information is being collected and shared.
Mobile apps should also use special notices when they collect sensitive information, the report recommended. App developers should also make their privacy policies clear and understandable by using plain language. Some ways to do this is by using layered notices that highlight the most important privacy issues or by using graphics or icons to help users recognize privacy practices and settings, the report said.
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is [email protected]