Mobile privacy can be legal minefield for enterprises


SAN FRANCISCO--Privacy can be a legal minefield for enterprises, whether grappling with BYOD or deploying mobile apps to generate business and satisfy customers.

At the RSA Conference being held here this week, Tanya Forsheit, founding partner with the InfoLawGroup, tackled the legal issues raised by mobile apps.

"The regulators are trying to figure out how to address privacy in the mobile space given the availability of information and the fact that so many different parties have access to it," says Forsheit.

Regulators and courts have tried to apply existing laws that were not designed for the mobile era to regulate mobile privacy. In addition, industry has been working to develop voluntary self-regulatory privacy rules, she notes.

In California, Attorney General Kamala Harris has formed a privacy unit and has issued rules regarding mobile app privacy. The state is requiring firms to prominently post mobile app privacy policies. "Right now, privacy policies are one of the only ways for firms to communicate their privacy policies," Forsheit observes.

Harris is applying the state's existing online privacy law, which was drafted 10 years ago and not designed for mobile apps. The law includes a reference to online services, which Kamala interprets as applying to mobile apps, Forsheit explains.

In 2012, Harris reached agreement with Amazon, Apple, Google, Hewlett-Packard, Microsoft and BlackBerry to include in the app submission a hyperlink to the app's privacy policy or a statement describing the app's privacy practices.

In October 2012, Harris told as many as 100 apps that they need to comply with state law within 30 days or face penalties of up to $2,500 for each download. In December, she sued Delta for failing to comply, and in May of 2013 the court dismissed the suit on the grounds that state law was pre-empted by the federal aviation deregulation law. This ruling, because of its limited scope, has not deterred Harris from pursuing other mobile app privacy violators.

In addition, the Federal Trade Commission has taken action on mobile privacy issues. In 2013, the FTC issued two reports, one with mobile privacy disclosure suggestions for mobile platforms, app developers and advertising networks, and another examining mobile payment privacy.

The FTC investigated Goldenshores Technologies, which supplied a flashlight app that collected location data. The FTC settled with the company, requiring it to limit its data collection. The settlement also provided privacy guidance for app developers and publishers regarding data collection and sharing and privacy representations in license agreements.

To avoid running afoul of state and federal regulators, Forsheit recommends that enterprises know what information their apps are collecting, work with privacy lawyers to update or create a mobile app privacy policy, keep abreast of changing technology and platforms, and keep an eye on regulators. Sounds like good advice to me. - Fred