As discussed in a previous Creative Industry Law blog post, California Attorney General Kamala Harris began a two-pronged enforcement strategy last year to bring mobile app developers, platform providers, and mobile ad networks in line with California’s Online Privacy and Protection Act (“COPPA”).
The AG sent notices of non-compliance to offending entities (a sample notice letter can be found here). In December, selected lawsuits were filed (e.g., Harris’ action against Delta). Recently, the Attorney General’s office released Privacy on the Go, a set of guidelines to help those involved in mobile app development, distribution platforms, and advertising to better understand how to meet the requirements of California’s OPPA.
For app developers, the guidelines recommend constructing a data checklist that accounts for all personally identifiable information (“PII”) an app could collect. Developers are also advised to avoid, if possible, any unnecessary collection of PII.
Also, a policy must be “holistic” to meet COPPA requirements. It must specify the PII it gathers, how it will be used, whether it will be shared, and whether the user retains any control over that information or not. The AG recommends that privacy policies open with a short, clear synopsis of their terms, and that developers offer users privacy settings to control how their data will be used.
Recognizing that platform providers play an important role in making consumers aware of rights and threats to privacy, the AG’s office also recommends that privacy policies be accessible from an app store, or other platform, so that consumers can review privacy information before making a download decision.
The role of operating system managers is also recognized. They are encouraged to put global privacy settings in place to provide users with a convenient means of controlling the data all their apps may utilize.
The most controversial of Harris’ recommendations concerns advertisers. Privacy on the Go suggests that advertisers should “avoid” delivering out-of-app ads that direct browsers to an advertiser’s URL or place icons on the device’s desktop. It further advises advertisers to cease their use of device-specific identifiers, which advertising engines may exploit to identify a consumer, in favor of less personally intrusive app-specific or temporary device identifiers.
These hortatory directives to the advertiser have drawn the ire of some important ad groups including the Direct Marketing Association, the Interactive Advertising Bureau, the American Advertising Federation, the Association of National Advertisers, the American Association of Advertising Agencies, and others. Charging the Attorney General with bias for the perspective of “the privacy, academic, and mobile app community,” the groups complain in an open letter that the office’s guidelines go beyond what the law requires and will “create uncertainty in the marketplace, raise unnecessary costs for business, restrict innovation, slow economic growth, reduce benefits for consumers, and result in job losses” (a familiar litany in the regulatory world).
Will Privacy on the Go come to be regarded as a set of guiding principles to promote better compliance with COPPA goals, or will it evolve into a more substantive legal standard? Will it be helpful or confusing? At the early stages of COPPA application, standards are still unformulated, and either could happen. As the AG brings more enforcement actions in the context of this lively debate, we may begin to discern where on the spectrum between rulebook and recommendations specific preferred practices fall. Meanwhile, Privacy on the Go provides a useful checklist for app developers and distributors alike. Take a look at it here.