California AG issues mobile app privacy guidelines

California's attorney general has issued a 22-page set of guidelines designed to improve and protect mobile application user privacy.

In the report, California AG Kamala D. Harris urged mobile software developers to "minimize surprises to users from unexpected privacy practices," suggesting they post transparent, easy-to-read privacy policy guidelines and recommending the use of "special notices" when an app might be using data in a way consumers might not expect. Harris also encouraged developers to use encryption to handle data, limit employees' access to user information and designate a staffer to periodically review the app's privacy practices, making sure that policies remain up to date. The report additionally includes best-practice suggestions for app store operators like Apple (NASDAQ:AAPL) and Google (NASDAQ:GOOG), mobile advertising networks and wireless carriers.

"Along with the many wonderful capabilities these apps offer, we remain mindful that the mobile environment also poses uncharted privacy challenges," wrote Harris in her introduction to the report. "These are challenges that we must confront and that we must resolve in a way that appropriately protects privacy while not unduly stifling innovation."

However, Harris does not have the authority to write new legislation governing mobile apps. The report is instead an interpretation of the California Online Privacy Protection Act, which requires commercial websites and digital services--including mobile apps--that collect personally identifiable information to conspicuously post a privacy policy. Experts said the report could nevertheless have a dramatic impact on shaping mobile software policies across the U.S. "What California does often ends up becoming the law of the land," Ryan Calo, assistant professor at the University of Washington School of Law, told The Los Angeles Times.

Late last year, Harris filed California's first-ever mobile app privacy lawsuit against Delta Airlines, alleging the Atlanta-based carrier failed to properly clarify what personal information it collects from consumers and what it does with that data. The complaint states that the Fly Delta traveler app collects information like the user's full name, telephone number, email address, frequent flyer account number and location but does not display a privacy policy. "Users of the Fly Delta application do not know what personally identifiable information Delta collects about them, how Delta uses that information, or to whom that information is shared, disclosed or sold," the lawsuit stated.
