Developer Alert: App stores now must enforce privacy-policy requirements

As noted in prior posts, we have been hoping that mobile app store operators, like Apple and Google, will start to encourage developers to pay attention to app privacy policies, and in the course of doing so, get smarter about their privacy practices. Great news today comes from the California Attorney General’s office, which has struck an agreement with the major app market providers to do just that.

From the announcement, here are the fundamental terms (emphasis mine):

1. Where applicable law so requires, an application (“app”) that collects personal data from a user must conspicuously post a privacy policy or other statement describing the app’s privacy practices that provides clear and complete information regarding how personal data is collected, used and shared.

2. In an effort to promote greater transparency and to increase developer awareness of privacy issues, the Mobile Apps Market Companies will include, in the application submission process for new or updated apps, either (a) a data field for a hyperlink to the app’s privacy policy or a statement describing the app’s privacy practices or (b) a data field and storage for the text of the app’s privacy policy or a statement describing the app’s privacy practices. For developers who choose to submit a hyperlink or text in the available data field, the Mobile Apps Market Companies will enable access to the hyperlink or text from the mobile application store.

3. The Mobile Apps Market Companies have, or will implement a means for users to report to the Mobile Platform Companies apps that do not comply with applicable terms of service and/or laws.

4. The Mobile Apps Market Companies have or will implement a process for responding to reported instances of non-compliance with applicable terms of service and/or laws. Any action that a Mobile Apps Market Company takes with respect to such an application will not limit law enforcement or any other regulator’s right to pursue an action against a developer for alleged violation of applicable law.

5. The Mobile Apps Market Companies will continue to work with the California Attorney General to develop best practices for mobile privacy in general and model mobile privacy policies in particular. Within six months the participants will convene to evaluate privacy in the mobile space, including the utility of education programs regarding mobile privacy.

Here are my takeaways:

  • When will this be effective? It’s not clear how soon app marketplaces need to meet the new requirement; given the simplicity of the change (adding a field for the privacy policy link or text), I would be surprised to see it take more than a few weeks to change the on-boarding process, if they start soon.
  • When will this be enforced? While there’s no specific date for enforcement to begin, I expect it will probably take longer for the app markets to set up systems to collect and act on consumer complaints about missing policies. I expect more guidance from the app marketplaces, but there’s no reason to delay implementing your policy.
  • What should developers do now? It doesn’t look like there’s a requirement for app developers to immediately add a policy for an app that doesn’t already have one, but the next time they update their app, they will be required to do so. This means developers who need to add policies should start looking at this promptly, particularly since the process of developing a policy may reveal necessary changes in data practices.

For app developers needing to add a privacy policy for their app, take a look at PrivacyChoice Policymaker, a free service to create and host your privacy policy, plus guidance on how to make sure it aligns with your actual data practices.
