Mobile App Platforms Reach Voluntary Agreement with California State Attorney General

By Samuel R. Castic and J. Bradford Currier

Californians who download mobile applications on their smartphones, tablets and other mobile devices should soon have greater knowledge of how their personal information is collected and used under a non-binding Joint Statement of Principals recently reached between six mobile app platforms, such as Apple, Inc., and the California Office of the Attorney General. The California announcement comes just days after the Federal Trade Commission warned app developers to improve privacy disclosures for mobile apps directed at children and within hours of the White House’s announcement of a Consumer Privacy Bill of Rights to protect citizens online.

Although the agreement does not create any new legal obligations for app providers, the parties agreed to voluntarily abide by five privacy principles: 

(1) Any app that collects personal data from a user, regardless of age, “must conspicuously post a privacy policy or other statement describing the app’s privacy practices” that informs the user how the data will be used and shared. California law already requires websites and online services to post privacy policies when they collect personally identifiable information about users. Despite this obligation, the California Attorney General reported that only 5 percent of mobile apps currently offer a privacy policy, although other parties suggest that the figure is approximately 33 percent. The agreement makes clear that the California Attorney General views mobile applications as online services subject to this law. 

(2) The agreement modifies the app submission process to make it easier for app developers to include a link to, or the text of, the privacy policy governing the app. However, the agreement contains no commitment by app platforms to notify users when a privacy policy changes. 

(3) The app platforms will create reporting procedures for users to identify apps that do not comply with applicable terms of service or applicable law. 

(4) The app platforms agreed to implement a response process to handle reported violations of app privacy policies. 

(5) The parties agreed to work together to develop “best practices” for mobile privacy policies. 

While no timetable exists for implementation of the agreement, the parties agreed that they will reassess the state of app privacy policies in within six months.

Copyright © 2016, K&L Gates LLP. All Rights Reserved.